Labels Package

Check if the image has the expected labels set. The rules in this package distinguish file-based catalog (FBC) images from all other images. When checking an FBC image, a policy rule may use a different set of rule data. An FBC image is detected by the presence of the operators.operatorframework.io.index.configs.v1 label.

Package Name

  • labels

Rules Included

Deprecated labels

Check the image for the presence of labels that have been deprecated. Use the rule data key deprecated_labels to set the list of labels to check.

Solution: Update the image build process to not set the deprecated labels.

  • Rule type: FAILURE

  • FAILURE message: The %q label is deprecated, replace with %q

  • Code: labels.deprecated_labels

  • Source

Disallowed inherited labels

Check that certain labels on the image have different values than the labels from the parent image. If the label is inherited from the parent image but not redefined for the image, it will contain an incorrect value for the image. Use the rule data disallowed_inherited_labels key to set the list of labels to check, or the fbc_disallowed_inherited_labels key for fbc images.

Solution: Update the image build process to overwrite the inherited labels.

  • Rule type: FAILURE

  • FAILURE message: The %q label should not be inherited from the parent image

  • Code: labels.disallowed_inherited_labels

  • Source

Inaccessible image config

The image config is not accessible.

Solution: Check the provided authentication configuration and the credentials within it.

  • Rule type: FAILURE

  • FAILURE message: Image config of the image %q is inaccessible

  • Code: labels.inaccessible_config

  • Source

Inaccessible image manifest

The image manifest is not accessible.

Solution: Check the provided authentication configuration and the credentials within it.

  • Rule type: FAILURE

  • FAILURE message: Manifest of the image %q is inaccessible

  • Code: labels.inaccessible_manifest

  • Source

Inaccessible parent image config

The parent image config is not accessible.

Solution: Check the provided authentication configuration and the credentials within it.

  • Rule type: FAILURE

  • FAILURE message: Image config of the image %q, parent of image %q is inaccessible

  • Code: labels.inaccessible_parent_config

  • Source

Inaccessible parent image manifest

The parent image manifest is not accessible.

Solution: Check the provided authentication configuration and the credentials within it.

  • Rule type: FAILURE

  • FAILURE message: Manifest of the image %q, parent of image %q is inaccessible

  • Code: labels.inaccessible_parent_manifest

  • Source

Optional labels

Check the image for the presence of labels that are recommended, but not required. Use the rule data optional_labels key to set the list of labels to check, or the fbc_optional_labels key for fbc images.

Solution: Update the image build process to set the optional labels.

  • Rule type: WARNING

  • WARNING message: The optional %q label is missing. Label description: %s

  • Code: labels.optional_labels

  • Source

Required labels

Check the image for the presence of labels that are required. Use the rule data required_labels key to set the list of labels to check, or the fbc_required_labels key for fbc images.

Solution: Update the image build process to set the required labels.

  • Rule type: FAILURE

  • FAILURE message: %s

  • Code: labels.required_labels

  • Source

Rule data provided

Confirm the expected rule data keys have been provided in the expected format. The keys are required_labels, fbc_required_labels, optional_labels, fbc_optional_labels, disallowed_inherited_labels, fbc_disallowed_inherited_labels, and deprecated_labels.

Solution: If provided, ensure the rule data is in the expected format.

  • Rule type: FAILURE

  • FAILURE message: %s

  • Code: labels.rule_data_provided

  • Source