{"id":265800,"date":"2021-06-03T19:00:32","date_gmt":"2021-06-03T16:00:32","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/understanding-kubernetes-image-pull-policies-cloudsavvy-it\/"},"modified":"2021-06-03T19:00:32","modified_gmt":"2021-06-03T16:00:32","slug":"understanding-kubernetes-image-pull-policies-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/understanding-kubernetes-image-pull-policies-cloudsavvy-it\/","title":{"rendered":"#Understanding Kubernetes Image Pull Policies \u2013 CloudSavvy IT"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_84 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<label for=\"ez-toc-cssicon-toggle-item-6a2b08e46714d\" class=\"ez-toc-cssicon-toggle-label\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #dd3333;color:#dd3333\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #dd3333;color:#dd3333\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input type=\"checkbox\"  id=\"ez-toc-cssicon-toggle-item-6a2b08e46714d\" checked aria-label=\"Toggle\" \/><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/buradabiliyorum.com\/en\/understanding-kubernetes-image-pull-policies-cloudsavvy-it\/#The_Default_Behaviour\" >The Default Behaviour<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/buradabiliyorum.com\/en\/understanding-kubernetes-image-pull-policies-cloudsavvy-it\/#Making_Kubelet_Always_Pull\" >Making Kubelet Always Pull<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/buradabiliyorum.com\/en\/understanding-kubernetes-image-pull-policies-cloudsavvy-it\/#Banning_Automatic_Pulls\" >Banning Automatic Pulls<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/buradabiliyorum.com\/en\/understanding-kubernetes-image-pull-policies-cloudsavvy-it\/#Pull_Policies_and_Caching\" >Pull Policies and Caching<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/buradabiliyorum.com\/en\/understanding-kubernetes-image-pull-policies-cloudsavvy-it\/#Summary\" >Summary<\/a><\/li><\/ul><\/nav><\/div>\n<p><strong>&#8220;#Understanding Kubernetes Image Pull Policies \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage aligncenter size-full wp-image-9632\" data-pagespeed-lazy-src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/02\/748108a6.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Graphic showing the Kubernetes logo\" width=\"1602\" height=\"902\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Kubernetes image pull policies control when Kubelet should fetch an updated image version. Pull policies are used when a new Pod is starting up. Kubelet will take the <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/download-scripts-themes-apps\/\" data-internallinksmanager029f6b8e52c=\"9\" title=\"Download Scripts &amp; Themes &amp; Apps\" target=\"_blank\" rel=\"noopener\">app<\/a>ropriate action indicated by the Pod\u2019s policy.<\/p>\n<h2 id=\"the-default-behaviour\"><span class=\"ez-toc-section\" id=\"The_Default_Behaviour\"><\/span>The Default Behaviour<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>You don\u2019t have to specify an image pull policy. When a Pod lacks a policy, Kubernetes will infer your intentions from the image\u2019s tag. If you\u2019ve supplied a specific tag (such as <code>my-image:my-release<\/code>), the image will only be pulled if the tag doesn\u2019t already exist on the Kubelet node. This policy is called <code>IfNotPresent<\/code>.<\/p>\n<p>When no tag is specified, or you\u2019re using the <code>latest<\/code> tag, the image will <em>always<\/em> be pulled. Kubernetes will fetch the image\u2019s manifest every time a new Pod starts. If the manifest indicates a change, the updated image will be pulled before the containers are created.<\/p>\n<p>Kubernetes will never modify <code>imagePullPolicy<\/code> as a consequence of another action. Editing a Pod\u2019s <code>image<\/code> will <em>not<\/em> trigger Kubernetes to re-evaluate the default pull policy. That means that if you start with <code>my-image:latest<\/code> but later update the Pod to <code>my-image:my-release<\/code>, the image pull policy will still be <code>IfNotPresent<\/code>. You should manually specify a new policy if one is desired.<\/p>\n<h2 id=\"making-kubelet-always-pull\"><span class=\"ez-toc-section\" id=\"Making_Kubelet_Always_Pull\"><\/span>Making Kubelet Always Pull<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>You\u2019ll need to apply an image pull policy to force Kubelet to always attempt a pull. Set <code>imagePullPolicy: Always<\/code> on a Pod to enable this behaviour.<\/p>\n<div class=\"wp-geshi-highlight-wrap5\">\n<div class=\"wp-geshi-highlight-wrap4\">\n<div class=\"wp-geshi-highlight-wrap3\">\n<div class=\"wp-geshi-highlight-wrap2\">\n<div class=\"wp-geshi-highlight-wrap\">\n<div class=\"wp-geshi-highlight\">\n<div class=\"yaml\">\n<pre class=\"de1\"><span class=\"co4\">spec<\/span>:<span class=\"co4\">\n  containers<\/span>:<span class=\"co3\">\n      - name<\/span><span class=\"sy2\">: <\/span>my-container<span class=\"co3\">\n        image<\/span><span class=\"sy2\">: <\/span>my-image:my-release<span class=\"co3\">\n        imagePullPolicy<\/span><span class=\"sy2\">: <\/span>Always<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>New image versions will be pulled whenever a Pod starts and the image\u2019s manifest digest has changed. A locally cached version of the image will still be reused if the digest hasn\u2019t changed. This avoids unnecessary downloads over the network. Docker <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/docs.docker.com\/engine\/reference\/commandline\/images\">digests are immutable references<\/a> that uniquely identify images without a name or tag.<\/p>\n<p>Forced pulls are useful when you want to distribute new versions of your image using the same tag. This might be the case when you tag images using the branch name they\u2019ve been built from. Without the <code>Always<\/code> policy, Kubernetes would never pull your new image releases if the tag was already available locally.