Digester resolves tags to digests for container and init container images in Kubernetes Pod and Pod template specs.

It replaces container image references that use tags:

spec:
  containers:
  - image: gcr.io/google-containers/echoserver:1.10

With references that use the image digest:

spec:
  containers:
  - image: gcr.io/google-containers/echoserver:1.10@sha256:cb5c1bddd1b5665e1867a7fa1b5fa843a47ee433bbb75d4293888b71def53229

Digester can run either as a mutating admission webhook in a Kubernetes cluster, or as a client-side Kubernetes Resource Model (KRM) function with the kpt or kustomize command-line tools.

If a tag points to an image index or manifest list, digester resolves the tag to the digest of the image index or manifest list.

The webhook is opt-in at the namespace level by label, see Deploying the webhook.

If you use Binary Authorization, digester can help to ensure that only verified container images can be deployed to your clusters. A Binary Authorization attestation is valid for a particular container image digest. You must deploy container images by digest so that Binary Authorization can verify the attestations for the container image. You can use digester to deploy container images by digest.

1. Download the digester binary for your platform from the Releases page.

   Alternatively, you can download the latest version using these commands:

   VERSION=v0.1.7
   curl -Lo digester "https://github.com/google/k8s-digester/releases/download/${VERSION}/digester_$(uname -s)_$(uname -m)"
   chmod +x digester

2. Install kpt v1.0.0-beta.1 or later, and/or install kustomize.

3. Run the digester KRM function:

   • Using kpt:

     kpt fn eval [manifest directory] --exec ./digester

   • Using kustomize:

     kustomize fn run [manifest directory] --enable-exec --exec-path ./digester

   By running as an executable, the KRM function has access to container image registry credentials in the current environment, such as the current user's Docker config file and credential helpers. For more information, see the digester documentation on Authenticating to container image registries.

Install the digester webhook in your Kubernetes cluster by following the steps in the package documentation.

• Tutorial

• Motivation

• Recommendations

• Authenticating to container image registries

• Configuring GKE Workload Identity for authenticating to Container Registry and Artifact Registry

• Resolving common issues

• Troubleshooting

• Building digester

• Developing digester

• Releasing digester

This is not an officially supported Google product.