This repository was archived by the owner on Jul 11, 2023. It is now read-only.
container images are not pinned #3715
Closed
Description
Container images should include the sha256 so that if there is a supply chain attack users are less vulnerable.
Ex: image: envoyproxy/envoy-alpine:v1.18.3
Should be - image: envoyproxy/envoy-alpine:v1.18.3@sha256:6225750f76e1e995690ce4a512aaff3ba5d9d70426926ec821b867346a703c0e
In the current instance this is made more problematic by specifying ALWAYS for the image pull policy, meaning the second the container is updated with a malicious payload it can be pulled down when a pod is created.
Scope (please mark with X where applicable)
- New Functionality [ x ]
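As an added example (not part of this issue or the project's own code): a small Python audit that parses image references into name, tag and digest and flags containers whose image is not pinned by `@sha256:` digest, treating `imagePullPolicy: Always` on an unpinned tag (including the Kubernetes default of `Always` for `:latest` or untagged images) as the higher-risk case the issue describes. The manifest is constructed; the two `envoyproxy/envoy-alpine` references are the ones quoted above, while the `sidecar` container and `registry.example.com:5000` are made-up inputs to exercise the port-vs-tag parsing.

```python
import re

# Simplified OCI reference grammar: [registry[:port]/]repo[:tag][@sha256:<64 hex>]
DIGEST_RE = re.compile(r"@(sha256:[0-9a-f]{64})$")

# Matches "image:", "imagePullPolicy:" and "name:" keys; a leading "- " opens a list entry.
KEY_RE = re.compile(r"^\s*(-\s+)?(name|image|imagePullPolicy):\s*(\S+)\s*$")


def parse_image_ref(ref):
    """Split an image reference into (name, tag, digest); tag and digest may be None."""
    digest = None
    m = DIGEST_RE.search(ref)
    if m:
        digest = m.group(1)
        ref = ref[: m.start()]
    tag = None
    # A ':' after the last '/' separates the tag; an earlier one is a registry port.
    if ref.rfind(":") > ref.rfind("/"):
        ref, tag = ref.rsplit(":", 1)
    return ref, tag, digest


def is_digest_pinned(ref):
    """True only when the reference carries a content digest, not just a mutable tag."""
    return parse_image_ref(ref)[2] is not None


def extract_containers(manifest):
    """Line-based scan of a manifest: collect list entries that carry an image key."""
    entries, current = [], None
    for line in manifest.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue
        dash, key, value = m.groups()
        if dash:  # "- name: x" or "- image: x" starts a new list entry
            current = {}
            entries.append(current)
        if current is not None:
            current[key] = value.strip("\"'")
    return [e for e in entries if "image" in e]


def audit_manifest(manifest):
    """Return one finding per container: pinned, unpinned, or unpinned with Always pull."""
    findings = []
    for c in extract_containers(manifest):
        name, tag, digest = parse_image_ref(c["image"])
        # Kubernetes default: Always for :latest / untagged (non-digest) images, else IfNotPresent.
        default = "Always" if (digest is None and tag in (None, "latest")) else "IfNotPresent"
        policy = c.get("imagePullPolicy", default)
        if digest:
            status = "pinned"
        elif policy == "Always":
            status = "unpinned-always-pull"  # a replaced tag is fetched on the next pod creation
        else:
            status = "unpinned"
        findings.append({"container": c.get("name", name), "image": c["image"],
                         "pullPolicy": policy, "status": status})
    return findings


# Constructed sample manifest (not from the project); the envoy references match the issue text.
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: envoy
spec:
  containers:
    - name: envoy-unpinned
      image: envoyproxy/envoy-alpine:v1.18.3
      imagePullPolicy: Always
    - name: envoy-pinned
      image: envoyproxy/envoy-alpine:v1.18.3@sha256:6225750f76e1e995690ce4a512aaff3ba5d9d70426926ec821b867346a703c0e
    - name: sidecar
      image: registry.example.com:5000/tools/sidecar
"""

if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print(f"{f['status']:22} {f['container']:15} pull={f['pullPolicy']:12} {f['image']}")
```

Running it over the sample reports `envoy-unpinned` and the untagged `sidecar` as `unpinned-always-pull` and `envoy-pinned` as `pinned`; the same scan can be dropped into CI to fail a build on any non-`pinned` status.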