Validating Container Images

In order to mitigate supply chain risks, Welkin enforces that all platform container images use both a tag and a digest. While tags like v1.0 provide human-readable versioning, they are mutable; if a tag is overwritten in the registry, the code running in your environment can change without notice. By enforcing a cryptographic digest, we ensure that every Node in the environment pulls the exact same byte-for-byte image. This eliminates "tag drift" and guarantees that deployments remain immutable, reproducible, and verifiable across their entire lifecycle.

This policy is implemented using Kyverno, which acts as an admission controller and automatically validates that every platform container image adheres to this requirement before the workload is admitted to the cluster.
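As an added illustration of how such a check is expressed (this is not Welkin's own policy, whose exact rules the page does not show), the Kyverno ClusterPolicy below rejects any Pod whose containers reference an image that is not written as `repository:TAG@sha256:DIGEST`; the policy name and the registry in the message are assumptions.

```yaml
# Added example, not Welkin's policy: require both a tag and a sha256 digest
# on every container image. The regex deliberately rejects registry:PORT/image@sha256:...
# (a port is not a tag) and image:TAG (no digest) and image@sha256:... (no tag).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-image-tag-and-digest   # assumed name
spec:
  # Enforce blocks the admission request; Audit would only record a violation.
  validationFailureAction: Enforce
  # Also scan already-running Pods so tag drift shows up in policy reports.
  background: true
  rules:
    - name: tag-and-digest-in-all-containers
      match:
        any:
          - resources:
              kinds:
                - Pod   # Kyverno auto-generates matching rules for Deployments, Jobs, etc.
      validate:
        message: >-
          Image {{ element.image }} must be pinned with both a tag and a digest,
          for example registry.example.com/app:v1.0@sha256:<digest>.
        foreach:
          # One loop per container list; initContainers is optional, so the
          # JMESPath fallback to an empty list keeps the rule from failing when absent.
          - list: "request.object.spec.containers"
            deny:
              conditions:
                any:
                  - key: "{{ regex_match('^[^@]+:[A-Za-z0-9_][A-Za-z0-9_.-]*@sha256:[a-f0-9]+$', element.image) }}"
                    operator: Equals
                    value: false
          - list: "request.object.spec.initContainers || `[]`"
            deny:
              conditions:
                any:
                  - key: "{{ regex_match('^[^@]+:[A-Za-z0-9_][A-Za-z0-9_.-]*@sha256:[a-f0-9]+$', element.image) }}"
                    operator: Equals
                    value: false
```

Apply it with `kubectl apply -f` and test with a Pod that uses `nginx:1.25` (rejected, no digest) versus `nginx:1.25@sha256:<digest>` (admitted); an ephemeralContainers loop can be added in the same shape if your clusters use them.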