How can I disable mutation for managed sidecars

[BitRacer]

I'm using a managed version of service mesh in GKE, Anthos Service Mesh. The managed service mesh injects envoy sidecars and references the containers by tag, not with a sha. The result of mutating the sha on the sidecar is that ASM cannot determine what version is installed and chaos ensues.

Is there a way to disable mutation for a container, or set of containers. for example gcr.io/releases/asm*

I only want to skip this mutation for theses sidecars. Not for the main container, which is signed and delivered with a sha

I can't find any examples of how to set this in the cluster policy or mutating webhook config.

[hectorj2f]

@BitRacer I wouldn't recommend to disable the mutation for a container. In addition to that, I won't recommend it as a security best practice consists on relying on digests instead of tags.

[hectorj2f]

It is not possible today to disable it with the existing source code. Feel free to make any changes to that logic.

[zhuoyang]

It would be nice to be able to disable the mutation, it is more obvious what version of image is running on the cluster There are container registries that support immutable tags anyway, that could resolve the security concern of using tags.

[Mukuls77]

cosign support verify using image with Tag, as during cosign verify cosign converts tag to digest before doing the verification, so i dont see really the benefit of doing the mutation in policy controller to modify IMAG:TAG -> IMAGE@sha256 as with this in podsepcs we loose the important TAG information, it would be nice if policy controller does not do this mutation and let cosign library does it. do we have an specific reason why we do this in policy controller before calling cosign verify