Image Pull Policy Of The Container Is Not Set To Always

• Query id: caa3479d-885d-4882-9aac-95e5e78ef5c2
• Query name: Image Pull Policy Of The Container Is Not Set To Always
• Platform: Kubernetes
• Severity: Low
• Category: Insecure Configurations
• URL: Github

Description

Image Pull Policy of the container must be defined and set to Always
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

apiVersion: v1
kind: Pod
metadata:
  name: private-image-test-always
spec:
  containers:
    - name: uses-private-image
      image: $PRIVATE_IMAGE_NAME:1.2
      imagePullPolicy: Never
      command: [ "echo", "SUCCESS" ]

Positive test num. 2 - yaml file

apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-with-image-pull-policy
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: library/nginx:1.20.0
          imagePullPolicy: IfNotPresent

Positive test num. 3 - yaml file

apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-with-image-pull-policy1
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: library/nginx:1.20.0

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

apiVersion: v1
kind: Pod
metadata:
  name: private-image-test-1
spec:
  containers:
    - name: uses-private-image
      image: $PRIVATE_IMAGE_NAME
      imagePullPolicy: Always
      command: [ "echo", "SUCCESS" ]