Image pull policy of the container is not set to always
Ce produit n'est pas pris en charge par le
site Datadog que vous avez sélectionné. (
).
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Id: aa737abf-6b1d-4aba-95aa-5c160bd7f96e
Cloud Provider: Kubernetes
Platform: Terraform
Severity: Low
Category: Insecure Configurations
Learn More
Description
The container’s image_pull_policy must be defined and set to Always.
The container image must not use the :latest tag.
This rule checks container paths in kubernetes_pod (spec.container) and kubernetes_deployment (spec.template.spec.container) resources.
Compliant Code Examples
resource "kubernetes_pod" "busybox" {
metadata {
name = "busybox-tf"
}
spec {
container {
image = "busybox"
command = ["sleep", "3600"]
name = "busybox"
image_pull_policy = "Always"
}
restart_policy = "Always"
}
}
Non-Compliant Code Examples
resource "kubernetes_deployment" "example" {
metadata {
name = "terraform-example"
labels = {
test = "MyExampleApp"
}
}
spec {
replicas = 3
selector {
match_labels = {
test = "MyExampleApp"
}
}
template {
metadata {
labels = {
test = "MyExampleApp"
}
}
spec {
container {
image = "nginx:1.7.8"
name = "example"
image_pull_policy = "IfNotPresent"
resources {
limits = {
cpu = "0.5"
memory = "512Mi"
}
requests = {
cpu = "250m"
memory = "50Mi"
}
}
}
}
}
}
}
resource "kubernetes_pod" "busybox" {
metadata {
name = "busybox-tf"
}
spec {
container {
image = "busybox"
command = ["sleep", "3600"]
name = "busybox"
image_pull_policy = "IfNotPresent"
}
restart_policy = "Always"
}
}
