[Best Practice Proposal]: Production CNFs should use a specific version instead of latest tag for container images

Question

[Best Practice Proposal]: Production CNFs should use a specific version instead of latest tag for container images

Opened this issue 2 years ago · 3 comments

Summary

A production CNF should use an immutable tag that maps to a semantic version of the application.

"You should avoid using the :latest tag when deploying containers in production as it is harder to track which version of the image is running and more difficult to roll back properly."

Ref https://kubernetes.io/docs/concepts/containers/images/

Motivation

No response

Goals

No response

Non-Goals

No response

Proposal

Using the latest tag is an anti-pattern..

The :latest tag is what is applied to an image which does not have a tag, which does not mean, as some people expect, that :latest always points to the most-recently-pushed version of an image.

Workload Context

No response

User Stories

No response

Notes, Caveats, Constraints

As a related item we recommend locking image tags on the container registry for production releases to avoid overwriting a known good image. https://learn.microsoft.com/en-us/azure/container-registry/container-registry-image-tag-version#lock-deployed-image-tags

References

Answer 1 · 2023-02-28T18:09:35.000Z

Draft document https://docs.google.com/document/d/19pMyaFnZQoBzMMNm9DDt3wrMzl2aLlJ0GINWGDlMTzo/edit

Answer 2 · 2024-02-08T19:30:50.000Z

draft started. good first issue

Answer 3 · 2024-02-08T19:31:03.000Z

test in test catalog exists