Hey everyone! I've been curious about the use of image digests in pod deployments. I know some admission controllers can replace image references from tags to digests on the fly when creating a pod. What's the real purpose of this policy? Are there any security advantages to doing this?
1 Answer
Switching from tag-based references to digest-based ones offers better immutability and helps prevent supply-chain tampering. It ensures that deployments are verifiable and reproducible, minimizing the risk of unexpected changes or vulnerabilities.
But if the admission controller is changing the tag to a digest dynamically, wouldn't the digest just update the next time the pod is created? What am I overlooking?