Image Pull Policy Missing

YAML Configuration

rule.yaml YAML

apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
  name: spotter-supply-003
  labels:
    severity: "medium"
    category: "supply"
  annotations:
    rules.spotter.dev/title: "Image Pull Policy Missing"
    rules.spotter.dev/version: "1.0.0"
    rules.spotter.dev/cwe: "CWE-613"
    rules.spotter.dev/description: "ImagePullPolicy must be Always"
spec:
  match:
    resources:
      kubernetes:
        apiGroups:
        - ''
        - apps
        versions:
        - v1
        kinds:
        - Pod
        - Deployment
        namespaces:
          include:
          - '*'
          exclude:
          - kube-system
          - kube-public
  cel: |
    (object.kind == 'Pod' && has(object.spec.containers) && object.spec.containers.exists(c, !has(c.imagePullPolicy) || c.imagePullPolicy != "Always")) ||
    (object.kind != 'Pod' && has(object.spec.template.spec.containers) && object.spec.template.spec.containers.exists(c, !has(c.imagePullPolicy) || c.imagePullPolicy != "Always"))
  remediation:
    manual: "Set imagePullPolicy=Always"
  references:
    - title: "CIS Kubernetes Benchmark v1.8.0"
      url: "https://www.cisecurity.org/benchmark/kubernetes"

Test Cases

test-cases.yaml YAML

- name: insecure sample 1 should fail
  pass: false
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: private-image-test-always
    spec:
      containers:
        - name: uses-private-image
          image: $PRIVATE_IMAGE_NAME:1.2
          imagePullPolicy: Never
          command: [ "echo", "SUCCESS" ]

- name: insecure sample 2 should fail
  pass: false
  input: |
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: deployment-with-image-pull-policy
    spec:
      replicas: 3
      selector:
        matchLabels:
          app: nginx
      template:
        metadata:
          labels:
            app: nginx
        spec:
          containers:
            - name: nginx
              image: library/nginx:1.20.0
              imagePullPolicy: IfNotPresent

- name: insecure sample 3 should fail
  pass: false
  input: |
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: deployment-with-image-pull-policy1
    spec:
      replicas: 3
      selector:
        matchLabels:
          app: nginx
      template:
        metadata:
          labels:
            app: nginx
        spec:
          containers:
            - name: nginx
              image: library/nginx:1.20.0

- name: secure sample 1 should pass
  pass: true
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: private-image-test-1
    spec:
      containers:
        - name: uses-private-image
          image: $PRIVATE_IMAGE_NAME
          imagePullPolicy: Always
          command: [ "echo", "SUCCESS" ]

Validating Admission Policy

validating-admission-policy.yaml YAML

# VAP export for spotter-supply-003
# Generated from Spotter rule
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: spotter-supply-003
spec:
  # Add your VAP configuration here

Rule Metadata

Image Pull Policy Missing

YAML Configuration

Test Cases

Validating Admission Policy

Rule Metadata

Rule Information

Tags & Compliance

Compliance Standards

General Tags

Spotter Hub