Always Pull Images

By default, images that have already been pulled can be accessed by other Pods without re-pulling them if the name and tag are known. In multi-tenant scenarios, this may be undesirable. This policy mutates all incoming Pods to set their imagePullPolicy to Always. An alternative to the Kubernetes admission controller AlwaysPullImages.

Policy Definition

/other/always-pull-images/always-pull-images.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: always-pull-images
 5  annotations:
 6    policies.kyverno.io/title: Always Pull Images
 7    policies.kyverno.io/category: Sample
 8    policies.kyverno.io/severity: medium
 9    policies.kyverno.io/subject: Pod
10    policies.kyverno.io/description: >-
11      By default, images that have already been pulled can be accessed by other
12      Pods without re-pulling them if the name and tag are known. In multi-tenant scenarios,
13      this may be undesirable. This policy mutates all incoming Pods to set their
14      imagePullPolicy to Always. An alternative to the Kubernetes admission controller
15      AlwaysPullImages.      
16spec:
17  rules:
18  - name: always-pull-images
19    match:
20      resources:
21        kinds:
22        - Pod
23    mutate:
24      patchStrategicMerge:
25        spec:
26          containers:
27          - (name): "?*"
28            imagePullPolicy: Always

Create policy issue