Sertaç Özercan

Results 248 comments of Sertaç Özercan

@francRang why not set `release` or `tag` here? for example: `helm install ... --set image.release=v3.9.0@sha123... --set postInstall.labelNamespace.image.tag=v3.9.0@sha789` (in this case v3.9.0 is just for human readability purposes and will be...

@francRang What I meant was, do we need this PR if we can specify a digest as part of `release` or `tag` value? Are there any advantages of adding a...

@willbeason are we okay to close this original issue with compiler sharding changes in v3.8?

I think image labels can only be extracted by doing an inspect on the image and we wouldn't know this information at admission time. This data needs to be...

If you store your scan info (like vulnerabilities) in image labels, wouldn't you need to rebuild images constantly to update the labels?

Usually container registries or container scanning solutions store this information separately, referencing the image digest. So you would query the relevant API to get this information. They would also periodically...

I believe kubelet and CRI get the image uid, then check with SecurityContext/PSP on whether this is allowed: https://github.com/kubernetes/kubernetes/blob/f0b7ad3ee06c5168fef5fa4f01fe445ece595f89/pkg/kubelet/kuberuntime/kuberuntime_container.go#L303-L311 As Max mentioned, unfortunately this information is not available for admission...

@maxsmythe sounds like it does, I thought that was interesting.

```
// In order to work properly this assumes that the kubelet performs a final check on runAsUser
// or...
```

Thanks for the report @ranjith-vatakkeel. Looks like this might be a bug in the AKS policies, I am checking with the team.

Tests are a little flaky unfortunately. Does it change if you run it multiple times or does it fail in the same step every time?