kyverno: [Bug] [CLI] Lack of tag is not internally replaced with `latest`

Kyverno CLI Version

1.6.x

Description

In the webhook, when Kyverno sees an image with no tag it will internally assume a tag of latest. This is not happening in the CLI and negative tests cases which should fail because the image does not specify a tag are not.

Steps to reproduce

1. Apply this policy in the webhook and set to enforce.
2. Apply this Deployment and see it’s blocked.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: baddeployment01
  labels:
    app: busybox
  namespace: foo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: busybox
  template:
    metadata:
      labels:
        app: busybox
    spec:
      containers:
      - image: busybox
        name: busybox
        command: ["sleep", "9999"]

1. Write a test case for the CLI which should also fail and see it does not.

name: disallow_latest_tag
policies:
  - disallow_latest_tag.yaml
resources:
  - resource.yaml
results:
  - policy: disallow-latest-tag
    rule: validate-image-tag
    resource: baddeployment01
    kind: Deployment
    result: fail

│────│─────────────────────│────────────────────│─────────────────────────────────────│────────│
│ #  │ POLICY              │ RULE               │ RESOURCE                            │ RESULT │
│────│─────────────────────│────────────────────│─────────────────────────────────────│────────│
│ 10 │ disallow-latest-tag │ validate-image-tag │ default/Deployment/baddeployment01  │ Fail   │
│────│─────────────────────│────────────────────│─────────────────────────────────────│────────│

Expected behavior

The CLI performs the same internal mutations/assumptions as the webhook allowing the result to show as a pass.

Screenshots

No response

Kyverno logs

No response

Slack discussion

No response

Troubleshooting

• I have read and followed the troubleshooting guide.
• I have searched other issues in this repository and mine is not recorded.