Ensure that every container image has a hash digest in all Kubernetes workloads

MEDIUM

Description

Using an image digest can provide stability and ensure that software being deployed is of known versions for auditing purposes. The digest helps specify the version by uniquely identifying a specific set of layers while avoiding the pitfalls associated with image tags. For more information, see the Kubernetes documentation.
References:
https://kubernetes.io/docs/concepts/containers/images/
https://cloud.google.com/architecture/using-container-images

Remediation

In addition to a tag (whether it is latest or a specific name or number), every image has a content-addressable hash digest. Pulling by that digest ensures the image being pulled has not been changed, because the digest uniquely identifies the image's layers, whereas a tag can be moved to point at different content. Therefore, it is recommended to edit the 'pod:spec:containers:image' field value so that the reference ends in '@<digest>' instead of ':<tag>'.
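The following is an added example, not part of this policy page or the scanner's own implementation: a small Python check that walks a Pod manifest (constructed inline, as a dict already parsed from YAML) and reports every container image that is not pinned by a digest, splitting references carefully so that a registry port such as registry.local:5000 is not mistaken for a tag. The rule ID in the output is taken from this page; the manifest and image names are constructed sample values.

```python
import re

# A digest looks like "<algorithm>:<hex>", e.g. "sha256:<64 hex chars>".
DIGEST_RE = re.compile(r"[A-Za-z0-9_+.-]+:[0-9a-fA-F]{32,}")

def split_reference(image: str):
    """Return (name, tag, digest) for a container image reference.

    A colon after the last '/' separates a tag; a colon before it belongs to
    a registry host:port (e.g. "registry.local:5000/app" has no tag).
    """
    digest = None
    if "@" in image:
        image, digest = image.split("@", 1)
    name, tag = image, None
    if image.rfind(":") > image.rfind("/"):
        name, tag = image.rsplit(":", 1)
    return name, tag, digest

def has_digest(image: str) -> bool:
    """True only if the reference carries a well-formed '@<digest>' suffix."""
    _, _, digest = split_reference(image)
    return digest is not None and DIGEST_RE.fullmatch(digest) is not None

def find_unpinned_images(pod: dict) -> list:
    """List 'spec.<field>[<container>]=<image>' for every image without a digest."""
    spec = pod.get("spec", {})
    findings = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field, []):
            image = c.get("image", "")
            if not has_digest(image):
                findings.append(f"spec.{field}[{c.get('name')}]={image}")
    return findings

# Constructed sample manifest (hypothetical names and images).
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {
        "initContainers": [{"name": "init", "image": "busybox:1.36"}],
        "containers": [
            {"name": "app", "image": "registry.local:5000/app"},      # port, no digest
            {"name": "sidecar", "image": "nginx@sha256:" + "a" * 64},  # pinned
        ],
    },
}

if __name__ == "__main__":
    for finding in find_unpinned_images(SAMPLE_POD):
        print("AC_K8S_0069:", finding)
```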

Policy Details

Rule Reference ID: AC_K8S_0069
Remediation Available: No
Resource: kubernetes_pod
Resource Category: Compute
Resource Type: Pod

Frameworks