C-0064 - Image pull policy on latest image tag

Framework

ArmoBest

Description of the issue

Check all images that use the latest tag (or no tag at all, which the container runtime treats as latest) and have the 'imagePullPolicy' field set to 'Never' or 'IfNotPresent'. With either policy the kubelet reuses a locally cached image instead of pulling, so Kubernetes may run an older version of the image (if one happens to be cached on that node) without the user knowing. Note that when 'imagePullPolicy' is omitted for a latest or untagged image, Kubernetes defaults it to 'Always', so this finding only appears where the policy was set explicitly.

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

Check all containers whose image has the latest tag or no tag, and whose 'imagePullPolicy' field is set to 'Never' or 'IfNotPresent'.
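One way to implement the check described above, as an added example that is not the rule Kubescape ships for this control: a stand-alone Python checker that reads workloads as plain dicts (what json.load on a manifest or kubectl -o json yields). Beyond the basic test it handles the cases a practitioner actually hits: a registry port that looks like a tag, digest-pinned references, initContainers and ephemeralContainers, the deeper CronJob nesting, and the Kubernetes default of 'Always' when the policy is omitted. The sample workloads are constructed for illustration.

```python
# Added example (not the Kubescape control's own Rego rule): a self-contained
# checker that flags containers the way C-0064 describes. Input objects are
# Kubernetes resources as plain dicts (what json.load on a manifest or
# `kubectl get ... -o json` yields); SAMPLE_OBJECTS below is constructed data.
from typing import Dict, Iterable, List, Tuple

# Where the pod spec lives in each workload kind this control covers.
_POD_SPEC_PATH = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}
# Container lists inside a pod spec that can carry an image.
_CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")

def image_tag(image: str) -> Tuple[str, str]:
    """Split an image reference into (tag, digest), "" for whichever is absent.
    Only the last path component is inspected, so a registry port
    ("registry.local:5000/app") is not mistaken for a tag; the digest is split
    off first because "sha256:..." itself contains a colon."""
    digest = ""
    if "@" in image:
        image, digest = image.split("@", 1)
    last = image.rsplit("/", 1)[-1]
    tag = last.split(":", 1)[1] if ":" in last else ""
    return tag, digest

def is_mutable_latest(image: str) -> bool:
    """True when the reference means 'latest' and is not pinned by a digest."""
    tag, digest = image_tag(image)
    if digest:
        return False  # a digest is immutable; the tag is informational only
    return tag in ("", "latest")  # no tag is treated as :latest by the runtime

def pod_spec_of(obj: Dict) -> Dict:
    """Walk to the pod spec for a supported kind; {} for anything else."""
    path = _POD_SPEC_PATH.get(obj.get("kind"))
    if path is None:
        return {}
    node = obj
    for key in path:
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return node if isinstance(node, dict) else {}

def find_violations(obj: Dict) -> List[str]:
    """Return 'kind/name/container' for each container violating C-0064: a
    'latest' or untagged image AND an explicit imagePullPolicy of 'Never' or
    'IfNotPresent'. An omitted policy is not a finding because Kubernetes
    defaults it to 'Always' for such images."""
    spec = pod_spec_of(obj)
    kind = obj.get("kind", "<unknown>")
    name = obj.get("metadata", {}).get("name", "<unnamed>")
    found = []
    for field in _CONTAINER_FIELDS:
        for c in spec.get(field) or []:
            policy = c.get("imagePullPolicy")
            if is_mutable_latest(c.get("image", "")) and policy in ("Never", "IfNotPresent"):
                found.append(f"{kind}/{name}/{c.get('name', '?')}")
    return found

def scan(objects: Iterable[Dict]) -> List[str]:
    return [v for o in objects for v in find_violations(o)]

# Constructed sample workloads, not real cluster data.
SAMPLE_OBJECTS = [
    {   # untagged image + IfNotPresent: a stale cached copy may run
        "kind": "Deployment", "metadata": {"name": "web"},
        "spec": {"template": {"spec": {"containers": [
            {"name": "app", "image": "registry.local:5000/web",
             "imagePullPolicy": "IfNotPresent"}]}}},
    },
    {   # :latest + Never in a CronJob initContainer; the main container is pinned
        "kind": "CronJob", "metadata": {"name": "nightly"},
        "spec": {"jobTemplate": {"spec": {"template": {"spec": {
            "initContainers": [{"name": "prep", "image": "ghcr.io/example/tool:latest",
                                "imagePullPolicy": "Never"}],
            "containers": [{"name": "run", "image": "ghcr.io/example/tool:1.4.2",
                            "imagePullPolicy": "IfNotPresent"}]}}}}},
    },
    {   # :latest with the policy omitted: defaults to Always, so not a finding
        "kind": "Pod", "metadata": {"name": "ok-default"},
        "spec": {"containers": [{"name": "c", "image": "nginx:latest"}]},
    },
    {   # digest-pinned: immutable even though the tag reads latest
        "kind": "Pod", "metadata": {"name": "ok-digest"},
        "spec": {"containers": [{"name": "c", "imagePullPolicy": "IfNotPresent",
                                 "image": "nginx:latest@sha256:" + "a" * 64}]},
    },
]

if __name__ == "__main__":
    for v in scan(SAMPLE_OBJECTS):
        print("C-0064 violation:", v)
```

Run against the constructed samples it reports only the Deployment's untagged container and the CronJob's initContainer; the pod that omits the policy and the digest-pinned pod are correctly left alone. Feeding it the items array of a real `kubectl get deploy,ds,sts,job,cronjob,pod -A -o json` is the obvious next step.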

Remediation

Set the 'imagePullPolicy' field to 'Always'. This does not force a full download on every container start: the kubelet resolves the tag against the registry and only pulls when the resolved digest differs from the image already cached on the node. For a stronger guarantee, reference the image by an immutable tag or by digest ('image@sha256:<digest>'), so that what runs is not decided by whatever the registry currently labels 'latest'.

Example

apiVersion: v1
kind: Pod
metadata:
  name: private-image-test-1
spec:
  containers:
    - name: uses-private-image
      image: gcr.io/google-samples/microservices-demo/loadgenerator:latest # we look at the image tag (after the ":")
      imagePullPolicy: Always   # we look at this field
      command: [ "echo", "SUCCESS" ]
