Setting Image Pull Policy to "Always"

Learn how to check containers for image pull policy settings.


Hello. My name is Grace Gude and I am an engineering manager at Fairwinds. Today, I'd like to discuss a Kubernetes best practice that we follow here at Fairwinds regarding the image pull policy.

You can avoid problems with images by ensuring that the image pull policy is set to Always. Relying on cached versions of a Docker image can introduce a security vulnerability, because Kubernetes will attempt to use the cached version of an image without verifying where it came from.

If the kubelet has a container image with the exact digest cached locally, it uses its cached image. Otherwise, the kubelet downloads the image with the resolved digest and uses that image to launch the container. It's important to note that setting the image pull policy to Always does not bypass the local container caching mechanisms. It simply verifies that the cache matches the upstream source. This means there are almost no downsides to this configuration.

You can find more information about the image pull policy being set to Always within Insights under Action Items. You'll see you have several action items regarding the image pull policy. You can click on that action item. It'll show you where to find that particular issue and a brief description, including some links to documentation, as well as remediation. For image pull policy, we will set that in our pod spec like so. You can see that I have just added that within the pod spec here, and that will take care of that action item.
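The check described above can also be run against manifests before they are applied. The following is an added example, not Fairwinds Insights code: it walks Pods and pod templates, reads the imagePullPolicy field on each container, and when the field is omitted applies the Kubernetes defaulting rule (Always for a missing or :latest tag, IfNotPresent otherwise). The function names and the sample objects are assumptions constructed for illustration.

```python
# Constructed sample shaped like `kubectl get deploy,cronjob,pod -o json` output (not real cluster data).
SAMPLE = {"kind": "List", "items": [
    {"kind": "Deployment", "metadata": {"name": "web"}, "spec": {"template": {"spec": {
        "initContainers": [{"name": "migrate", "image": "shop/migrate"}],
        "containers": [{"name": "app", "image": "registry.example.com:5000/shop/web:1.4.2"}]}}}},
    {"kind": "CronJob", "metadata": {"name": "report"}, "spec": {"jobTemplate": {"spec": {
        "template": {"spec": {"containers": [
            {"name": "gen", "image": "shop/report:2.0", "imagePullPolicy": "Always"}]}}}}}},
    {"kind": "Pod", "metadata": {"name": "debug"}, "spec": {"containers": [
        {"name": "shell", "image": "busybox:1.36", "imagePullPolicy": "Never"}]}},
]}

def pod_spec(obj):
    """Return the pod spec of a Pod, a CronJob, or any workload with spec.template."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "Pod":
        return spec
    if obj.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})

def effective_policy(container):
    """Explicit policy, or the default Kubernetes assigns when the field is omitted."""
    if container.get("imagePullPolicy"):
        return container["imagePullPolicy"]
    image = container.get("image", "")
    if "@" in image:                      # image pinned by digest
        return "IfNotPresent"
    last = image.rsplit("/", 1)[-1]       # drop registry host:port and repository path
    tag = last.split(":", 1)[1] if ":" in last else "latest"
    return "Always" if tag == "latest" else "IfNotPresent"

def audit(manifest):
    """List (kind, object, container, policy) for every container not pulling with Always."""
    items = manifest["items"] if "items" in manifest else [manifest]
    findings = []
    for obj in items:
        spec = pod_spec(obj)
        for key in ("initContainers", "containers"):
            for c in spec.get(key, []):
                policy = effective_policy(c)
                if policy != "Always":
                    findings.append((obj["kind"], obj["metadata"]["name"], c["name"], policy))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("imagePullPolicy is %s, not Always: %s/%s container %s"
              % (finding[3], finding[0], finding[1], finding[2]))
```

Objects read back from a live cluster already carry the defaulted value, so the tag-based fallback matters mainly for manifests checked in CI before deployment.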