Always Pull Images

By default, an image that has already been pulled can be used by other Pods without being pulled again, as long as its name and tag are known. In multi-tenant scenarios, this may be undesirable. This policy mutates all incoming Pods to set their imagePullPolicy to Always. It is an alternative to the Kubernetes AlwaysPullImages admission controller.

Policy Definition

/other/always-pull-images.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: always-pull-images
  annotations:
    policies.kyverno.io/title: Always Pull Images
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      By default, images that have already been pulled can be accessed by other
      Pods without re-pulling them if the name and tag are known. In multi-tenant scenarios,
      this may be undesirable. This policy mutates all incoming Pods to set their
      imagePullPolicy to Always. An alternative to the Kubernetes admission controller
      AlwaysPullImages.
spec:
  background: false
  rules:
  - name: always-pull-images
    match:
      resources:
        kinds:
        - Pod
    mutate:
      patchStrategicMerge:
        spec:
          containers:
          - (name): "?*"
            imagePullPolicy: Always
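
The rule above patches only spec.containers, so a check after rollout should look at every container list in the Pod spec. The following audit helper is an added example, not part of the Kyverno policy library: apply_rule is a simplified model of the rule's effect (not Kyverno's engine), and the sample Pod and all function names are constructed for illustration.

```python
import copy

# Pod spec fields that hold containers, each with its own imagePullPolicy.
CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")

def apply_rule(pod):
    """Model the rule's effect: every spec.containers entry with a
    non-empty name gets imagePullPolicy: Always."""
    mutated = copy.deepcopy(pod)
    for c in mutated.get("spec", {}).get("containers") or []:
        if c.get("name"):  # (name): "?*" matches any name of one or more characters
            c["imagePullPolicy"] = "Always"
    return mutated

def not_always(pod):
    """Return (field, container name, policy) for each container in the
    Pod whose imagePullPolicy is not Always (None means unset)."""
    findings = []
    spec = pod.get("spec", {})
    for field in CONTAINER_FIELDS:
        for c in spec.get(field) or []:
            policy = c.get("imagePullPolicy")
            if policy != "Always":
                findings.append((field, c.get("name"), policy))
    return findings

def audit_pod_list(pod_list):
    """Audit parsed `kubectl get pods -A -o json` output; returns a dict of
    'namespace/name' -> findings for Pods with at least one finding."""
    report = {}
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        findings = not_always(pod)
        if findings:
            report[f"{meta.get('namespace')}/{meta.get('name')}"] = findings
    return report

# Constructed sample Pod, as it might be submitted before admission.
SAMPLE_POD = {
    "metadata": {"name": "billing", "namespace": "tenant-a"},
    "spec": {
        "initContainers": [{"name": "migrate", "image": "registry.example/db-migrate:1.4",
                            "imagePullPolicy": "IfNotPresent"}],
        "containers": [{"name": "app", "image": "registry.example/billing:2.0",
                        "imagePullPolicy": "IfNotPresent"},
                       {"name": "sidecar", "image": "registry.example/proxy:1.1"}],
    },
}

if __name__ == "__main__":
    print("before:", not_always(SAMPLE_POD))
    print("after: ", not_always(apply_rule(SAMPLE_POD)))
```

On the sample, the only finding left after the modeled mutation is the init container, which is the case to look for when verifying coverage in a cluster.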