From d0977d9501ca94d8a8d11c12fb6485838ffaf9a3 Mon Sep 17 00:00:00 2001
From: Chris Carty
Date: Sun, 5 Jul 2020 22:53:50 -0400
Subject: [PATCH] updated policy to actually work as expected

---
 latest-tag/constraint.yaml | 6 +++---
 latest-tag/template.yaml | 7 +++----
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/latest-tag/constraint.yaml b/latest-tag/constraint.yaml
index 93ff145..b920441 100644
--- a/latest-tag/constraint.yaml
+++ b/latest-tag/constraint.yaml
@@ -7,6 +7,6 @@ spec:
 kinds:
 - apiGroups: [""]
 kinds: ["Pod"]
- parameters:
- tags:
- - "latest"
\ No newline at end of file
+ parameters:
+ tags:
+ - "latest"
\ No newline at end of file
diff --git a/latest-tag/template.yaml b/latest-tag/template.yaml
index 2b8317f..5ccbb71 100644
--- a/latest-tag/template.yaml
+++ b/latest-tag/template.yaml
@@ -23,11 +23,10 @@ spec:
 violation[{"msg":msg}] {
 container := input.review.object.spec.containers[_]
- tag := split(container.image, ":")[1]
- not tag != "latest"
-
- msg := sprintf("container <%v> uses '%v' tag", [container.name, tag])
+ satisfied := [good | tags = input.parameters.tags[_] ; good = endswith(container.image, tags)]
+ any(satisfied)
+ msg := sprintf("container <%v> uses '%v' tag. Disallowed tags '%v'", [container.name, container.image, input.parameters.tags])
 }
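Review bot: The suffix test on the new `satisfied` line in the template.yaml hunk matches any image reference whose text ends in a disallowed string, not specifically its tag: with the default parameter, a constructed reference like `registry/app:notlatest` is flagged while `app:latest-v2` and an untagged image (which the container runtime resolves to `:latest`) both pass. Anchoring the check on the tag separator narrows it to the tag itself, `good = endswith(container.image, concat("", [":", tags]))`; an untagged image carries no suffix to match, so catching it needs its own rule that checks for the absence of a `:` (and `@`) in the reference. The rule also only walks `spec.review.object.spec.containers`, so `initContainers` are never evaluated against the policy; presumably a second `violation` rule over that array, or a helper that enumerates both, is needed for the constraint to cover the whole Pod. A short comment above the comprehension stating that `tags` is matched as an image-reference suffix, not parsed as a tag, would make the current behaviour clear to whoever tunes the parameter.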