Skip to content
This repository was archived by the owner on Sep 23, 2025. It is now read-only.

Commit 2774881

Browse files
0xiso0xiso
committed
Preserve original tag when resolving an image tag to digest
Signed-off-by: Yuto Iso <6024009+0xiso@users.noreply.github.com>
1 parent e58d7f5 commit 2774881

2 files changed

Lines changed: 47 additions & 2 deletions

File tree

pkg/webhook/validator.go

Lines changed: 12 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1078,7 +1078,12 @@ func (v *Validator) resolvePodSpec(ctx context.Context, ps *corev1.PodSpec, opt
10781078
logging.FromContext(ctx).Debugf("Unable to resolve digest %q: %v", ref.String(), err)
10791079
continue
10801080
}
1081-
cs[i].Image = digest.String()
1081+
// Keep the original tag and append the digest
1082+
if tagRef, ok := ref.(name.Tag); ok {
1083+
cs[i].Image = fmt.Sprintf("%s@%s", tagRef.Name(), digest.DigestStr())
1084+
} else {
1085+
cs[i].Image = digest.String()
1086+
}
10821087
}
10831088
}
10841089
}
@@ -1102,7 +1107,12 @@ func (v *Validator) resolvePodSpec(ctx context.Context, ps *corev1.PodSpec, opt
11021107
logging.FromContext(ctx).Debugf("Unable to resolve digest %q: %v", ref.String(), err)
11031108
continue
11041109
}
1105-
cs[i].Image = digest.String()
1110+
// Keep the original tag and append the digest
1111+
if tagRef, ok := ref.(name.Tag); ok {
1112+
cs[i].Image = fmt.Sprintf("%s@%s", tagRef.Name(), digest.DigestStr())
1113+
} else {
1114+
cs[i].Image = digest.String()
1115+
}
11061116
}
11071117
}
11081118
}

pkg/webhook/validator_test.go

Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -136,6 +136,9 @@ func TestValidatePodSpec(t *testing.T) {
136136
// Resolved via crane digest on 2022/09/29
137137
digestNewer := name.MustParseReference("gcr.io/distroless/static:nonroot@sha256:2a9e2b4fa771d31fe3346a873be845bfc2159695b9f90ca08e950497006ccc2e")
138138

139+
// Digest only reference (without tag)
140+
digestOnly := name.MustParseReference("gcr.io/distroless/static@sha256:be5d77c62dbe7fedfb0a4e5ec2f91078080800ab1f18358e5f31fcc8faa023c4")
141+
139142
ctx, _ := rtesting.SetupFakeContext(t)
140143

141144
// Non-existent URL for testing complete failure
@@ -681,6 +684,38 @@ func TestValidatePodSpec(t *testing.T) {
681684
},
682685
),
683686
cvs: authorityPublicKeyCVS,
687+
}, {
688+
name: "digest only",
689+
ps: &corev1.PodSpec{
690+
Containers: []corev1.Container{{
691+
Name: "user-container",
692+
Image: digestOnly.String(),
693+
}},
694+
},
695+
customContext: config.ToContext(context.Background(),
696+
&config.Config{
697+
ImagePolicyConfig: &config.ImagePolicyConfig{
698+
Policies: map[string]webhookcip.ClusterImagePolicy{
699+
"cluster-image-policy": {
700+
Images: []v1alpha1.ImagePattern{{
701+
Glob: "gcr.io/*/*",
702+
}},
703+
Authorities: []webhookcip.Authority{
704+
{
705+
Key: &webhookcip.KeyRef{
706+
Data: authorityKeyCosignPubString,
707+
PublicKeys: []crypto.PublicKey{authorityKeyCosignPub},
708+
HashAlgorithm: signaturealgo.DefaultSignatureAlgorithm,
709+
HashAlgorithmCode: crypto.SHA256,
710+
},
711+
},
712+
},
713+
},
714+
},
715+
},
716+
},
717+
),
718+
cvs: pass,
684719
}}
685720

686721
for _, test := range tests {

0 commit comments

Comments
 (0)