Using Latest or Blank Image Tag in Kubernetes

High Risk infrastructure-security
kubernetescontainer-securityimage-managementsupply-chaindeployment-securitymutable-tags

What it is

Kubernetes deployments using 'latest' image tags or no tag specification create security vulnerabilities by potentially deploying untested, vulnerable, or malicious container images. The mutable nature of 'latest' tags means deployments can unpredictably pull different images over time, introducing known CVEs without proper review.

# VULNERABLE: Deployments using latest or no tags

apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-app
  namespace: production
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web-app
  template:
    metadata:
      labels:
        app: web-app
    spec:
      containers:
      - name: web-server
        image: nginx:latest  # VULNERABLE: Mutable latest tag
        ports:
        - containerPort: 80
      - name: app-backend
        image: node  # VULNERABLE: No tag (defaults to latest)
        ports:
        - containerPort: 3000

# VULNERABLE: StatefulSet with latest tag
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: database
spec:
  serviceName: postgres
  replicas: 1
  selector:
    matchLabels:
      app: database
  template:
    metadata:
      labels:
        app: database
    spec:
      containers:
      - name: postgres
        image: postgres:latest  # VULNERABLE: Mutable database image
        env:
        - name: POSTGRES_PASSWORD
          value: secret
# SECURE: Deployments with pinned versions

apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-app
  namespace: production
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web-app
  template:
    metadata:
      labels:
        app: web-app
    spec:
      containers:
      - name: web-server
        image: nginx:1.25.3-alpine  # SECURE: Specific version tag
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
      - name: app-backend
        image: node:18.17.0-alpine  # SECURE: Specific version tag
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3000

# SECURE: StatefulSet with immutable digest
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: database
spec:
  serviceName: postgres
  replicas: 1
  selector:
    matchLabels:
      app: database
  template:
    metadata:
      labels:
        app: database
    spec:
      containers:
      - name: postgres
        # SECURE: Immutable SHA256 digest pinning
        image: postgres@sha256:a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456
        imagePullPolicy: IfNotPresent
        env:
        - name: POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: password

💡 Why This Fix Works

The vulnerable examples use 'latest' tags or omit tags entirely, allowing mutable images that can change unpredictably and introduce security vulnerabilities. The secure version pins images to specific version tags or immutable SHA256 digests, ensuring consistent and predictable deployments with imagePullPolicy set to IfNotPresent to prevent unexpected image pulls.

Why it happens

Kubernetes manifests use 'latest' image tags for convenience during development and testing. These convenient but mutable tags often make it into production deployments without being replaced with specific version pins.

Root causes

Latest Tag for Development Convenience

Kubernetes manifests use 'latest' image tags for convenience during development and testing. These convenient but mutable tags often make it into production deployments without being replaced with specific version pins.

Omitted Image Tags

Container image specifications in Kubernetes manifests omit tags entirely (e.g., 'nginx' without ':version'). When no tag is specified, Kubernetes defaults to 'latest', creating the same security issues as explicit latest usage.

No Image Versioning Strategy

Organizations lack formal image version management and pinning strategies for Kubernetes deployments. Without documented policies and processes, teams default to using mutable tags instead of implementing version control.

Development Tags in Production

Kubernetes manifests use development-oriented mutable tags like 'dev', 'staging', 'nightly', or 'rolling' in production environments. These tags continuously update with new builds, introducing untested changes into production.

Missing Policy Enforcement

Kubernetes clusters lack admission controllers (Kyverno, OPA Gatekeeper) to enforce image pinning policies. Without automated enforcement, there's no prevention mechanism for deploying workloads with mutable or missing image tags.

Fixes

1

Pin Images to Specific Versions

Replace 'latest' tags and add explicit version tags to all container image references in Kubernetes manifests (e.g., 'nginx:1.25.3', 'node:18.17.0-alpine'). Include full semantic versions (major.minor.patch) for maximum specificity.

2

Use SHA256 Digest References

Reference images by immutable SHA256 digests instead of tags (e.g., 'nginx@sha256:abc123...'). Digest-based references provide cryptographic guarantees that the exact same image is deployed every time, preventing tag manipulation.

3

Deploy Admission Controllers

Install admission controllers like Kyverno or OPA Gatekeeper to enforce image pinning policies. Configure policies to reject or mutate Pod specs that use 'latest' tags or omit image tags entirely.

4

Enforce Versioning in CI/CD

Establish image versioning policies in your CI/CD pipelines that automatically tag images with semantic versions or commit SHAs. Integrate checks that prevent deployment manifests with 'latest' tags from reaching production.

5

Configure IfNotPresent Pull Policy

Set imagePullPolicy: IfNotPresent in container specs to prevent Kubernetes from pulling images on every pod restart. This ensures pinned versions remain consistent and reduces the risk of accidentally pulling newer vulnerable images.

6

Implement Regular Version Updates

Establish processes to regularly review and update pinned image versions after security reviews and testing. Use automated tools like Renovate or Dependabot to create PRs for image updates with changelogs and vulnerability scans.

Detect This Vulnerability in Your Code

Sourcery automatically identifies using latest or blank image tag in kubernetes and many other security issues in your codebase.

Scan Your Code for Free Explore More Vulnerabilities