
Always Pull Images

By default, images that have already been pulled to a node can be used by other Pods without re-pulling them if the name and tag are known. In multi-tenant scenarios, this may be undesirable. This policy mutates all incoming Pods to set the imagePullPolicy of their containers to Always. It is an alternative to the Kubernetes admission controller AlwaysPullImages.

Policy Definition

/other/always-pull-images/always-pull-images.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: always-pull-images
  annotations:
    policies.kyverno.io/title: Always Pull Images
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      By default, images that have already been pulled can be accessed by other
      Pods without re-pulling them if the name and tag are known. In multi-tenant scenarios,
      this may be undesirable. This policy mutates all incoming Pods to set their
      imagePullPolicy to Always. An alternative to the Kubernetes admission controller
      AlwaysPullImages.
spec:
  rules:
  - name: always-pull-images
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        spec:
          containers:
          - (name): "?*"
            imagePullPolicy: Always
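
The patch in this policy lists only spec.containers. As an added example (not part of the Kyverno policy library and not Kyverno's own engine), the Python check below emulates that patch on a constructed Pod and reports every container, including init and ephemeral containers, whose imagePullPolicy is still not Always. The sample Pod, the registry name and the function names are assumptions made for illustration.

```python
from copy import deepcopy
from fnmatch import fnmatchcase

# Constructed sample Pod (not from the original page).
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "tenant-a-app"},
    "spec": {
        "initContainers": [
            {"name": "migrate", "image": "registry.example/private/migrate:1.4",
             "imagePullPolicy": "IfNotPresent"},
        ],
        "containers": [
            {"name": "app", "image": "registry.example/private/app:2.0",
             "imagePullPolicy": "IfNotPresent"},
            {"name": "sidecar", "image": "registry.example/private/proxy:1.1",
             "imagePullPolicy": "Never"},
        ],
    },
}

def apply_policy_patch(pod):
    """Emulate the page's patch: for each entry of spec.containers whose
    name matches the anchor pattern "?*" (any non-empty name), set
    imagePullPolicy to Always. Other container lists are left as they are."""
    patched = deepcopy(pod)
    for c in patched.get("spec", {}).get("containers", []):
        if fnmatchcase(c.get("name", ""), "?*"):
            c["imagePullPolicy"] = "Always"
    return patched

def not_always(pod):
    """Return (list, name, policy) for every container that could still
    start from a node-cached image. An unset policy is reported too."""
    out = []
    for field in ("containers", "initContainers", "ephemeralContainers"):
        for c in pod.get("spec", {}).get(field, []):
            policy = c.get("imagePullPolicy")
            if policy != "Always":
                out.append((field, c.get("name"), policy))
    return out

if __name__ == "__main__":
    print("before:", not_always(SAMPLE_POD))
    print("after: ", not_always(apply_policy_patch(SAMPLE_POD)))
```

On the sample Pod, both regular containers are rewritten to Always while the init container keeps IfNotPresent, so a multi-tenant cluster that relies on this policy should check whether init and ephemeral containers need the same treatment.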