Kubernetes image retrieval policy determines when Kubelet should fetch an updated image version. Pull policy is used when a new Pod is started. Kubelet will take appropriate action as directed in the Pod’s policies.
The default behavior
You do not need to specify an image retrieval policy. When a pod has no policy, Kubernetes infers your intentions from the image tag. If you specified a specific tag (such as
my-image:my-release), the image is only fetched if the tag does not already exist on the Kubelet node. This policy is called
When no tag is specified, or you are using the
latest tag, the image will always be drawn. Kubernetes retrieves the manifest of the image every time a new pod is started. If the manifest indicates a change, the updated image is retrieved before the containers are created.
Kubernetes will never change
imagePullPolicy as a result of another action. Editing a Pod
image shall not trigger Kubernetes to reevaluate the default pull policy. That means if you start with
my-image:latest but later update the Pod to
my-image:my-release, the image pull policy remains:
IfNotPresent. If desired, you must manually specify a new policy.
Always let Kubelet pull
You must apply an image pull policy to force Kubelet to always try a pull. Set up
imagePullPolicy: Always on a pod to enable this behavior.
spec: containers: - name: my-container image: my-image:my-release imagePullPolicy: Always
New image versions are fetched when a pod is launched and the manifest digest of the image has changed. A locally cached version of the image will still be reused if the digest has not been changed. This prevents unnecessary downloads over the network. Docker digests are immutable references that uniquely identify images without a name or tag.
Forced pulls are useful when you want to distribute new versions of your image with the same tag. This can be the case if you tag images with the branch name from which they are built. Without the
Always policy, Kubernetes would never fetch your new image releases if the tag was already available locally.
Ban automatic pulling trekken
All policies that allow image retrieval will fetch new versions of your locally cached tags. Use an image overview as your Pods
image field if you want a container to have an exact image version every time it starts.
There are scenarios where you might not want Kubernetes to fetch images at all. the . Set up
Never policy will prevent Kubelet’s automatic pulls. This policy does not check for updates at all – the registry manifest version is not retrieved.
You need an alternate way to get images to your nodes if you
Never. Each image must exist locally before attempting to launch your pods. Otherwise, Kubernetes will not be able to run the Pod’s containers.
This acts as a protection mechanism when using a self-contained image pulling mechanism. You don’t want Kubernetes to accidentally try to perform an automatic fetch in case a pull fails. This can lead to the loss of images that are already cached locally.
Pull policy and caching
Always policy does add a network call every time you start a new Pod. It only needs to check the image summary, so this should be practically instantaneous. If the digest does not match the locally cached version, the new image layers are unregistered. The main performance overhead is the actual network transfer of those layers, followed by their subsequent decompression.
Kubernetes supports several behavioral models for image retrieval. Images are handled by Kubelet and are fetched when a pod is started. The default policy retrieves the image if the tag does not already exist locally. If the image is not tagged, or has
latest as his tag, the
Always The policy will be used instead.
the . Set up
imagePullPolicy in your Pod specs make the selected policy explicit. This helps all collaborators understand the chosen behavior, even if they are not familiar with Kubernetes’ default settings. It is especially important if you use
latest or untagged images, where Kubernetes applies a special treatment that can be confusing.
Keep in mind that the image pull policy is always set per Pod by default. If you want to use a single policy for your entire cluster, you must use a configuration validation tool to scan your Pod manifests. kube-score is a static analysis tool for Kubernetes object manifests that
imagePullPolicy check in the default ruleset. Run
kube-score score my-manifest.yaml as part of a CI pipeline to prevent the use of manifests without defined policies.