Pin by digest / immutable tags

Definition

Pinning by digest or using immutable tags refers to the practice of referencing container images or software artifacts by their unique cryptographic hash (digest) rather than by mutable tags like latest. A digest identifies exactly one set of image content, so the artifact that runs is the one that was reviewed, tested and scanned; a mutable tag can be re-pointed at different content at any time, so a later pull of the same tag may silently deploy something else. Immutable tags are a registry-side control: once a tag is created it cannot be re-pointed, which gives deployments a consistent and reliable reference even when they use a tag rather than a digest.

Secure Settings Example

# Kubernetes Deployment using image pinning by digest
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp-container
        # The @sha256:<64 hex chars> digest identifies exact image content; the
        # value below is a placeholder, substitute the real digest of your image.
        image: myregistry/myapp@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

Insecure Settings Example

# Kubernetes Deployment using mutable tag
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp-container
        # "latest" can be re-pointed at different content at any time, so each
        # pull (or pod restart) may run an image that was never reviewed.
        image: myregistry/myapp:latest
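The definition and the two Deployment examples above come down to one check: is every image reference resolved by content (a well-formed digest) or by a name the registry may re-point? The following Python script is an added example, not code from the original page, that parses OCI-style image references and walks a Deployment-shaped manifest (constructed inline as a Python dict, mirroring the insecure example) to report containers that are not pinned. The list of well-known mutable tag names is an assumption; registries do not mark tags as mutable, so any tag is treated as unpinned unless it carries a digest.

```python
import re

# OCI digests are "<algorithm>:<hex>"; the hex length must match the algorithm.
DIGEST_RE = re.compile(r"^(?P<alg>sha256|sha512):(?P<hex>[0-9a-f]+)$")
HEX_LEN = {"sha256": 64, "sha512": 128}

# Assumption: tag names commonly used as moving pointers. A tag not in this set is
# still mutable unless the registry enforces tag immutability, so it is reported too.
MUTABLE_TAG_NAMES = {"latest", "stable", "main", "master", "dev", "edge"}


def parse_image_ref(ref):
    """Split 'registry[:port]/repo[:tag][@digest]' into its parts."""
    name, digest = ref.split("@", 1) if "@" in ref else (ref, None)
    # A tag is the text after the last ':' only if that ':' comes after the last '/';
    # otherwise the ':' belongs to a registry port such as localhost:5000.
    slash, colon = name.rfind("/"), name.rfind(":")
    if colon > slash:
        repo, tag = name[:colon], name[colon + 1:]
    else:
        repo, tag = name, None
    return {"repository": repo, "tag": tag, "digest": digest}


def digest_is_valid(digest):
    """True only for a known algorithm with the correct number of lowercase hex chars."""
    m = DIGEST_RE.match(digest or "")
    return bool(m) and len(m.group("hex")) == HEX_LEN[m.group("alg")]


def classify_image_ref(ref):
    """Return 'pinned', 'malformed-digest', 'mutable-tag' or 'named-tag'."""
    parts = parse_image_ref(ref)
    if parts["digest"] is not None:
        # A digest, when present, is what the runtime resolves; a malformed one is
        # rejected at pull time, so it is a misconfiguration rather than a pin.
        return "pinned" if digest_is_valid(parts["digest"]) else "malformed-digest"
    # No tag means the runtime defaults to ':latest'.
    if parts["tag"] is None or parts["tag"] in MUTABLE_TAG_NAMES:
        return "mutable-tag"
    return "named-tag"


def find_unpinned_images(manifest):
    """Report (container name, image, verdict) for every non-pinned container in a
    Deployment/StatefulSet/DaemonSet-shaped manifest (spec.template.spec.*)."""
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    findings = []
    for field in ("initContainers", "containers"):
        for container in pod_spec.get(field, []):
            verdict = classify_image_ref(container["image"])
            if verdict != "pinned":
                findings.append((container["name"], container["image"], verdict))
    return findings


# Constructed sample manifest, mirroring the insecure example on this page with an
# extra init container to show a well-formed pin passing the check.
SAMPLE_MANIFEST = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "myapp"},
    "spec": {
        "replicas": 3,
        "template": {
            "spec": {
                "initContainers": [
                    {"name": "migrate",
                     "image": "myregistry/migrate@sha256:" + "0123456789abcdef" * 4}
                ],
                "containers": [
                    {"name": "myapp-container", "image": "myregistry/myapp:latest"}
                ],
            }
        },
    },
}

if __name__ == "__main__":
    for name, image, verdict in find_unpinned_images(SAMPLE_MANIFEST):
        print(f"{name}: {image} -> {verdict}")
```

The check is deliberately strict about digest shape: the page's original secure example used a digest string containing non-hex characters, and a reference like that is not pinned, it simply fails to pull. In practice this logic belongs in CI (run over rendered manifests before apply) or in an admission policy, with the digest obtained from the registry at build time rather than typed by hand.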