
Support Semantic Version Constraints for Pipelines #4383

@mozesl-nokia

Description


Semantic Version Constraints for Pipelines

Problem

There are use cases where we want to ensure that the running pipeline function is up-to-date with the latest available security patches (whilst still being compatible with the current configuration).

Currently, the package author has to go in and manually update the function image tag whenever a new version is
available, requiring a new revision of the original package and all downstream packages as well.

Proposal

Add a new tag field to the pipeline function definition, which can either contain a literal tag (e.g.: v1.0.3) or
a semantic version constraint (e.g.: >= v1.0.3). Kpt should find the highest matching version available of the
function and use that when running the pipeline.

Listing all available tags for an image is supported on the API, according to
https://specs.opencontainers.org/distribution-spec/?v=v1.0.0#content-discovery.
(This should also be supported by some library: potentially https://github.com/distribution/distribution - deprecated in 3.0.0; https://github.com/regclient/regclient?)

In the examples, the https://github.com/Masterminds/semver constraint format was used, but another library may be used during implementation.
(see https://github.com/Masterminds/semver?tab=readme-ov-file#checking-version-constraints for a more complete spec)

Example

apiVersion: kpt.dev/v1
kind: Kptfile
metadata:
  name: example-package
info:
  description: This is an example package.
pipeline:
  mutators:
    - image: ghcr.io/kptdev/krm-functions-catalog/apply-setters:v1.2.3 # old format still valid
      configPath: apply-setters-cfg.yaml
    - image: set-namespace                                             # default registry name is applied as before
      tag: ">= 1.2.3, < 1.3.0"                                         # a v is automatically prepended, so this will match with the tag "v1.2.4"
      configPath: package-context.yaml
  validators:
    - image: ghcr.io/kptdev/krm-functions-catalog/kubeconform:v0.3.6   # v0.3.6 will be overwritten!
      tag: ~0.4.3                                                      # short-hand for ">= 0.4.3, < 0.5.0"
      configMap:
        strict: "true"
    - image: ghcr.io/kptdev/krm-functions-catalog/kubeconform
      tag: v0.4.3                                                      # specifying exact tag also works
      configMap:
        strict: "true"

Caveats

We must ensure that we follow compatibility expectations (patch versions being backwards compatible, etc.) in the function catalog.
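As an added example (not code from the issue or from kpt itself), the Go snippet below resolves a tag field the way the proposal describes: given the tag list a registry would return, it evaluates the Masterminds-style constraint subset used in the Kptfile above (literal tag, ">=", "<", "~", comma-separated) and returns the highest match. The constraint parser is hand-rolled rather than the Masterminds library, version components are assumed to be below 10^8, and the tag list in the test is constructed; tags that are not plain semver ("latest", pre-releases) are never selected.

```go
package main

import (
	"fmt"
	"strings"
)

type version [3]int // parsed MAJOR.MINOR.PATCH

// parseVersion accepts "1.2.3" or "v1.2.3" (the proposal auto-prepends "v"); the round-trip check
// rejects anything else, so tags like "latest" or "v1.2.5-rc1" can never satisfy a constraint.
func parseVersion(s string) (v version, ok bool) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	_, err := fmt.Sscanf(s, "%d.%d.%d", &v[0], &v[1], &v[2])
	return v, err == nil && !strings.Contains(s, "-") && fmt.Sprintf("%d.%d.%d", v[0], v[1], v[2]) == s
}

// compare returns -1, 0 or 1; zero-padding (components assumed below 10^8) makes string order numeric.
func compare(a, b version) int {
	const pad = "%08d%08d%08d"
	return strings.Compare(fmt.Sprintf(pad, a[0], a[1], a[2]), fmt.Sprintf(pad, b[0], b[1], b[2]))
}

// accepted maps each operator (the Masterminds/semver subset used in the issue) to the signs of
// compare(v, want) it allows; "~X.Y.Z" additionally requires the same X.Y, checked in matches.
var accepted = map[string]string{"": "0", "=": "0", ">=": "0+", ">": "+", "<=": "-0", "<": "-", "~": "0+"}

// matches evaluates a comma-separated constraint such as ">= 1.2.3, < 1.3.0" or "~0.4.3" against v.
func matches(v version, constraint string) bool {
	for _, c := range strings.Split(strings.ReplaceAll(constraint, " ", ""), ",") {
		rest := strings.TrimLeft(c, "<>=~")
		want, ok := parseVersion(rest)
		signs, known := accepted[c[:len(c)-len(rest)]]
		if !ok || !known || !strings.Contains(signs, string("-0+"[compare(v, want)+1])) ||
			(strings.HasPrefix(c, "~") && (v[0] != want[0] || v[1] != want[1])) {
			return false
		}
	}
	return true
}

// Resolve returns the highest tag in tags (e.g. a registry tags/list response) that satisfies
// constraint, i.e. the newest release inside the allowed range, which is what the pipeline would run.
func Resolve(tags []string, constraint string) (string, bool) {
	best, found, bestV := "", false, version{}
	for _, t := range tags {
		if v, ok := parseVersion(t); ok && matches(v, constraint) && (!found || compare(v, bestV) > 0) {
			best, bestV, found = t, v, true
		}
	}
	return best, found
}
```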

Metadata

Labels: documentation (Improvements or additions to documentation); enhancement (New feature or request); needs-design (Issues which need a bit of a design before we can start implementing them).
