Skip to content

enable immutable tags on production artifact registries #8010

New issue
New issue
Open
Open
enable immutable tags on production artifact registries#8010
Labels
area/infra/gcpIssues or PRs related to Kubernetes GCP infrastructurearea/release-engIssues or PRs related to the Release Engineering subprojectpriority/important-longtermImportant over the long term, but may not be staffed and/or may need multiple releases to complete.sig/k8s-infraCategorizes an issue or PR as relevant to SIG K8s Infra.
Milestone
 
v1.34
@BenTheElder

Description

@BenTheElder
BenTheElder
opened on Apr 17, 2025

I don't think we've done this yet, we can gain a little more peace of mind if we know the promoter jobs don't have access to this, only the terraform automation (and ideally not even that, we should really only let a handful of infra leads and the CNCF have access to manipulate the GCP project hosting release images).

note: immutable tags are incompatible with cleanup policies, for this and other reasons we should only enable them for production registries and not staging

note: deleting untagged images is still permitted in this mode, so this mode is not a complete "append-only" option xref #8008

https://cloud.google.com/artifact-registry/docs/docker/names#versions

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/infra/gcpIssues or PRs related to Kubernetes GCP infrastructurearea/release-engIssues or PRs related to the Release Engineering subprojectpriority/important-longtermImportant over the long term, but may not be staffed and/or may need multiple releases to complete.sig/k8s-infraCategorizes an issue or PR as relevant to SIG K8s Infra.

    Type

    No type

    Projects

    SIG K8S Infra

    Status

    No status

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions