
Metadata

Id: aa737abf-6b1d-4aba-95aa-5c160bd7f96e

Cloud Provider: Kubernetes

Platform: Terraform

Severity: Low

Category: Insecure Configurations


Description

The container's `image_pull_policy` must be explicitly defined and set to `Always`, and the container image must not use the `:latest` tag. Note that an image reference with no tag at all (for example `image = "busybox"`) is resolved by Kubernetes as `:latest`, so untagged references should be avoided for the same reason. With `Always`, the kubelet re-resolves the image reference against the registry on every container start, so a pod cannot silently keep running a stale or locally tampered cached image; with `IfNotPresent` (the Kubernetes default for any tag other than `:latest`), a node that already holds an image with that name reuses it without consulting the registry. Mutable tags such as `:latest` also make deployments non-reproducible and hard to audit or roll back; for stronger supply-chain guarantees, pin images by digest (`image@sha256:…`) in addition to setting the pull policy. This rule checks container paths in `kubernetes_pod` (`spec.container`) and `kubernetes_deployment` (`spec.template.spec.container`) resources.

Compliant Code Examples

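# Compliant: the pull policy is explicit and the image tag is pinned.
resource "kubernetes_pod" "busybox" {
  metadata {
    name = "busybox-tf"
  }

  spec {
    container {
      # Pin to an immutable tag. The untagged reference "busybox" is resolved by
      # Kubernetes as "busybox:latest", which is exactly what this rule warns
      # against; a digest reference (busybox@sha256:...) is stronger still.
      image   = "busybox:1.36.1"
      command = ["sleep", "3600"]
      name    = "busybox"

      # "Always" makes the kubelet re-resolve the reference against the registry
      # on every container start instead of reusing a cached image on the node.
      image_pull_policy = "Always"
    }

    restart_policy = "Always"
  }
}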

Non-Compliant Code Examples


# Non-compliant: the container sets image_pull_policy = "IfNotPresent".
resource "kubernetes_deployment" "example" {
  metadata {
    name = "terraform-example"
    labels = {
      test = "MyExampleApp"
    }
  }

  spec {
    replicas = 3

    selector {
      match_labels = {
        test = "MyExampleApp"
      }
    }

    template {
      metadata {
        labels = {
          test = "MyExampleApp"
        }
      }

      # The rule inspects spec.template.spec.container on deployments.
      spec {
        container {
          # The tag is pinned (not :latest), but that alone does not satisfy the rule.
          image             = "nginx:1.7.8"
          name              = "example"
          # Fails the rule: "IfNotPresent" lets a node reuse whatever image it already
          # holds under this name without checking the registry. Use "Always".
          image_pull_policy = "IfNotPresent"

          resources {
            limits = {
              cpu    = "0.5"
              memory = "512Mi"
            }
            requests = {
              cpu    = "250m"
              memory = "50Mi"
            }
          }
        }
      }
    }
  }
}
# Non-compliant: the container sets image_pull_policy = "IfNotPresent".
resource "kubernetes_pod" "busybox" {
  metadata {
    name = "busybox-tf"
  }

  # The rule inspects spec.container on pods.
  spec {
    container {
      # Untagged reference: Kubernetes resolves this as "busybox:latest".
      image   = "busybox"
      command = ["sleep", "3600"]
      name    = "busybox"

      # Fails the rule: combined with the untagged image above, "IfNotPresent"
      # means a node keeps running whichever "latest" it cached, with no
      # registry check on start. Use "Always".
      image_pull_policy = "IfNotPresent"
    }

    restart_policy = "Always"
  }
}