
k8s-immutable-image

Image Tag should be fixed - not latest or blank

It is highly recommended to avoid creating containers from Docker images that are referenced only by a mutable tag such as latest (which is re-pointed every time you build and push a new image) or by no tag at all (which Kubernetes treats as latest). Always specify a fixed tag on your container images. Keep in mind that any tag, fixed or not, can be re-pushed by whoever has write access to the registry; when you need a reference that cannot change out from under you, pin the image by its digest (image@sha256:...) in addition to, or instead of, the tag.

By using a tag like latest, you simply have no way of knowing which version of the software is running at a given time. This greatly complicates investigating a compromise of your infrastructure and makes it difficult to roll back to a previous known-good version.

Examples

Insecure Example

apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloworld
  namespace: hello
spec:
  replicas: 2
  selector:
    matchLabels:
      app: helloworld
  template:
    metadata:
      labels:
        app: helloworld
    spec:
      containers:
      - name: helloworld
        image: bigcorp/helloworld:latest
        ports:
        - containerPort: 80

Secure Example

apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloworld
  namespace: hello
spec:
  replicas: 2
  selector:
    matchLabels:
      app: helloworld
  template:
    metadata:
      labels:
        app: helloworld
    spec:
      containers:
      - name: helloworld
        image: bigcorp/helloworld:v1.2.34
        ports:
        - containerPort: 80
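The check behind this rule, as an added example that is not part of the original page or of any scanner's own code: a small Python checker that walks a parsed manifest (any workload kind, including initContainers) and flags images that are untagged, tagged latest, and not pinned by digest. The image-reference parser is written for this example and handles the case that naive "split on colon" checks get wrong, a registry host with a port such as registry.example.com:5000/app, which has a colon but no tag. The sample manifest is constructed here (the page's insecure Deployment plus an untagged init container and a digest-pinned sidecar) in the dict form that yaml.safe_load() would return, so the block runs offline without a YAML library.

```python
"""Flag Kubernetes container images that are not pinned to an immutable reference.

Added example for the k8s-immutable-image rule; not taken from the page or any scanner.
"""
from __future__ import annotations

import re
from typing import Iterator, List, Tuple

# An OCI digest suffix: "@<algorithm>:<hex>", e.g. "@sha256:<64 hex chars>".
_DIGEST_RE = re.compile(r"@(?P<digest>[A-Za-z0-9_+.-]+:[0-9a-fA-F]{32,})$")


def parse_image_ref(ref: str) -> dict:
    """Split an image reference into registry, repository, tag and digest.

    Example input: "registry.example.com:5000/bigcorp/app:v1.2.34@sha256:<hex>".
    A colon in the first path component belongs to the registry port, not a tag.
    """
    digest = None
    m = _DIGEST_RE.search(ref)
    if m:
        digest = m.group("digest")
        ref = ref[: m.start()]

    registry = None
    first, sep, rest = ref.partition("/")
    # Docker's rule: the first component is a registry host if it contains
    # a '.' or ':' or is exactly "localhost"; otherwise it is part of the repo path.
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        path = ref

    tag = None
    if ":" in path:  # repository names cannot contain ':', so this colon starts the tag
        path, tag = path.rsplit(":", 1)
    return {"registry": registry, "repository": path, "tag": tag, "digest": digest}


def is_immutable(ref: str) -> bool:
    """Accept a reference that carries a digest, or an explicit tag other than latest.

    A missing tag is implicitly "latest" and is rejected just like the explicit form.
    """
    parts = parse_image_ref(ref)
    if parts["digest"]:
        return True
    return parts["tag"] not in (None, "", "latest")


def iter_container_images(obj) -> Iterator[Tuple[str, str]]:
    """Yield (container name, image) for every container found anywhere in a manifest.

    Recursing over the whole structure covers Pod, Deployment, StatefulSet, Job,
    CronJob (spec.jobTemplate.spec.template...) and so on without per-kind paths.
    """
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in ("containers", "initContainers", "ephemeralContainers") and isinstance(value, list):
                for c in value:
                    if isinstance(c, dict) and "image" in c:
                        yield c.get("name", "<unnamed>"), c["image"]
            else:
                yield from iter_container_images(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from iter_container_images(item)


def find_mutable_images(manifest) -> List[Tuple[str, str]]:
    """Return the (name, image) pairs that violate the rule."""
    return [(name, image) for name, image in iter_container_images(manifest) if not is_immutable(image)]


# Constructed sample: the page's insecure Deployment, extended with an init container
# pulled untagged from a private registry with a port, and a sidecar pinned by digest.
# The digest value is a placeholder (64 'a' characters), not a real image digest.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "helloworld", "namespace": "hello"},
    "spec": {
        "replicas": 2,
        "selector": {"matchLabels": {"app": "helloworld"}},
        "template": {
            "metadata": {"labels": {"app": "helloworld"}},
            "spec": {
                "initContainers": [
                    {"name": "migrate", "image": "registry.example.com:5000/bigcorp/migrate"},
                ],
                "containers": [
                    {"name": "helloworld", "image": "bigcorp/helloworld:latest", "ports": [{"containerPort": 80}]},
                    {"name": "sidecar", "image": "bigcorp/sidecar@sha256:" + "a" * 64},
                ],
            },
        },
    },
}

if __name__ == "__main__":
    for name, image in find_mutable_images(SAMPLE_DEPLOYMENT):
        print(f"VIOLATION container={name!r} image={image!r}: tag is missing or 'latest'")
```

Feed real manifests by replacing SAMPLE_DEPLOYMENT with the result of yaml.safe_load_all() over your files; the walker does not care which workload kind it is given. Note that is_immutable() accepts any non-latest tag, matching the rule on this page; if your policy is stricter, treat only a digest as passing.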

More information