
Govern Pulling Container Images with a Policy

Kubernetes Governance Policies

Overview

By default, Magalix KubeAdvisor ships with a governance policy that detects whether or not the imagePullPolicy key is set. We won’t tell you which value is best for your environment, but as a best practice we recommend setting it explicitly to one of the allowed values. If your teams or organization are opinionated about which policy should be set, you can also create your own policies to govern your own house rules!

How Magalix Helps

Issues Dashboard

To locate any violations concerning this policy, navigate to your cluster in the Magalix console and click Issues.

On the top half of the page you’ll notice donut graphs highlighting the total number of violations against the total number of governance policies, or as we call them, Advisors.

As you scroll down the page, locate the image_pull_enforce issue. In our example, you’ll see that 1 of 1 entities checked against this advisor are in violation.

Issues Page

After clicking on image_pull_enforce, you’ll notice another set of charts and graphs. These represent how many entities are out of compliance, along with a description of the Advisor.

Towards the bottom of the page, you will see all the violations.

After clicking on an entity, you can see the full breakdown of the violation and our recommendation on how to resolve the issue.

Recommendation Page

1. image_pull_enforce

At the top of the page you will see which policy has been violated, along with the entity type.

2. Description

This gives you a brief overview of what the policy is about.

3. Evidence

As part of the violation, Magalix KubeAdvisor displays the full context of where the problem resides so you can investigate it. In our case, the storage-provisioner doesn’t have imagePullPolicy in the location we expect.

4. Resolution

Based on this resolution, we need to add imagePullPolicy to the pod spec template.

5. History

At the bottom, we also show you how long this entity has been in violation, giving you some insight into whether or not any new issues are a result of this violation.

Conclusion

Setting an imagePullPolicy is a simple yet effective way to ensure you are in control of your image pull behavior. Understanding the different options can be the difference between pulling a new version of your container under a static tag and using an existing image already cached on your node.

Whichever situation applies to you, ensure the value you set matches your tagging strategy so the outcome is predictable. You don’t want to be in a situation where it’s 2:42 AM and your on-call alerting system goes into a frenzy, all because you didn’t set one line in your deployment manifest. That surely won’t be a comfortable post-mortem!
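To make the check concrete, here is an added example (not Magalix's own policy code) that walks a workload manifest the way the image_pull_enforce advisor does, flags containers that omit imagePullPolicy or set a value outside the allowed set, and reports which default the kubelet would silently apply when the key is missing. The sample Deployment is constructed for illustration; only the name storage-provisioner is borrowed from the page.

```python
# Added example, not Magalix's policy code: audit imagePullPolicy in a manifest
# and surface the kubelet default that applies when the key is omitted.
ALLOWED_POLICIES = {"Always", "IfNotPresent", "Never"}


def default_pull_policy(image: str) -> str:
    """Policy the kubelet applies when imagePullPolicy is omitted: Always for
    :latest or an untagged image, IfNotPresent for any other tag or a digest."""
    ref = image.rsplit("/", 1)[-1]  # drop registry/path; the registry may carry a port
    if "@" in ref:                  # pinned by digest
        return "IfNotPresent"
    if ":" not in ref or ref.endswith(":latest"):
        return "Always"
    return "IfNotPresent"


def check_pull_policy(manifest: dict) -> list:
    """One finding per non-compliant container. Handles a Pod spec directly and
    the pod template of Deployments, StatefulSets, DaemonSets and Jobs."""
    spec = manifest.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)
    findings = []
    for field in ("initContainers", "containers"):
        for c in pod_spec.get(field, []):
            policy = c.get("imagePullPolicy")
            if policy in ALLOWED_POLICIES:
                continue
            findings.append({
                "container": c.get("name"),
                "image": c.get("image", ""),
                "found": policy,  # None when the key is missing entirely
                "effective": default_pull_policy(c.get("image", "")) if policy is None else None,
            })
    return findings

# Constructed sample Deployment: one container omits the key, one uses a
# value outside the allowed set, one is compliant.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "storage-provisioner"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "provisioner", "image": "registry.example:5000/provisioner:v1.2.0"},
        {"name": "sidecar", "image": "registry.example:5000/sidecar:latest", "imagePullPolicy": "always"},
        {"name": "metrics", "image": "registry.example:5000/metrics:v0.9", "imagePullPolicy": "IfNotPresent"},
    ]}}},
}

if __name__ == "__main__":
    for finding in check_pull_policy(SAMPLE_DEPLOYMENT):
        print(finding)
```

The "effective" field is what makes the finding actionable: a missing key on a static tag quietly means IfNotPresent, so a node keeps running whatever image it cached.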

Finally, we recommend coupling this policy with our image_tag_enforce policy since the two are closely related. You can check out our other policies to see what out-of-the-box governance you can apply with Magalix KubeAdvisor.
