dcesario This is the one we discussed, can you do a double-check of 2.1 and 2.2 templates & images to confirm it is really an issue.

I'm told that the templates we ship in 2.1 and 2.2, via use of Image Streams / ImageStreamLists, do not restrict sufficiently the versions of the Container Images of components that can be deployed.

e.g. a user who deployed AMP 2.1 using it's template, on a re-deploy could end up deploying an image that comes from AMP 2.2, via use of the "latest" version.

NOTE: Deprecating images in the registry marks them as deprecated (hence not maintained, and may have CVEs etc) and doesn't remove them, as that would break customer deployments.

"Latest" is intended to allow us to ship updated patch versions and have them used automatically instead of a previous patch version with a bug. e.g. 2.1.1 image is deployed instead of 2.1.0.

What we should ensure we do is that "latest" used in a 2.1.* template cannot deploy a 2.2.X image.