Why You Shouldn’t Use :latest Tag

TechOps Examples

Hey — It's Govardhana MK 👋

Along with a use case deep dive, we identify the remote job opportunities, top news, tools, and articles in the TechOps industry.




🛠️ TOOL OF THE DAY

cyclops - A tool to create custom Kubernetes UIs for developers using Helm charts, no coding required.

🧠 USE CASE

Why You Shouldn’t Use :latest Tag

You’ve likely seen it, or even used it: ‘image: yourapp:latest’

It’s everywhere. Dockerfiles. Helm charts. Terraform modules. CI/CD pipelines default to it. Kubernetes accepts it without a fuss.

But here’s the catch: :latest doesn’t mean newest.

It means whatever image someone last tagged as :latest, which could be something built five minutes ago, five months ago, or by mistake.

Real World Failures Caused by :latest

Let’s talk about what actually breaks when :latest sneaks into your environment:

1. Kubernetes Deployment Drift

Let’s say a team shipped a Helm release with ‘image: backend:latest’.

It worked in staging. But in production, a different developer had pushed their own local :latest. Same tag, different code.

Pods pulled the wrong image. The app broke silently.

2. CI/CD Instability

A GitHub Actions pipeline built and pushed :latest.

Another pipeline, triggered hours later, ran integration tests using the same :latest, expecting the original build.

But a new commit had already overwritten it. Tests failed. Everyone thought the code was broken, when in reality the image had changed mid-run.

3. Terraform’s Dirty State

An AWS ECS deployment managed via Terraform had a task definition pointing to :latest.

After a redeploy, ECS fetched a different image from what was previously running, even though no infrastructure change was made. Terraform applied cleanly. The app didn’t. Likewise, I can go on and on and on…

Let’s Look at What’s Really Going On

Here’s how image tagging behaves behind the scenes:

# Build and tag version 0.1
docker build -t techopsapp:0.1 .

# Build again without specifying a tag
# (this is tagged as 'techopsapp:latest' by default)
docker build -t techopsapp .

# Build version 0.2
# (unless you manually re-tag or push 'latest' again, it still points to the earlier build)
docker build -t techopsapp:0.2 .

The key point: ‘latest’ doesn’t track anything automatically.

Instead, try this:

1. Use semantic versions or commit SHAs

docker build -t techopsapp:1.3.7 -t techopsapp:commit-b6fa2e1 .

2. Pin digests in deployment manifests

image: techopsapp@sha256:abcdef123...

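A digest is a hash of the image content, so unlike a tag it cannot be repointed to a different build. This guarantees exact image reproducibility across clusters and pipelines.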

3. Automate moving tags like :staging, :prod

Only your CI/CD pipeline should assign these. Never push them manually.

4. Enforce policies

  • Use conftest, kube-linter, or OPA to flag use of :latest

  • Set CI checks to reject PRs or pushes that reference :latest
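One way to implement the CI check from step 4, as an added example that is not part of the original newsletter: a Python script that classifies every image reference in a manifest and fails on :latest, untagged, or malformed-digest references. The function names, the sample manifest, and the registry host are constructed here, and the script assumes rendered YAML (for example the output of helm template), not raw Helm templates.

```python
import re
import sys

# Matches `image: <ref>` in rendered Kubernetes/Compose YAML; quotes are optional.
IMAGE_LINE = re.compile(r"""^\s*(?:-\s*)?image:\s*["']?([^\s"'#]+)""")
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

def classify(ref):
    """Return 'digest', 'malformed', 'untagged', 'latest' or 'tag' for an image reference."""
    if "@" in ref:                       # a digest pin must be a full sha256 value
        return "digest" if DIGEST.search(ref) else "malformed"
    last = ref.rsplit("/", 1)[-1]        # drop registry host[:port] and repository path
    if ":" not in last:
        return "untagged"                # the runtime resolves this to :latest
    return "latest" if last.rsplit(":", 1)[1] == "latest" else "tag"

def scan(text, require_digest=False):
    """Return [(line_no, ref, kind)] for image references that break the policy."""
    bad = {"latest", "untagged", "malformed"} | ({"tag"} if require_digest else set())
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = IMAGE_LINE.match(line)
        if m and classify(m.group(1)) in bad:
            findings.append((n, m.group(1), classify(m.group(1))))
    return findings

# Constructed sample manifest (not from the page); the digest is a dummy value.
SAMPLE = f"""\
containers:
  - name: api
    image: techopsapp:latest
  - name: worker
    image: registry.example.com:5000/techopsapp
  - name: web
    image: "techopsapp:1.3.7"
  - name: db
    image: techopsapp@sha256:{'ab' * 32}
"""

if __name__ == "__main__":
    # CI usage: pass rendered manifest paths as arguments; exits 1 on any finding.
    texts = [open(p).read() for p in sys.argv[1:]] or [SAMPLE]
    hits = [f for t in texts for f in scan(t)]
    for line_no, ref, kind in hits:
        print(f"line {line_no}: {ref} ({kind})")
    sys.exit(1 if hits else 0)
```

Note the second finding in the sample: a reference with a registry port but no tag is still an implicit :latest, which a plain search for the string ":latest" would miss.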

Skip :latest. You’ll sleep better.
