
Add digest to all container images references in manifests and documentation #6987

Open
Tracked by #9249
nberlee opened this issue Mar 22, 2023 · 2 comments


nberlee commented Mar 22, 2023

Feature Request

Adding a SHA256 digest to container image references in Talos machine config (static manifests) during new installations/upgrades and release notes (installer image) improves integrity control by ensuring immutability, providing verification and enhancing traceability. This leads to more secure, reliable, and consistent control plane deployments.

Description

Using a SHA256 digest in addition to the container image tag in Talos makes sense for several reasons, particularly with respect to integrity control. In this context, integrity control refers to the assurance that a container image has not been tampered with or altered in any way from its original state. By adding @sha256: to the image reference, Talos can offer its users more secure and reliable control plane deployments.

Immutability: When you use only a container image tag, there is no guarantee that the image associated with that tag will remain the same. Tags are mutable, meaning they can be updated and overwritten with new images, potentially leading to inconsistencies in deployed containers. By including a SHA256 digest, you lock the reference to a specific image, ensuring that the same image is always deployed.

Verification: A SHA256 digest provides a means to verify that the image has not been altered since it was created. By comparing the hash of the downloaded image to the expected hash, you can confirm that the image is unmodified and has not been tampered with. This ensures that the container's contents are consistent and secure.

Traceability: Including a digest with container image references makes it easier to trace the origin of a container and its contents. This can be useful in diagnosing issues or identifying security vulnerabilities in Kubernetes control plane images.

Compatibility: While the proposed enhancement does not replace signature solutions like Cosign, it complements them by adding an additional layer of security. Signature solutions verify the identity of the container image publisher and provide assurances that the image comes from a trusted source. By implementing SHA256 digests, Talos can offer users a more robust and comprehensive approach to container security.

In summary, adding a SHA256 digest to container image references in Talos during new installations and upgrades is a valuable enhancement for integrity control. This feature would ensure immutability, provide verification and enhance traceability. By implementing this improvement, Talos can help users ensure that they are deploying secure, reliable, and consistent container images in the manifests.

Places where this needs to be changed

  • Documentation, where the installer image is referenced, including in release notes.
  • Machine configuration generation (talosctl gen)
  • Upgrade of kubernetes (talosctl upgrade-k8s)
  • ...?
@nberlee changed the title from "Add digest to all container images" to "Add digest to all container images references in manifests and documentation" on Mar 22, 2023
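To make the immutability and verification points above concrete, here is an added example (not code from the issue or from the Talos project) in Go, Talos' own language. It parses image references, reports which `image:` fields in a machine-config-shaped document lack a digest, computes a digest the way a registry does (sha256 over the exact manifest bytes served for a tag) and rewrites a tag-only reference to `tag@sha256:...`. The sample config, image names, tags, digest values and manifest bytes are constructed placeholders; `ParseRef`, `PinRef` and `UnpinnedImages` are hypothetical helper names, not Talos or talosctl APIs.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// digestRe accepts the digest form used in OCI image references:
// "sha256:" followed by exactly 64 lowercase hex characters.
var digestRe = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)

// ImageRef is a parsed reference of the form [registry/]repository[:tag][@digest].
type ImageRef struct {
	Repository string
	Tag        string
	Digest     string
}

// ParseRef splits a reference into repository, tag and digest and rejects
// malformed digests, since a bad digest gives a false sense of pinning.
func ParseRef(ref string) (ImageRef, error) {
	var r ImageRef
	rest := ref
	if i := strings.Index(rest, "@"); i >= 0 {
		r.Digest = rest[i+1:]
		rest = rest[:i]
		if !digestRe.MatchString(r.Digest) {
			return r, fmt.Errorf("invalid digest %q in %q", r.Digest, ref)
		}
	}
	// The tag separator is the last ':' after the last '/', so a registry
	// port such as localhost:5000/repo is not mistaken for a tag.
	slash := strings.LastIndex(rest, "/")
	if colon := strings.LastIndex(rest, ":"); colon > slash {
		r.Tag = rest[colon+1:]
		rest = rest[:colon]
	}
	if rest == "" {
		return r, fmt.Errorf("empty repository in %q", ref)
	}
	r.Repository = rest
	return r, nil
}

// Pinned reports whether the reference is locked to one image by digest.
// A tag alone is mutable and can be repointed at a different image.
func (r ImageRef) Pinned() bool { return r.Digest != "" }

// ManifestDigest computes the digest as a registry does: sha256 over the
// exact manifest bytes returned for the tag. Any change to the manifest
// (and therefore to the layers it lists) changes this value.
func ManifestDigest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// PinRef rewrites a tag-only reference to tag@digest. The tag stays for
// readability; the digest is what the runtime actually resolves.
func PinRef(ref string, manifest []byte) (string, error) {
	r, err := ParseRef(ref)
	if err != nil {
		return "", err
	}
	if r.Pinned() {
		return ref, nil
	}
	return ref + "@" + ManifestDigest(manifest), nil
}

// imageLine matches "image: <ref>" fields in YAML-style machine config text.
var imageLine = regexp.MustCompile(`(?m)^\s*image:\s*"?([^"\s]+)"?\s*$`)

// UnpinnedImages returns every image reference in the document that is not
// pinned by a valid digest, so they can be flagged before rollout.
func UnpinnedImages(doc string) []string {
	var out []string
	for _, m := range imageLine.FindAllStringSubmatch(doc, -1) {
		r, err := ParseRef(m[1])
		if err != nil || !r.Pinned() {
			out = append(out, m[1])
		}
	}
	return out
}

// sampleConfig is a constructed fragment shaped like a Talos machine config.
// Image names, tags and the digest are illustrative, not real release values.
var sampleConfig = `
cluster:
  apiServer:
    image: registry.k8s.io/kube-apiserver:v1.26.3
  controllerManager:
    image: registry.k8s.io/kube-controller-manager:v1.26.3@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  etcd:
    image: gcr.io/etcd-development/etcd:v3.5.7
`

func main() {
	for _, ref := range UnpinnedImages(sampleConfig) {
		fmt.Println("unpinned:", ref)
	}
	// Constructed manifest bytes stand in for what the registry would serve.
	manifest := []byte(`{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json"}`)
	pinned, _ := PinRef("registry.k8s.io/kube-apiserver:v1.26.3", manifest)
	fmt.Println("pinned:", pinned)
}
```

The scan deliberately treats a reference with a malformed digest as unpinned rather than skipping it: the failure mode worth catching is a reference that looks pinned but would be rejected or ignored by the runtime.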

nberlee commented Mar 22, 2023

Digest of Kubernetes release images can be easily parsed from: https://sbom.k8s.io/version/release
This is ideal as it is a separate server to the registry.

But it's not that easy, as the version tag is referencing a multi-arch manifest, which is not in the SBOM.
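The multi-arch problem in the comment above is that a tag like `v1.26.3` resolves to an OCI image index (Docker: manifest list), whose digest is the sha256 of the index bytes, while a per-platform SBOM lists the digests of the individual platform manifests inside it. The added Go example below (not code from the issue or from Talos or Kubernetes tooling) decodes a constructed index, resolves the manifest digest for a given os/arch, and reconciles the index with a constructed SBOM digest set, showing that the index digest itself is never found there. `ResolvePlatform`, `ReconcileWithSBOM`, the index JSON and all digest values are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Platform mirrors the platform object of an OCI content descriptor.
type Platform struct {
	OS           string `json:"os"`
	Architecture string `json:"architecture"`
}

// Descriptor is the subset of an OCI content descriptor used here.
type Descriptor struct {
	MediaType string    `json:"mediaType"`
	Digest    string    `json:"digest"`
	Size      int64     `json:"size"`
	Platform  *Platform `json:"platform,omitempty"`
}

// Index is an OCI image index: the object a multi-arch tag points at. Its
// digest is the sha256 of the index bytes, distinct from every per-platform
// manifest digest it lists.
type Index struct {
	SchemaVersion int          `json:"schemaVersion"`
	MediaType     string       `json:"mediaType"`
	Manifests     []Descriptor `json:"manifests"`
}

// DigestOf returns the registry-style digest of raw content bytes.
func DigestOf(b []byte) string {
	sum := sha256.Sum256(b)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// ResolvePlatform returns the digest of the per-platform manifest for os/arch,
// which is the digest a per-platform SBOM would describe.
func ResolvePlatform(indexBytes []byte, os, arch string) (string, error) {
	var idx Index
	if err := json.Unmarshal(indexBytes, &idx); err != nil {
		return "", fmt.Errorf("decode index: %w", err)
	}
	for _, d := range idx.Manifests {
		if d.Platform != nil && d.Platform.OS == os && d.Platform.Architecture == arch {
			return d.Digest, nil
		}
	}
	return "", fmt.Errorf("no manifest for %s/%s in index", os, arch)
}

// ReconcileWithSBOM checks an index against the digest set parsed from an
// SBOM. It returns the platform manifest digests the SBOM does not list, and
// whether the SBOM lists the index digest itself (expected false: SBOMs
// describe platform images, not the index the tag resolves to).
func ReconcileWithSBOM(indexBytes []byte, sbom map[string]bool) (missing []string, indexListed bool) {
	var idx Index
	if err := json.Unmarshal(indexBytes, &idx); err != nil {
		return nil, false
	}
	for _, d := range idx.Manifests {
		if !sbom[d.Digest] {
			missing = append(missing, d.Digest)
		}
	}
	return missing, sbom[DigestOf(indexBytes)]
}

// Constructed sample index with two platform manifests. The digests are
// placeholders, not real Kubernetes release digests.
const (
	amd64Digest = "sha256:1111111111111111111111111111111111111111111111111111111111111111"
	arm64Digest = "sha256:2222222222222222222222222222222222222222222222222222222222222222"
)

var sampleIndex = []byte(`{"schemaVersion":2,` +
	`"mediaType":"application/vnd.oci.image.index.v1+json",` +
	`"manifests":[` +
	`{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"` + amd64Digest +
	`","size":1234,"platform":{"os":"linux","architecture":"amd64"}},` +
	`{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"` + arm64Digest +
	`","size":1234,"platform":{"os":"linux","architecture":"arm64"}}]}`)

// sampleSBOM stands in for the digest set parsed from per-platform SBOMs.
var sampleSBOM = map[string]bool{amd64Digest: true, arm64Digest: true}

func main() {
	d, _ := ResolvePlatform(sampleIndex, "linux", "arm64")
	fmt.Println("linux/arm64 manifest digest:", d)
	fmt.Println("index (tag) digest:         ", DigestOf(sampleIndex))
	missing, listed := ReconcileWithSBOM(sampleIndex, sampleSBOM)
	fmt.Println("platform digests missing from SBOM:", len(missing), "index digest in SBOM:", listed)
}
```

The practical consequence for pinning: a reference can be pinned to the index digest (one reference that works on every architecture, verified against the SBOM by walking the index as above), or to a platform manifest digest taken directly from the SBOM, which then only works for that platform.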


github-actions bot commented Jul 4, 2024

This issue is stale because it has been open 180 days with no activity. Remove stale label or comment or this will be closed in 7 days.
