C-0064 - Image pull policy on latest image tag
Framework
ArmoBest
Description of the issue
Check all images with the 'latest' tag (or no tag at all) whose 'imagePullPolicy' field is set to 'Never' or 'IfNotPresent'. If any exist, Kubernetes may run an older version of the container image (if one happens to be cached on the node) without the user knowing about it.
Related resources
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
What does this control test
Check all images that have the 'latest' tag or no tag at all and have the 'imagePullPolicy' field set to 'Never' or 'IfNotPresent'.
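The check described above, written out as an added Python example (this is not Kubescape's own Rego rule). It assumes manifests have already been parsed into dicts, and goes slightly beyond the text: it also walks init containers and the pod template of the listed workload kinds, and it recognises digest-pinned references and registry ports so they are not mistaken for tags.

```python
# Flag containers whose mutable ':latest' (or untagged) image is combined with a
# pull policy that may reuse a stale cached image ('Never' or 'IfNotPresent').
RISKY_POLICIES = {"Never", "IfNotPresent"}


def image_tag(image: str):
    """Return the tag of an image reference, or None if it has no tag.
    A digest reference (name@sha256:...) is immutable and is reported as 'digest'.
    Only the last path segment is inspected, so a registry port such as
    'host:5000/app' is not mistaken for a tag."""
    if "@" in image:
        return "digest"
    last = image.rsplit("/", 1)[-1]
    return last.split(":", 1)[1] if ":" in last else None


def pod_spec(manifest: dict) -> dict:
    """Locate the pod spec for the kinds this control covers."""
    kind, spec = manifest.get("kind"), manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec["jobTemplate"]["spec"]["template"]["spec"]
    # Deployment, DaemonSet, Job, ReplicaSet, StatefulSet embed a pod template.
    return spec["template"]["spec"]


def find_violations(manifest: dict) -> list:
    """Return (container name, image, policy) for every offending container.
    An omitted imagePullPolicy is not reported: Kubernetes defaults it to
    'Always' for ':latest' and untagged images, which is the remediated state."""
    spec = pod_spec(manifest)
    hits = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        policy = c.get("imagePullPolicy")
        if image_tag(c["image"]) in (None, "latest") and policy in RISKY_POLICIES:
            hits.append((c["name"], c["image"], policy))
    return hits


# Constructed sample manifest (not from the page) covering the edge cases.
DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {
    "initContainers": [{"name": "init", "image": "busybox", "imagePullPolicy": "IfNotPresent"}],
    "containers": [
        {"name": "web", "image": "registry.example:5000/web:latest", "imagePullPolicy": "Never"},
        {"name": "pinned", "image": "registry.example:5000/web:1.4.2", "imagePullPolicy": "IfNotPresent"},
        {"name": "bydigest", "image": "web@sha256:" + "0" * 64, "imagePullPolicy": "IfNotPresent"},
        {"name": "default", "image": "web:latest"},  # policy omitted -> defaults to Always
    ]}}}}

if __name__ == "__main__":
    for name, image, policy in find_violations(DEPLOYMENT):
        print(f"{name}: {image} pulled with imagePullPolicy={policy}")
```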
Remediation
Set the 'imagePullPolicy' field to 'Always'. The image will not be downloaded again if the cached copy has the same digest as the one in the registry.
Example
apiVersion: v1
kind: Pod
metadata:
  name: private-image-test-1
spec:
  containers:
    - name: uses-private-image
      image: gcr.io/google-samples/microservices-demo/loadgenerator:latest # we look at the image tag (after the ":")
      imagePullPolicy: Always # we look at this field
      command: [ "echo", "SUCCESS" ]
Updated 6 months ago