
Govern Pulling Container Images with a Policy


Overview

By default, Magalix KubeAdvisor ships with a governance policy that detects whether the imagePullPolicy key is set. We won’t tell you which value is best for your environment, but as a best practice we recommend setting it to one of the allowed values. If your teams or organization have an opinion on which policy should be set, you can also create your own policies to govern your own house rules!

How Magalix Helps

Issues Dashboard

To locate any violations concerning this policy, navigate to your cluster in the Magalix console and click Issues. On the top half of the page you’ll notice donut graphs highlighting the total number of violations against the total number of governance policies, or as we call them, Advisors.

As you scroll down the page, locate the image_pull_enforce issue. In our example, you’ll see that 1 of 1 entities checked against this advisor are in violation.

Issues Page

After clicking on image_pull_enforce, you’ll notice another set of charts and graphs. These represent how many entities are out of compliance, along with a description of the Advisor. Towards the bottom of the page, you will see all the violations.

After clicking on an entity, you can see the full breakdown of the violation and our recommendation on how to resolve the issue.

Recommendation Page

1. Image_pull_enforce

At the top of the page you will see which policy has been violated, along with the entity type.

2. Description

This gives you a brief overview of what the policy is about.

3. Evidence

As a part of the violation, Magalix KubeAdvisor displays in its entirety where the problem resides so you can investigate the problem. In our case, the storage-provisioner doesn’t have the imagePullPolicy in a location we are expecting.

4. Resolution

Based on this resolution, it looks like we need to add imagePullPolicy to the pod spec template.

5. History

At the bottom, we also show you how long this entity has been in violation, giving you some insight into whether or not any new issues are a result of this violation.
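The kind of check this advisor describes can be reproduced locally against a manifest before it reaches the cluster. The following is an added example, not Magalix's policy code: the function names and the sample Deployment are hypothetical, and it goes slightly beyond the page by also covering initContainers and CronJobs and by reporting the pull policy Kubernetes applies implicitly when the key is omitted.

```python
ALLOWED = {"Always", "IfNotPresent", "Never"}  # values the Kubernetes API accepts

def pod_spec(obj):
    """Locate the pod spec for common workload kinds."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "Pod":
        return spec
    if obj.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})

def implicit_policy(image):
    """Policy Kubernetes applies when imagePullPolicy is omitted."""
    if "@" in image:  # image pinned by digest
        return "IfNotPresent"
    tag = image.rsplit("/", 1)[-1].partition(":")[2]
    return "Always" if tag in ("", "latest") else "IfNotPresent"

def check_image_pull_policy(obj):
    """Return one finding per container whose imagePullPolicy is unset or invalid."""
    findings = []
    name = f'{obj.get("kind")}/{obj.get("metadata", {}).get("name")}'
    for group in ("initContainers", "containers"):
        for c in pod_spec(obj).get(group, []):
            policy = c.get("imagePullPolicy")
            if policy in ALLOWED:
                continue
            findings.append({
                "workload": name,
                "container": c.get("name"),
                "problem": "missing" if policy is None else f"invalid value {policy!r}",
                "implicit": implicit_policy(c.get("image", "")) if policy is None else None,
            })
    return findings

# Constructed sample manifest (hypothetical, not taken from the page).
SAMPLE = {
    "kind": "Deployment",
    "metadata": {"name": "demo-app"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "init", "image": "registry.example:5000/init"}],
        "containers": [
            {"name": "web", "image": "example/web:1.4.2"},
            {"name": "sidecar", "image": "example/proxy:latest", "imagePullPolicy": "IfNotPresent"},
            {"name": "worker", "image": "example/worker:2.0", "imagePullPolicy": "always"},
        ],
    }}},
}

if __name__ == "__main__":
    for finding in check_image_pull_policy(SAMPLE):
        print(finding)
```

The `implicit` field shows why an unset key matters: the untagged init image would be pulled on every start, while `web:1.4.2` would reuse whatever copy is already on the node.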

Conclusion

Setting up an imagePullPolicy is a simple, yet effective way to ensure you are in control of your image pull behavior. Understanding the different options might be the difference between pulling a new version of your container with a static tag, or using an existing image already baked onto your node.

Whatever your situation, ensure the value you set matches your tagging strategy for predictable outcomes. You don’t want to be in a situation where it’s 2:42 AM and your on-call alerting system goes into a frenzy, all because you didn’t set one line in your deployment manifest. That surely won’t be a comfortable post-mortem!

Finally, we recommend coupling this policy with our image_tag_enforce policy since the two are closely related. You can check out our other policies to see what out-of-the-box governance you can apply with Magalix KubeAdvisor.

