قالب وردپرس درنا توس
Home / Tips and Tricks / Understanding Kubernetes Image Pull Policies – CloudSavvy IT

Understanding Kubernetes Image Pull Policies – CloudSavvy IT



Image with the Kubernetes logo

Kubernetes image retrieval policy determines when Kubelet should fetch an updated image version. Pull policy is used when a new Pod is started. Kubelet will take appropriate action as directed in the Pod’s policies.

The default behavior

You do not need to specify an image retrieval policy. When a pod has no policy, Kubernetes infers your intentions from the image tag. If you specified a specific tag (such as my-image:my-release), the image is only fetched if the tag does not already exist on the Kubelet node. This policy is called IfNotPresent.

When no tag is specified, or you are using the latest tag, the image will always be drawn. Kubernetes retrieves the manifest of the image every time a new pod is started. If the manifest indicates a change, the updated image is retrieved before the containers are created.

Kubernetes will never change imagePullPolicy as a result of another action. Editing a Pod image shall not trigger Kubernetes to reevaluate the default pull policy. That means if you start with my-image:latest but later update the Pod to my-image:my-release, the image pull policy remains: IfNotPresent. If desired, you must manually specify a new policy.

Always let Kubelet pull

You must apply an image pull policy to force Kubelet to always try a pull. Set up imagePullPolicy: Always on a pod to enable this behavior.

spec:
  containers:
      - name: my-container
        image: my-image:my-release
        imagePullPolicy: Always

New image versions are fetched when a pod is launched and the manifest digest of the image has changed. A locally cached version of the image will still be reused if the digest has not been changed. This prevents unnecessary downloads over the network. Docker digests are immutable references that uniquely identify images without a name or tag.

Forced pulls are useful when you want to distribute new versions of your image with the same tag. This can be the case if you tag images with the branch name from which they are built. Without the Always policy, Kubernetes would never fetch your new image releases if the tag was already available locally.

Ban automatic pulling trekken

All policies that allow image retrieval will fetch new versions of your locally cached tags. Use an image overview as your Pods image field if you want a container to have an exact image version every time it starts.

There are scenarios where you might not want Kubernetes to fetch images at all. the . Set up Never policy will prevent Kubelet’s automatic pulls. This policy does not check for updates at all – the registry manifest version is not retrieved.

You need an alternate way to get images to your nodes if you Never. Each image must exist locally before attempting to launch your pods. Otherwise, Kubernetes will not be able to run the Pod’s containers.

This acts as a protection mechanism when using a self-contained image pulling mechanism. You don’t want Kubernetes to accidentally try to perform an automatic fetch in case a pull fails. This can lead to the loss of images that are already cached locally.

Pull policy and caching

Your selected pull policy should not significantly affect performance. As long as your image provider supports layer caching, Kubelet only needs to pull the really new layers into each image.

The Always policy does add a network call every time you start a new Pod. It only needs to check the image summary, so this should be practically instantaneous. If the digest does not match the locally cached version, the new image layers are unregistered. The main performance overhead is the actual network transfer of those layers, followed by their subsequent decompression.

Resume

Kubernetes supports several behavioral models for image retrieval. Images are handled by Kubelet and are fetched when a pod is started. The default policy retrieves the image if the tag does not already exist locally. If the image is not tagged, or has latest as his tag, the Always The policy will be used instead.

the . Set up imagePullPolicy in your Pod specs make the selected policy explicit. This helps all collaborators understand the chosen behavior, even if they are not familiar with Kubernetes’ default settings. It is especially important if you use latest or untagged images, where Kubernetes applies a special treatment that can be confusing.

Keep in mind that the image pull policy is always set per Pod by default. If you want to use a single policy for your entire cluster, you must use a configuration validation tool to scan your Pod manifests. kube-score is a static analysis tool for Kubernetes object manifests that imagePullPolicy check in the default ruleset. Run kube-score score my-manifest.yaml as part of a CI pipeline to prevent the use of manifests without defined policies.


Source link