Log SHA of image being pulled/used by Kubernetes executor in job output
Description
When a job is run using the Docker executor, it will include a line like this:
Using docker image sha256:39b93e0c83c6afa6b5803a2b651629ea73bf2d3136ac8c6a22415034d2cb7e26 for ruby:latest with digest ruby@sha256:e75f1da5372940f6997c94c9c48db8e4292fb625ca49035fa53e7e5b9124d6fb ...This is coming from the PullManager of the Docker executor: https://gitlab.com/gitlab-org/gitlab-runner/-/blob/14-10-stable/executors/docker/internal/pull/manager.go#L117
With the Kubernetes executor, there is no information about the SHA being used. The output in that case only includes the image:tag, but not the explicit SHA this resolves to at execution time.
Using Kubernetes executor with image registry.gitlab.com/security-products/container-scanning:4 ...This line is also present for the Docker executor:
Using Docker executor with image ruby:latest ...Proposal
I suggest adding a line similar to the one in the Docker executor to provide an easy way of knowing what image exactly was used for any specific job.
Looking at the PullManager for the Kubernetes executor, it seems that the information might be as readily available here. image is *types.ImageInspect for the Docker executor, but string for Kubernetes. Looks like there imagePullErr.Image is used mainly? (Both Go and Kubernetes are not my forte, so might all be irrelevant.)
Links to related issues and merge requests / references
I'm currently handling image:tag combination within minutes. I'm fairly certain we're looking at some kind of caching issue, but it's hard to debug/prove because we have no way of telling to which SHA the tag is being resolved at runtime.