Require imagePullPolicy Always in CEL expressions

If the `latest` tag is allowed for images, it is a good idea to set the imagePullPolicy field to `Always`, so that if the tag is overwritten, future pulls fetch the updated image. This policy validates that imagePullPolicy is set to `Always` when the `latest` tag is specified explicitly or when no tag is defined at all.

Policy Definition

/other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: imagepullpolicy-always
  annotations:
    policies.kyverno.io/title: Require imagePullPolicy Always in CEL expressions
    policies.kyverno.io/category: Sample in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      If the `latest` tag is allowed for images, it is a good idea to have the
      imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future
      pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always`
      when the `latest` tag is specified explicitly or where a tag is not defined at all.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: imagepullpolicy-always
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      cel:
        expressions:
          - expression: >-
              object.spec.containers.all(container,
              (container.image.endsWith(':latest') || !container.image.contains(':')) ?
              container.imagePullPolicy == 'Always' : true)
            message: >-
              The imagePullPolicy must be set to `Always` when the tag `latest` is used.
```
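To see what the CEL expression accepts and rejects, the following added example (not part of the Kyverno policy library) translates the page's condition into Python and runs it over a constructed Pod spec. It goes beyond the page by placing a stricter image-reference check alongside it: the policy's `contains(':')` test treats an untagged image on a registry with a port (such as `registry.example.com:5000/app`) as tagged, and the strict version looks for the tag only in the last path component and ignores digest-pinned references.

```python
"""Page's CEL check mirrored in Python, plus a stricter reference parser.

Added example, not Kyverno's own code. The sample Pod and image names below
are constructed for illustration.
"""


def naive_is_mutable_tag(image: str) -> bool:
    """The page's CEL condition, translated literally."""
    return image.endswith(":latest") or ":" not in image


def strict_is_mutable_tag(image: str) -> bool:
    """True when the image resolves a mutable tag (:latest or no tag at all).

    A digest (`@sha256:...`) pins the content, so it never needs Always.
    The tag is searched only in the last path component, so a registry port
    such as `registry.example.com:5000/app` is not mistaken for a tag.
    """
    if "@" in image:
        return False
    last = image.rsplit("/", 1)[-1]
    if ":" not in last:
        return True
    return last.rsplit(":", 1)[1] == "latest"


def violations(pod: dict, predicate=strict_is_mutable_tag) -> list:
    """Names of containers using a mutable tag without imagePullPolicy: Always."""
    bad = []
    for c in pod["spec"]["containers"]:
        # API-server defaulting normally fills imagePullPolicy before admission;
        # a missing field is treated as not-Always so the check stays conservative.
        if predicate(c["image"]) and c.get("imagePullPolicy") != "Always":
            bad.append(c["name"])
    return bad


# Constructed sample Pod (not from the page).
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {"containers": [
        {"name": "web", "image": "nginx:latest", "imagePullPolicy": "IfNotPresent"},
        {"name": "tools", "image": "busybox", "imagePullPolicy": "Always"},
        {"name": "pinned", "image": "nginx:1.25.3", "imagePullPolicy": "IfNotPresent"},
        {"name": "private", "image": "registry.example.com:5000/app", "imagePullPolicy": "IfNotPresent"},
    ]},
}

if __name__ == "__main__":
    print("page logic:  ", violations(SAMPLE_POD, naive_is_mutable_tag))    # ['web']
    print("strict logic:", violations(SAMPLE_POD))                          # ['web', 'private']
```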