Using :latest or Missing Image Tags
Detect containers using the :latest image tag or no tag at all. Learn why pinning image versions is critical for reproducible Kubernetes deployments.
Image Management
Detailed Explanation
The Problem with :latest
The :latest tag in container images is mutable — it points to whatever was pushed most recently. Using it in Kubernetes manifests creates several problems.
Example with Tag Issues
apiVersion: apps/v1
kind: Deployment
metadata:
name: frontend
labels:
app: frontend
spec:
replicas: 2
selector:
matchLabels:
app: frontend
template:
metadata:
labels:
app: frontend
spec:
securityContext:
runAsNonRoot: true
containers:
- name: web
image: nginx:latest
resources:
limits:
cpu: 200m
memory: 128Mi
- name: sidecar
image: fluent/fluentd
resources:
limits:
cpu: 100m
memory: 64Mi
What the Validator Flags
- Warning: Container 'web' uses ':latest' tag. Pin to a specific version.
- Warning: Container 'sidecar' image 'fluent/fluentd' has no tag. This defaults to ':latest'.
Why Pin Image Versions
| Problem | With :latest | With pinned version |
|---|---|---|
| Reproducibility | Different nodes may pull different images | Same image everywhere |
| Rollbacks | Cannot roll back to "previous latest" | kubectl rollout undo works |
| Auditing | No record of what version ran | Image tag in manifest is the record |
| Cache behavior | imagePullPolicy: Always required |
Can use IfNotPresent |
| Security scanning | Can't track which vulnerabilities apply | Scan specific version |
Best Practices for Image Tags
- Use semantic versions:
myapp:3.1.0, notmyapp:latest - Use SHA digests for critical workloads:
myapp@sha256:abc123... - Set
imagePullPolicy: IfNotPresentwhen using pinned tags - Never use
:latestin production manifests - Automate image updates with tools like Renovate or Flux image automation
Use Case
Enforcing image tag policies in CI/CD pipelines to prevent non-reproducible deployments. Critical for regulated environments that require audit trails of deployed software versions.