By default, Magalix KubeAdvisor ships with a governance policy that detects whether or not the imagePullPolicy key is set. We won’t tell you which value is best for your environment, but as a best practice we recommend setting it to one of the allowed values. If your teams or organization are opinionated about which policy should be set, you can also create your own policies to govern your own house rules!
To locate any violations concerning this policy, navigate to your cluster in the Magalix console and click Issues. On the top half of the page, you’ll notice donut graphs highlighting the total number of violations against the total number of governance policies, or as we call them, Advisors.
As you scroll down the page, locate the image_pull_enforce issue. In our example, you’ll see that 1 of 1 entities checked against this advisor are in violation.
After clicking on image_pull_enforce, you’ll notice another set of charts and graphs. These represent how many entities are out of compliance, along with a description of the Advisor. Towards the bottom of the page, you will see all the violations.
After clicking on an entity, you can see the full breakdown of the violation and our recommendation on how to resolve the issue.
At the top of the page you will see which policy has been violated, along with the entity type.
This gives you a brief overview of what the policy is about.
As a part of the violation, Magalix KubeAdvisor displays, in its entirety, where the problem resides so you can investigate it. In our case, the storage-provisioner doesn’t have the imagePullPolicy in a location we are expecting.
Based on this resolution, it looks like we need to add imagePullPolicy to the pod spec template.
At the bottom, we also show you how long this entity has been in violation, giving you some insight into whether or not any new issues are a result of this violation.
Setting up an imagePullPolicy is a simple, yet effective way to ensure you are in control of your image pull behavior. Understanding the different options might be the difference between pulling a new version of your container with a static tag, or using an existing image already baked onto your node.
Whatever your situation, ensure the value you set matches your tagging strategy for predictable outcomes. You don’t want to be in a situation where it’s 2:42 AM and your on-call alerting system goes into a frenzy, all because you didn’t set one line in your deployment manifest. That surely won’t be a comfortable post-mortem!
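As an added example (not Magalix's policy code and not part of the original article), the following offline check lists the containers in a Deployment's pod spec template whose imagePullPolicy is unset or outside the allowed values, and reports the policy Kubernetes applies by default when the key is unset. The manifest contents, image names and function names are constructed for illustration.

```python
import json

ALLOWED = {"Always", "IfNotPresent", "Never"}

# Constructed sample manifest (JSON form of a Deployment); images are made up.
MANIFEST = json.loads("""
{
  "kind": "Deployment",
  "metadata": {"name": "storage-provisioner"},
  "spec": {"template": {"spec": {
    "initContainers": [
      {"name": "init", "image": "registry.example:5000/tools/init",
       "imagePullPolicy": "Sometimes"}
    ],
    "containers": [
      {"name": "provisioner", "image": "example.io/storage-provisioner:v5"},
      {"name": "sidecar", "image": "example.io/sidecar:latest",
       "imagePullPolicy": "Always"}
    ]
  }}}
}
""")

def implicit_default(image):
    """Policy Kubernetes applies when imagePullPolicy is omitted."""
    if "@" in image:                      # image pinned by digest
        return "IfNotPresent"
    last = image.rsplit("/", 1)[-1]       # ignore a registry port such as :5000
    tag = last.split(":", 1)[1] if ":" in last else ""
    return "Always" if tag in ("", "latest") else "IfNotPresent"

def find_violations(manifest):
    """Return (container, problem) pairs for the pod spec template."""
    pod_spec = manifest["spec"]["template"]["spec"]
    out = []
    for key in ("initContainers", "containers"):
        for c in pod_spec.get(key, []):
            policy = c.get("imagePullPolicy")
            if policy is None:
                out.append((c["name"], "unset, defaults to " + implicit_default(c["image"])))
            elif policy not in ALLOWED:
                out.append((c["name"], "invalid value " + policy))
    return out

if __name__ == "__main__":
    for name, problem in find_violations(MANIFEST):
        print(f"{name}: imagePullPolicy {problem}")
```

The provisioner container here carries a static tag and no explicit policy, so a node that already holds an image under that tag keeps using it even if the tag has been re-pushed.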
Finally, we recommend coupling this policy with our image_tag_enforce policy since the two are closely related. You can check out our other policies to see what out-of-the-box governance you can apply with Magalix KubeAdvisor.