<\/p>\n<h2 id=\"banning-automatic-pulls\"><span class=\"ez-toc-section\" id=\"Banning_Automatic_Pulls\"><\/span>Banning Automatic Pulls<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>All the policies which permit image pulls will fetch new versions of your locally cached tags. Use an image digest as your Pod\u2019s <code>image<\/code> field if you want a container to stick with an exact image version each time it starts.<\/p>\n<p>There are scenarios where you might not want to Kubernetes to pull images at all. Setting the <code>Never<\/code> policy will prevent Kubelet\u2019s automatic pulls. This policy won\u2019t check for updates at all \u2013 the registry\u2019s manifest version will not be fetched.<\/p>\n<p>You\u2019ll need an alternative way of getting images to your nodes if you use <code>Never<\/code>. Each image will need to exist locally before you try to start your Pods. Otherwise, Kubernetes won\u2019t be able to run the Pod\u2019s containers.<\/p>\n<p>This acts as a protection mechanism when you\u2019re using a standalone image pull mechanism. You won\u2019t want Kubernetes to inadvertently attempt an automatic fetch in the event a pull fails. It could lead to the loss of images that are already locally cached.<\/p>\n<h2 id=\"pull-policies-and-caching\"><span class=\"ez-toc-section\" id=\"Pull_Policies_and_Caching\"><\/span>Pull Policies and Caching<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Your selected pull policy <a>shouldn\u2019t significantly impact<\/a> performance. As long as your image provider supports layer caching, Kubelet will only need to pull the genuinely new layers in each image.<\/p>\n<p>The <code>Always<\/code> policy does add a network call each time you start a new Pod. It only needs to check the image digest so this should be practically instantaneous. If the digest doesn\u2019t match the locally cached version, then the new image layers will be pulled from the registry. The most significant performance overhead is the actual network transfer of those layers, followed by their subsequent decompression.<\/p>\n<h2 id=\"summary\"><span class=\"ez-toc-section\" id=\"Summary\"><\/span>Summary<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Kubernetes supports several behaviour models for image pulls. Images are handled by Kubelet and will be fetched whenever a Pod starts. The default policy will pull the image if the tag doesn\u2019t already exist locally. If the image is untagged, or has <code>latest<\/code> as its tag, the <code>Always<\/code> policy will be used instead.<\/p>\n<p>Setting the <code>imagePullPolicy<\/code> in your Pod specs makes the selected policy explicit. This helps all contributors to understand the chosen behaviour, even if they\u2019re unfamiliar with the Kubernetes defaults. It\u2019s particularly important if you\u2019re using <code>latest<\/code> or untagged images, where Kubernetes applies special handling that could be confusing.<\/p>\n<p>Remember that image pull policies are always set per-Pod by default. If you want to use one policy for your entire cluster, you\u2019ll need to use a configuration validation tool to scan your Pod manifests. <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/zegl\/kube-score\">kube-score<\/a> is a static analysis tool for Kubernetes object manifests that includes an <code>imagePullPolicy<\/code> check in its default ruleset. Run <code>kube-score score my-manifest.yaml<\/code> as part of a CI pipeline to prevent the use of manifests that lack a defined policy.\n<\/div>\n<blockquote><p><strong><span style=\"color: #ff6600;\">If you liked the article, do not forget to share it with your friends. Follow us on\u00a0<span style=\"color: #ff0000;\"><a style=\"color: #ff0000;\" href=\"https:\/\/news.google.com\/publications\/CAAqBwgKMLG0nwswvr63Aw\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Google News<\/a><\/span>\u00a0too, click on the star and choose us from your favorites.<\/span><\/strong><\/p><\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\">For forums sites go to <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/forum.buradabiliyorum.com\/\" target=\"_blank\" rel=\"noopener\">Forum.BuradaBiliyorum.Com<\/a><\/span><\/strong><\/p>\n<\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\"><strong>If you want to read more like this article, you can visit our <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/en.buradabiliyorum.com\/technology\/\" target=\"_blank\" rel=\"noopener\">Technology category.<\/a><\/span><\/strong><\/p>\n<\/blockquote>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/11463\/understanding-kubernetes-image-pull-policies\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#Understanding Kubernetes Image Pull Policies \u2013 CloudSavvy IT&#8221; Kubernetes image pull policies control when Kubelet should fetch an updated image version. Pull policies are used when a new Pod is starting up. Kubelet will take the appropriate action indicated by the Pod\u2019s policy. The Default Behaviour You don\u2019t have to specify an image pull policy&#8230;.<\/p>\n","protected":false},"author":1,"featured_media":265801,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/02\/748108a6.jpg","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-265800","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/265800","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=265800"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/265800\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/265801"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=265800"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=265800"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=265800"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}