From 4e290e192dd07d780672ab7747c203ce52fc8251 Mon Sep 17 00:00:00 2001 From: Robert Brennan Date: Wed, 22 Jul 2020 13:48:30 -0400 Subject: [PATCH] Update config.yaml (#378) * Update config.yaml * Update config-full.yaml * update docs --- docs/check-documentation/images.md | 2 +- examples/config-full.yaml | 2 +- examples/config.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/check-documentation/images.md b/docs/check-documentation/images.md index 54559429..fc253f53 100644 --- a/docs/check-documentation/images.md +++ b/docs/check-documentation/images.md 
@@ -11,7 +11,7 @@ key | default | description Docker's `latest` tag is applied by default to images where a tag hasn't been specified. Not specifying a specific version of an image can lead to a wide variety of problems. The underlying image could include unexpected breaking changes that break your application whenever the latest image is pulled. Reusing the same tag for multiple versions of an image can lead to different nodes in the same cluster having different versions of an image, even if the tag is identical. -Related to that, relying on cached versions of a Docker image can become a security vulnerability. By default, an image will be pulled if it isn't already cached on the node attempting to run it. This can result in variations in images that are running per node, or potentially provide a way to gain access to an image without having direct access to the ImagePullSecret. With that in mind, it's often better to ensure the a pod has `pullPolicy: Always` specified, so images are always pulled directly from their source. This is not a check enabled by default with Polaris as organizations may not wish to add the overhead involved with pulling images for each pod. +Related to that, relying on cached versions of a Docker image can become a security vulnerability. By default, an image will be pulled if it isn't already cached on the node attempting to run it. This can result in variations in images that are running per node, or potentially provide a way to gain access to an image without having direct access to the ImagePullSecret. With that in mind, it's often better to ensure the a pod has `pullPolicy: Always` specified, so images are always pulled directly from their source. ## Further Reading diff --git a/examples/config-full.yaml b/examples/config-full.yaml index ad3af46c..19d01d07 100644 --- a/examples/config-full.yaml +++ b/examples/config-full.yaml 
@@ -9,7 +9,7 @@ checks: memoryLimitsMissing: warning # images tagNotSpecified: danger - pullPolicyNotAlways: ignore + pullPolicyNotAlways: warning # healthChecks readinessProbeMissing: warning livenessProbeMissing: warning diff --git a/examples/config.yaml b/examples/config.yaml index ec68b6b6..cd3b1dba 100644 --- a/examples/config.yaml +++ b/examples/config.yaml @@ -9,7 +9,7 @@ checks: memoryLimitsMissing: warning # images tagNotSpecified: danger - pullPolicyNotAlways: ignore + pullPolicyNotAlways: warning # healthChecks readinessProbeMissing: warning livenessProbeMissing: warning
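Review bot: In the docs/check-documentation/images.md hunk, the replacement line drops the statement that the check is off by default but does not say what the new default is; since the two config hunks set `pullPolicyNotAlways: warning`, the paragraph should state that the check now runs at `warning` severity by default and that the image-pull overhead it mentions can be avoided by setting `pullPolicyNotAlways: ignore`. The same line also carries the typo "ensure the a pod has `pullPolicy: Always`" in both the removed and added versions; since the line is being rewritten anyway, fix it to "ensure that a pod has `pullPolicy: Always`".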
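Review bot: In the examples/config-full.yaml hunk, the severity choice deserves a comment in the file or the PR description: the neighbouring `tagNotSpecified` check is `danger`, and the docs hunk describes a non-`Always` pull policy as a way to reach an image without the ImagePullSecret, so a reader will ask why this check is only `warning`. A one-line YAML comment above `pullPolicyNotAlways: warning` noting that it is deliberately lower because of the pull overhead would make the intent explicit.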
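Review bot: In the examples/config.yaml hunk, flipping `pullPolicyNotAlways` from `ignore` to `warning` in the default example config is a behaviour change for anyone who copied this file: workloads that passed before will now report warnings. The change should be called out in the changelog or release notes, and the commit subject "Update config.yaml" should say what changed (enable the pullPolicyNotAlways check at warning severity) so the change is findable later.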