
Govern Pulling Container Images with a Policy



By default, Magalix KubeAdvisor ships with a governance policy that detects whether or not the imagePullPolicy key is set. We won’t tell you which value is best for your environment, but as a best practice we recommend setting it to one of the allowed values. If your teams or organization have an opinion on which policy should be set, you can also create your own policies to govern your own house rules!
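A minimal sketch of the kind of check described above, added here as an example; it is not Magalix's policy code. It reads manifests in JSON form, and the sample manifests, resource names and the `scan` helper are constructed for illustration.

```python
import json

# The three values Kubernetes accepts for imagePullPolicy (case-sensitive).
ALLOWED = {"Always", "IfNotPresent", "Never"}

def pod_spec(manifest):
    """Find the pod spec in a bare Pod, a templated workload, or a CronJob."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    if manifest.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})

def pull_policy_violations(manifest, allowed=ALLOWED):
    """Return (resource, container, image, problem) for each offending container."""
    resource = f'{manifest.get("kind")}/{manifest.get("metadata", {}).get("name")}'
    found = []
    for field in ("initContainers", "containers"):
        for c in pod_spec(manifest).get(field, []):
            policy = c.get("imagePullPolicy")
            if policy is None:
                problem = "imagePullPolicy not set"
            elif policy not in allowed:
                problem = f"imagePullPolicy {policy!r} not allowed"
            else:
                continue
            found.append((resource, c.get("name"), c.get("image"), problem))
    return found

# Constructed sample manifests, not taken from a real cluster.
SAMPLES = json.loads("""[
 {"kind": "Pod", "metadata": {"name": "example-provisioner"},
  "spec": {"containers": [{"name": "provisioner", "image": "registry.example/provisioner:v1"}]}},
 {"kind": "Deployment", "metadata": {"name": "web"},
  "spec": {"template": {"spec": {
    "initContainers": [{"name": "migrate", "image": "registry.example/migrate:1.4", "imagePullPolicy": "IfNotPresent"}],
    "containers": [{"name": "app", "image": "registry.example/web:1.4", "imagePullPolicy": "Always"},
                   {"name": "sidecar", "image": "registry.example/proxy:latest", "imagePullPolicy": "always"}]}}}}
]""")

def scan(manifests, allowed=ALLOWED):
    return [v for m in manifests for v in pull_policy_violations(m, allowed)]

if __name__ == "__main__":
    for v in scan(SAMPLES):
        print(*v, sep="  ")
    # A stricter house rule: only "Always" is permitted.
    for v in scan(SAMPLES, allowed={"Always"}):
        print("strict:", *v, sep="  ")
```

Run a check like this against manifests as they are written in source control: objects read back from the API server already carry a defaulted imagePullPolicy.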

How Magalix Helps

Issues Dashboard

To locate any violations concerning this policy, navigate to your cluster in the Magalix console and click Issues.

On the top half of the page you’ll notice donut graphs highlighting the total number of violations against the total number of governance policies, or as we call them, Advisors.

As you scroll down the page, locate the image_pull_enforce issue. In our example, you’ll see that 1 of 1 entities checked against this advisor are in violation.

Issues Page

After clicking on image_pull_enforce, you’ll notice another set of charts and graphs. These represent how many entities are out of compliance, along with a description of the Advisor.

Towards the bottom of the page, you will see all the violations.

After clicking on an entity, you can see the full breakdown of the violation and our recommendation on how to resolve the issue.

Recommendation Page


1. Image_pull_enforce

At the top of the page you will see which policy has been violated, along with the entity type.

2. Description

This gives you a brief overview of what the policy is about.

3. Evidence

As a part of the violation, Magalix KubeAdvisor displays in its entirety where the problem resides so you can investigate the problem. In our case, the storage-provisioner doesn’t have the imagePullPolicy in a location we are expecting.

4. Resolution

Based on this resolution, it looks like we need to add imagePullPolicy to the pod spec template.

5. History

At the bottom, we also show you how long this entity has been in violation, giving you some insight into whether or not any new issues are a result of this violation.


Setting up an imagePullPolicy is a simple, yet effective way to ensure you are in control of your image pull behavior. Understanding the different options might be the difference between pulling a new version of your container with a static tag, or using an existing image already baked onto your node.

Whatever your situation, ensure the value you set matches your tagging strategy for predictable outcomes. You don’t want to be in a situation where it’s 2:42 AM and your on-call alerting system goes into a frenzy, all because you didn’t set one line in your deployment manifest. That surely won’t be a comfortable post-mortem!

Finally, we recommend coupling this policy with our image_tag_enforce policy since the two are closely related. You can check out our other policies to see what out-of-the-box governance you can apply with Magalix KubeAdvisor.
