Getting started with Kubernetes can seem a bit overwhelming because, while it offers a great deal of flexibility and scalability, those benefits come with complexity. Getting started with some basic Kubernetes tutorials can help ensure that you don’t make some of the most common mistakes. One of the Kubernetes best practices that we follow at Fairwinds is setting the imagePullPolicy to “Always.”
It may seem faster and easier to use cached versions of your images. Not checking for an updated version saves time, and you may think that there is no risk sticking with what worked before. After all, how often could images need to be updated? More often than you might think. Vulnerabilities are introduced, discovered, and disclosed every day. And the cached version of the image you are using might be days, weeks, or even months out of date.
When you rely on cached versions of a doc or image, those older versions can introduce security vulnerabilities into your environment, because Kubernetes will automatically try to use the cached version of an image without verifying where it came from or whether it needs to be updated. The vulnerabilities may come from insecure libraries or other dependencies that have been imported into a container image. Those vulnerabilities can then pose a risk to the rest of your environment.
Kubelet is a process that runs on every node of a Kubernetes cluster. It creates, destroys, and updates pods and their containers on a node when instructed. The kubelet manages containers that were created by Kubernetes and follows a set of PodSpecs, which are a YAML or JSON object that describe a pod. Basically, the kubelet makes sure that the containers described in the PodSpecs are running and healthy. When kubelet needs to create a new container, it references the PodSpec to determine how to do that.
Kubernetes has three imagePullPolicy options:
When imagePullPolicy is set to Always, Kubernetes always pulls the image from the repository
When imagePullPolicy is set to IfNotPresent, Kubernetes only pulls the image if it does not already exist on the node, but it will run any image you place on the node
When imagePullPolicy is set to Never, Kubernetes does not pull the image; however, if the image is present locally, kubelet will try to start the container
The policy options are all efficient ways for Kubernetes to determine whether you want to pull a policy. If you have the imagePullPolicy set to “Always” and the kubelet has a container image with an identical digest cached locally, it uses the cached image to create a new container. Otherwise, the kubelet downloads the image with the resolved digest, using that image to launch the container. Please note that setting the imagePullPolicy to “Always” doesn’t bypass the local container caching mechanisms. It simply verifies that the image in the cache matches the upstream source. This means there are almost no downsides to this configuration.
If you are trying to figure out what containers are running in your cluster and what versions of each container are running, Nova is an open source tool that will show you the current installed version, whether it is old, the latest major version, the latest minor version, and the latest patch version.
You may be wondering how to even tell what your imagePullPolicy settings are.
To check the imagePullPolicy settings for a container, you can use the Docker command line; run the command `docker inspect [container-name]`, which shows you the container configuration
In the configuration, you can see the "ImagePullPolicy" setting, which shows you the policy for the container
If you want to change the image pull policy for a container, you can use the `docker run` command, which allows you to set a specific policy when starting the container
If you don’t want to check each container’s imagePullPolicy settings, you can use Kubernetes governance software like Fairwinds Insights to automatically check the policy for you. Since it is a Kubernetes best practice, it’s already built into Insights to make it easy for you to review. Fairwinds Insights triggers a warning when this tag isn’t specified or if it isn’t set to “Always” so you can easily fix the manifest. You can find additional information about imagePullPolicy being set to always within Insights under Action Items.
If you’ve read this and see the technical value of being able to check imagePullPolicy across multiple clusters and teams, consider the business benefits as well. Teams need to ensure security. Ensuring you are using images without vulnerabilities, helps to protect against insecure and unreliable applications.
Walk through a quick tutorial on how to set imagePullPolicy to “Always” using Fairwinds Insights.
