It's all handled as part of the manifests as well as we can have our clusters pulled if we are caught using non approved containers and they are all scanned when they are brought into the disconnected environment.
I work on Platform one and we use and deploy new versions of these containers weekly and have never had them break in that way. In the Beginning when I was on the Kubernetes team we struggled with the containers just not working at all but they have gotten better.
Now I work on deploying and we run every container from IB and have few issues. If you find them report the images and they will fix them pretty quick.
We do this right now in a totally disconnected env. We have process in place to get images and manifests into our env. All containers have to go through scanning pipelines and have to be approved through a process.
We also for any container that makes requests that does not have the mechanisms for adding certificates we have to rebuild the containers in the disconnected env to insert certificates to allow communication.