By default, Magalix KubeAdvisor ships with a governance policy that detects whether or not the imagePullPolicy key is set. We won’t tell you which value is best for your environment, but we recommend as a best practice to have it set to one of the allowed values. If your teams or organization are opinionated on which policy should be set, you can also create your own policies to govern your own house rules!
To locate any violations concerning this policy, navigate to your cluster in the Magalix console and click Issues. On the top half of the page you’ll notice donut graphs highlighting the total number of violations against the total number of governance policies, or as we call them, Advisors.
As you scroll down the page, locate the image_pull_enforce issue. In our example, you’ll see that 1 of 1 entities checked against this advisor are in violation.
After clicking on image_pull_enforce, you’ll notice another set of charts and graphs. These represent how many entities are out of compliance, along with a description of the Advisor. Towards the bottom of the page, you will see all the violations.
After clicking on an entity, you can see the full breakdown of the violation and our recommendation on how to resolve the issue.
At the top of the page you will see which policy has been violated, along with the entity type.
This gives you a brief overview of what the policy is about.
As a part of the violation, Magalix KubeAdvisor displays in its entirety where the problem resides so you can investigate the problem. In our case, the storage-provisioner doesn’t have the imagePullPolicy in a location we are expecting.
Based on this resolution, it looks like we need to add imagePullPolicy to the pod spec template.
At the bottom, we also show you how long this entity has been in violation, giving you some insight into whether or not any new issues are a result of this violation.
Setting up an imagePullPolicy is a simple, yet effective way to ensure you are in control of your image pull behavior. Understanding the different options might be the difference between pulling a new version of your container with a static tag, or using an existing image already baked onto your node.
Whatever your situation, ensure the value you set matches your tagging strategy for predictable outcomes. You don’t want to be in a situation when it’s 2:42 AM and your on-call alerting system goes into a frenzy all because you didn’t set one line in your deployment manifest. That surely won’t be a comfortable post-mortem!
Finally, we recommend coupling this policy with our image_tag_enforce policy since the two are closely related. You can check out our other policies to see what out-of-the-box governance you can apply with Magalix KubeAdvisor.
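As an added illustration of what the image_pull_enforce check does (this is our own example, not Magalix's policy code), the script below walks the pod spec template of a constructed Deployment, reports each container that omits imagePullPolicy or sets it to an unknown value, and states the policy the kubelet would apply implicitly for that image reference, which is exactly where a mismatch with your tagging strategy bites. Container names and the registry.example image paths are made up for the sample.

```python
# Constructed check, not Magalix's policy code. Kubernetes defaults to
# Always when the tag is :latest or omitted, and to IfNotPresent for any
# other tag or for a digest reference; that implicit choice is reported.

ALLOWED = {"Always", "IfNotPresent", "Never"}


def implicit_pull_policy(image: str) -> str:
    """Policy the kubelet applies when imagePullPolicy is omitted."""
    name = image.rsplit("/", 1)[-1]  # drop registry/path (may contain ':port')
    if "@" in name:                   # pinned by digest
        return "IfNotPresent"
    if ":" not in name or name.endswith(":latest"):
        return "Always"
    return "IfNotPresent"


def pod_spec(manifest: dict) -> dict:
    """Return the pod spec of a bare Pod or of a templated workload."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def check_image_pull_policy(manifest: dict) -> list:
    """Return (container, image, finding) for each violation."""
    findings = []
    spec = pod_spec(manifest)
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        policy = c.get("imagePullPolicy")
        if policy is None:
            why = f"missing; kubelet would use {implicit_pull_policy(c['image'])}"
            findings.append((c["name"], c["image"], why))
        elif policy not in ALLOWED:
            findings.append((c["name"], c["image"], f"invalid value {policy!r}"))
    return findings


# Constructed Deployment modelled on the storage-provisioner case above.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [
        {"name": "storage-provisioner", "image": "registry.example/provisioner:v5"},
        {"name": "log-shipper", "image": "registry.example/shipper:latest"},
        {"name": "metrics", "image": "registry.example/metrics:2.1",
         "imagePullPolicy": "Always"},
    ]}}},
}

if __name__ == "__main__":
    for name, image, why in check_image_pull_policy(SAMPLE_DEPLOYMENT):
        print(f"{name} ({image}): imagePullPolicy {why}")
```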