Pinning Container Images by Digest: Preventing Upstream Tampering

Overview

This article replaces mutable image tags with immutable SHA256 digests across all HelmRelease values and sidecar containers. Image tags like v2.31.2 can be re-pushed with different content by the upstream maintainer — your next pod restart silently pulls the modified image. Digests are content-addressed and cannot be changed after publishing.