C-0075 - Image pull policy on latest tag

Framework

DevOpsBest

Description of the issue

While using the latest tag is not generally recommended, in some cases it is necessary. If it is, ImagePullPolicy must be set to Always; otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads, because Kubernetes checks the hash of the local image against the registry and only pulls the image if this hash has changed, which is exactly what users want when they use the latest tag. This control identifies all PODs with the latest tag that do not have ImagePullPolicy set to Always.

Note as well that some vendors don't use the word latest in the tag; some other word may behave like latest. For example, Redis uses redis:alpine to signify the latest. Therefore, this control treats any tag that does not contain digits as latest. If no tag is specified, the image is treated as latest too.

Related resources

CronJob, DaemonSet, Deployment, Job, Pods, ReplicaSet, StatefulSet

What does this control test

If imagePullPolicy is Always, the control passes; otherwise it fails.
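The rule described above can be sketched as follows. This is an added example, not the control's own implementation: the function names and the sample Deployment are constructed, and it assumes that digest-pinned references are not treated as latest, that a missing imagePullPolicy counts as a failure, and that init containers are checked too.

```python
import re

def floating_tag(image: str) -> bool:
    """True when the rule above would treat this image reference as 'latest'."""
    if "@" in image:                  # assumption: a digest pin is immutable, not 'latest'
        return False
    last = image.rsplit("/", 1)[-1]   # drop registry host[:port] and repository path
    if ":" not in last:
        return True                   # no tag specified -> treated as latest
    tag = last.split(":", 1)[1]
    return not re.search(r"\d", tag)  # tag without any digit -> treated as latest

def pod_spec_of(obj: dict) -> dict:
    """Locate the pod spec inside the resource kinds this control covers."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "Pod":
        return spec
    if obj.get("kind") == "CronJob":
        return spec["jobTemplate"]["spec"]["template"]["spec"]
    return spec["template"]["spec"]   # Deployment, DaemonSet, Job, ReplicaSet, StatefulSet

def failing_containers(obj: dict) -> list:
    """Return (name, image) for containers that would fail the control."""
    spec = pod_spec_of(obj)
    # assumption: init containers are evaluated the same way as regular ones
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return [(c["name"], c["image"]) for c in containers
            if floating_tag(c["image"]) and c.get("imagePullPolicy") != "Always"]

# Constructed sample manifest, already parsed into a dict (e.g. from YAML)
SAMPLE = {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [
    {"name": "cache", "image": "redis:alpine", "imagePullPolicy": "IfNotPresent"},
    {"name": "web", "image": "nginx:1.25.3", "imagePullPolicy": "IfNotPresent"},
    {"name": "app", "image": "example/app:latest", "imagePullPolicy": "Always"},
    {"name": "api", "image": "registry.local:5000/team/api"},
]}}}}

if __name__ == "__main__":
    for name, image in failing_containers(SAMPLE):
        print(f"FAIL {name}: {image} needs imagePullPolicy: Always")
```

The registry port in `registry.local:5000/team/api` is not mistaken for a tag because only the last path component is inspected.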

Remediation

Set ImagePullPolicy to Always in all PODs found by this control.

Example

No example

