fix(k8s): document image digest pinning for production deployments

[dknos]

Summary

• Adds guidance for pinning container images by SHA256 digest in production K8s deployments
• Mutable tags like :latest, :24-dind, :22 can drift unexpectedly, creating supply chain risk

Test plan

• Verify K8s manifest still applies cleanly with kubectl apply --dry-run=client
• Review comments for accuracy

Fixes #1436

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Switched container images to immutable, digest-pinned references to improve deployment stability and security.
• Bug Fixes
  • Tightened the Discord preset network policy by removing DELETE access from the wildcard HTTP allowance, reducing risk of unintended deletions.

[coderabbitai]

Warning

Rate limit exceeded

@dknos has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 5 minutes and 35 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 5 minutes and 35 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 90d330d9-1d84-4485-ac2a-1a1e1cc43de9

📥 Commits

Reviewing files that changed from the base of the PR and between 33369d1 and 994e54d.

📒 Files selected for processing (2)

• k8s/nemoclaw-k8s.yaml
• nemoclaw-blueprint/policies/presets/discord.yaml

📝 Walkthrough

Walkthrough

Updated Kubernetes manifest to pin three container images by SHA256 digest and removed a DELETE allowance from a Discord network policy rule in a YAML preset.

Changes

Cohort / File(s)	Summary
K8s image pinning k8s/nemoclaw-k8s.yaml	Replaced mutable image tags (docker:24-dind, node:22, busybox) with digest-pinned references (@sha256:...) for dind, workspace, and init-docker-config. Pod spec fields otherwise unchanged.
Policy rule removal nemoclaw-blueprint/policies/presets/discord.yaml	Removed the network_policies.discord rule allowing DELETE requests to /**, leaving GET, POST, PUT, and PATCH methods allowed.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 I nibbled through tags, found them loose and wild,
I tucked each image safe — digest-pinned and styled.
A rule trimmed gently, a DELETE gone away,
Now pods hop calmly and policies play. 🥕✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Out of Scope Changes check	⚠️ Warning	The PR includes an out-of-scope change: removal of DELETE method from discord.yaml network policy, which is unrelated to the image digest pinning objective in issue #1436.	Remove the discord.yaml policy change or address it in a separate PR, keeping this change focused solely on K8s image digest pinning as specified in issue #1436.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix(k8s): document image digest pinning for production deployments' accurately describes the main change: updating K8s container image references to use SHA256 digest pinning instead of mutable tags.
Linked Issues check	✅ Passed	The PR successfully addresses issue #1436 by pinning all three container images (dind, workspace, init-docker-config) to SHA256 digests in k8s/nemoclaw-k8s.yaml, eliminating the mutable tag supply chain vulnerability.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@k8s/nemoclaw-k8s.yaml`:
- Line 29: Replace the mutable image tags in the k8s/nemoclaw-k8s.yaml manifest
with immutable image digests: locate the image: fields currently set to
docker:24-dind and the other two mutable tags and change them to fully qualified
references using the tag plus `@sha256`:<digest> (e.g. name:tag@sha256:...) or
split dev/prod manifests and pin only the production overlay; ensure the three
occurrences (the image: entries referenced in the comment) are updated so
deployments use the pinned digests rather than mutable tags.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 38afd286-483f-4169-8c73-eb06f57d5362

📥 Commits

Reviewing files that changed from the base of the PR and between c99e3e8 and 60fb97f.

📒 Files selected for processing (2)

• k8s/nemoclaw-k8s.yaml
• nemoclaw-blueprint/policies/presets/huggingface.yaml

[dknos]

Updated — images are now pinned by SHA256 digest. Removed out-of-scope huggingface.yaml change.

[dknos]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[dknos]

Confirmed resolved: all three container image references in k8s/nemoclaw-k8s.yaml now use @sha256: digest pinning (docker:24-dind, node:22, busybox). Comments about digest pinning have been replaced with actual pinned image fields. CodeRabbit's latest re-review marked the file as trivially changed with no actionable comments.

[dknos]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.