Disable update of "top level" objects

[mlbiam]

Question
Is there a way to disable the policy-controller's rewriting of top level objects' image tags to specific digests? For instance if I have the image: docker.io/mlbiam/openuison-operator:0.0.2 in a CronJob, the Pod gets image: index.docker.io/mlbiam/openunison-kubernetes-operator@sha256:a4af44351bfcf7fe1cfd05a9711f560127f6522508f89fd797e64d8a296d2159, which makes sense. The CronJob also gets this image though. Is there a way to disable this behavior?

While I understand that goal of pinning the specific hash, it means that my GitOps controller is no longer the source of truth for my configuration (and could create a "thrashing" scenario where my controller and what is in cluster are constantly out of sync).

[hectorj2f]

No. There isn't a way to disable the mutation from a tag to a digest. Using tags is a bad security practice. Your gitOps controller could use a digest with the image version, e.g. ldocker.io/library/golang:1.17.1@sha256:232a180dbcbcfa7250917507f3827d88a9ae89bb1cdd8fe3ac4db7b764ebb25a

[mlbiam]

Using tags is a bad security practice

digests are important because without a signature it's the only way for kubernetes to guarantee that the image being used is trusted. With signature validation it's redundant. I know the image is trusted because it's been validated against the identity used to sign it from the transparency log. If I don't trust that identity, i don't trust the automated process that generates the digest that's put in the manifest. it's redundant.

I get being "secure" by default, but this sort of rigidity is likely to lead to policy enforcement being turned off or being ignored. It's not a great idea to make assumptions for cluster operators without context and without the option to let more advanced users configure exceptions based on their level of risk tolerance. it will lead to a better UX and a more secure environment.

[CodeGlitcher]

Kinda have the same problem.
We use a few kuberntes operators en for some it is not really easy to override every image to the digest.

if the policy controller would have a option:
Juist validate the current digest of the selected tag on a pod start it would be perfect.
Our goal is juist to make sure that the pod we start is the pod we signed.