Enforce Image Pull Policy Always 1.1.2

Ensures that images are always pulled from the registry even if they are already present on the node.

Rationale

The following quote describes the effect of setting imagePullPolicy: Always in detail:

Every time the kubelet launches a container, the kubelet queries the container image registry to resolve the name to an image digest. If the kubelet has a container image with that exact digest cached locally, the kubelet uses its cached image; otherwise, the kubelet downloads (pulls) the image with the resolved digest, and uses that image to launch the container.

Source: Kubernetes Configuration Best Practices

  • Images
  • Security

Applies to

  • Pod
  • ReplicaSet
  • ReplicationController
  • Deployment
  • StatefulSet
  • DaemonSet
  • Job
  • CronJob

Example

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.14.2
          ports:
            - containerPort: 80
          imagePullPolicy: Always  # field this policy requires

Risk acceptance

Use the annotation securitytower.io/policy.exclusion.enforceimagepullpolicyalways as in the example below.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: your-deployment
  annotations:
    securitytower.io/policy.exclusion.enforceimagepullpolicyalways: |-
      These containers can safely run with pre-pulled images.
...
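The check this policy performs, written out as an added example (not Security Tower's own checker): a small Python audit over the JSON that `kubectl get <kind> -o json` prints. It covers the kinds listed under Applies to (including initContainers), applies the kubelet's defaulting rule when the field is omitted (a :latest or untagged image defaults to Always; any other tag, or a digest reference, defaults to IfNotPresent), and skips objects that carry the exclusion annotation. The workload objects below are constructed inline for the demonstration, and the function names are assumptions of this example.

```python
"""Audit Kubernetes workload objects for imagePullPolicy: Always.

Added example, not Security Tower's own code. Input is the JSON that
`kubectl get <kind> -o json` prints (a single object or a List).
"""
import json

EXCLUSION_ANNOTATION = "securitytower.io/policy.exclusion.enforceimagepullpolicyalways"

# Where each supported kind keeps its PodSpec (the kinds under "Applies to").
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "ReplicaSet": ("spec", "template", "spec"),
    "ReplicationController": ("spec", "template", "spec"),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def pod_spec(obj):
    """Return the PodSpec dict of a workload object, or None for unsupported kinds."""
    path = POD_SPEC_PATHS.get(obj.get("kind"))
    if path is None:
        return None
    node = obj
    for key in path:
        node = node.get(key, {}) or {}
    return node


def effective_pull_policy(container):
    """Pull policy the kubelet will use: an explicit value wins; otherwise
    :latest or an untagged image means Always, while any other tag or a
    digest-pinned reference means IfNotPresent."""
    explicit = container.get("imagePullPolicy")
    if explicit:
        return explicit
    image = container.get("image", "")
    if "@" in image:                       # digest reference
        return "IfNotPresent"
    last = image.rsplit("/", 1)[-1]        # strip registry/repo, which may hold a port
    tag = last.split(":", 1)[1] if ":" in last else ""
    return "Always" if tag in ("", "latest") else "IfNotPresent"


def violations(obj):
    """List (container name, effective policy) for every container that will
    not always pull; empty when the object carries the exclusion annotation."""
    annotations = obj.get("metadata", {}).get("annotations") or {}
    if EXCLUSION_ANNOTATION in annotations:
        return []
    spec = pod_spec(obj)
    if spec is None:
        return []
    found = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        policy = effective_pull_policy(c)
        if policy != "Always":
            found.append((c.get("name"), policy))
    return found


def audit(json_text):
    """Map 'Kind/name' to its violations for a kubectl JSON document."""
    doc = json.loads(json_text)
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    return {
        f"{o.get('kind')}/{o.get('metadata', {}).get('name')}": violations(o)
        for o in items
    }


# Constructed sample input: the page's Deployment without the field, a CronJob
# whose init container opts out, and a Pod excluded via the annotation.
SAMPLE = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "Deployment", "metadata": {"name": "nginx-deployment"},
         "spec": {"template": {"spec": {"containers": [
             {"name": "nginx", "image": "nginx:1.14.2"}]}}}},
        {"kind": "CronJob", "metadata": {"name": "backup"},
         "spec": {"jobTemplate": {"spec": {"template": {"spec": {
             "initContainers": [{"name": "init", "image": "busybox",
                                 "imagePullPolicy": "IfNotPresent"}],
             "containers": [{"name": "dump",
                             "image": "registry.example:5000/dump:latest"}]}}}}}},
        {"kind": "Pod", "metadata": {"name": "excluded", "annotations": {
             EXCLUSION_ANNOTATION: "These containers can safely run with pre-pulled images."}},
         "spec": {"containers": [{"name": "app", "image": "app@sha256:" + "0" * 64}]}},
    ],
})

if __name__ == "__main__":
    for key, bad in audit(SAMPLE).items():
        status = "OK" if not bad else ", ".join(f"{n}={p}" for n, p in bad)
        print(f"{key}: {status}")
```

Run it against a live cluster with `kubectl get deploy,sts,ds,job,cronjob,pod -A -o json | python audit.py` after swapping SAMPLE for `sys.stdin.read()`; the defaulting rule matters because a container with no imagePullPolicy and a fixed tag like nginx:1.14.2 silently runs as IfNotPresent.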