Kaniko: image tag references are misleading/incorrect
Context
In the Dockerfile the image being used is
FROM gcr.io/kaniko-project/executor:v1.6.0-debug as upstream
In the hardening manifest yaml the image tags are being set as
tags:
- "v1.6.0"
- "v1.6.0-debug"
- "debug"
- "latest"
Issue
Labeling them all the same thing when this is really the :debug version of the executor is a mischaracterization for teams wanting to use the more secure non-debug version. The true upstream of v1.6.0 has no shell (where the -debug version does).
Suggested Resolution
Suggest either creating a new variant for the straight non-debug style of Kaniko or removing the non-debug tag "v1.6.0" from the hardening manifest.
Thanks
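The mismatch reported above can be caught mechanically. The following is an added example, not part of the original issue or the project's tooling: a lint that compares the Dockerfile's upstream tag with the manifest's published tags. The function names, the inline sample inputs, and the rule that any published tag lacking the `debug` marker is flagged (which also catches `latest`) are assumptions made for illustration.

```python
import re

# Constructed inputs mirroring the two fragments quoted in the issue.
DOCKERFILE = "FROM gcr.io/kaniko-project/executor:v1.6.0-debug as upstream\n"
MANIFEST = 'tags:\n- "v1.6.0"\n- "v1.6.0-debug"\n- "debug"\n- "latest"\n'

FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)", re.I | re.M)
ITEM_RE = re.compile(r"""^\s*-\s*["']?([^"'\s#]+)["']?\s*$""")


def upstream_tag(dockerfile):
    """Tag of the first FROM image, or None if it is untagged or digest-only."""
    m = FROM_RE.search(dockerfile)
    if not m:
        return None
    ref = m.group(1).split("@", 1)[0]      # drop any @sha256:... digest
    tail = ref.rsplit("/", 1)[-1]          # avoid mistaking a registry port for a tag
    return tail.split(":", 1)[1] if ":" in tail else None


def manifest_tags(manifest):
    """Items of the top-level `tags:` list (plain block-list form only)."""
    tags, in_tags = [], False
    for line in manifest.splitlines():
        if re.match(r"^tags:\s*$", line):
            in_tags = True
        elif in_tags:
            m = ITEM_RE.match(line)
            if m:
                tags.append(m.group(1))
            elif line.strip():             # next key ends the list
                break
    return tags


def misleading_tags(dockerfile, manifest, variant="debug"):
    """Published tags that hide the variant the upstream image actually is."""
    def marked(tag):
        return tag == variant or tag.endswith("-" + variant)

    up = upstream_tag(dockerfile)
    if up is None or not marked(up):
        return []                          # upstream is not the variant: nothing to flag
    return [t for t in manifest_tags(manifest) if not marked(t)]


if __name__ == "__main__":
    for tag in misleading_tags(DOCKERFILE, MANIFEST):
        print(f"tag {tag!r} does not indicate the debug (shell-bearing) upstream")
```
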