There I was at KubeCon, hanging out with some friends from Nebulaworks. We were talking about deploying container images.
“I always tell people to use the SHA256 digest of containers. That way you know exactly what you’re deploying,” said one of my buddies.
“Sure, but that’s a pain,” I replied, not thinking it through. “Just use the tags! That’s what everybody does.”
90 minutes later we’re sitting in a talk about container registries and some of the risky things you can do with them.
“You should always deploy by digest,” said Jon, one of the presenters. “When you deploy by tag, you’re basically piping curl into bash in production. Don’t do that.”
To show what’s possible, they implemented a chat service using pushes and pulls from a registry. “It’s built on what Jon has advised us to never do: pull by tag,” Jon’s colleague explained. This was just a fun example, but it was also a scary illustration of the scope of what a malicious user could do under the right circumstances.
My friend leaned over and loud-whispered “SHA256!”
“Just use the tags!” was a naive response.
I should have asked more questions. “Everybody deploys by tags; is that just a common mistake? A lot of registries have a feature that makes tags immutable; is that equivalent?” That would have left room for me to learn something.
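As an added example that is not from the post, here is a small Python simulation of the difference the talk is pointing at: a tag is a mutable pointer that a registry will move on the next push, while a digest is the SHA-256 of the manifest bytes and can be checked on pull. The registry class is an in-memory stand-in, not a real client, and the image name and manifests are constructed.

```python
import hashlib
import json
import re

def manifest_digest(manifest_bytes: bytes) -> str:
    # An image digest is the SHA-256 of the manifest bytes: it names content, not a pointer.
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()

def parse_reference(ref: str) -> dict:
    """Split 'name[:tag][@sha256:hex]'; a ':' before the last '/' is a registry port, not a tag."""
    name, _, digest = ref.partition("@")
    if digest and not re.fullmatch(r"sha256:[0-9a-f]{64}", digest):
        raise ValueError(f"malformed digest in {ref!r}")
    tag, colon = None, name.rfind(":")
    if colon > name.rfind("/"):
        name, tag = name[:colon], name[colon + 1:]
    return {"name": name, "tag": tag, "digest": digest or None}

class Registry:
    """Constructed in-memory stand-in for a registry (not a real client)."""
    def __init__(self):
        self.tags, self.blobs = {}, {}  # (name, tag) -> digest; digest -> manifest bytes
    def push(self, name: str, tag: str, manifest: dict) -> str:
        data = json.dumps(manifest, sort_keys=True).encode()
        digest = manifest_digest(data)
        self.blobs[digest] = data
        self.tags[(name, tag)] = digest  # pushing the same tag again silently moves the pointer
        return digest
    def pin(self, ref: str) -> str:
        """Resolve a tag once; deploy the returned name@sha256 form instead of the tag."""
        p = parse_reference(ref)
        return f'{p["name"]}@{p["digest"] or self.tags[(p["name"], p["tag"] or "latest")]}'
    def pull(self, ref: str) -> dict:
        """A digest reference is verified against the bytes received; a tag gets whatever it points at now."""
        p = parse_reference(ref)
        data = self.blobs[p["digest"] or self.tags[(p["name"], p["tag"] or "latest")]]
        if p["digest"] and manifest_digest(data) != p["digest"]:
            raise ValueError(f"manifest for {ref} does not match its pinned digest")
        return json.loads(data)

def demo() -> tuple:
    reg = Registry()
    v1 = {"schemaVersion": 2, "layers": [{"digest": "sha256:" + "11" * 32}]}  # constructed manifest
    reg.push("registry.example:5000/app", "1.0", v1)
    pinned = reg.pin("registry.example:5000/app:1.0")
    v2 = dict(v1, layers=[{"digest": "sha256:" + "22" * 32}])  # same tag re-pushed with new content
    reg.push("registry.example:5000/app", "1.0", v2)
    return reg.pull("registry.example:5000/app:1.0") == v2, reg.pull(pinned) == v1  # (True, True)
```

The tag-based pull quietly returns the re-pushed content, while the pinned reference still returns the original and would raise if the stored bytes no longer matched the digest.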
There’s so much knowledge out there. You’ll inevitably miss something. No matter how much you know, you’re still usually better off asking questions than making statements.