Image pull policy of the container is not set to always

문서 > Datadog 보안 > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Image pull policy of the container is not set to always

이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

Id: caa3479d-885d-4882-9aac-95e5e78ef5c2

Cloud Provider: Kubernetes

Platform: Kubernetes

Severity: Low

Category: Insecure Configurations

Learn More

Provider Reference

Description

The container imagePullPolicy must be set to Always. This requirement applies when the image is referenced with an explicit tag (contains ‘:’) and is not referenced by digest (@...) or by the :latest tag. Setting imagePullPolicy to Always ensures the image is pulled on every start and prevents relying on mutable images cached locally.

Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: private-image-test-1
spec:
  containers:
    - name: uses-private-image
      image: $PRIVATE_IMAGE_NAME
      imagePullPolicy: Always
      command: [ "echo", "SUCCESS" ]

Non-Compliant Code Examples

apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-with-image-pull-policy
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: library/nginx:1.20.0
          imagePullPolicy: IfNotPresent

apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-with-image-pull-policy1
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: library/nginx:1.20.0

apiVersion: v1
kind: Pod
metadata:
  name: private-image-test-always
spec:
  containers:
    - name: uses-private-image
      image: $PRIVATE_IMAGE_NAME:1.2
      imagePullPolicy: Never
      command: [ "echo", "SUCCESS" ]