There has been a discussion at our shop about whether the folks responsible for maintaining our docker hosts and deploying containers should accept images directly from the development team.

One camp says that the development team should provide the application binaries and configuration, and the deployment/docker team should build the images starting from approved base images. The argument is that this prevents developers from including unapproved utilites/tools in their images (regulated industry here…)

The other camp says that the deployer should visualize the container as an application itself, and prevent disallowed behavior by permissioning the container, not attempting to control the contents of the container at all. In this case, the developers would provide a built image as an application, and the deployers would assign resources and permissions as they see fit/negotiate with the devs.

Any real-world insights?