Affected by 
Documentation
¶
Overview ¶
Package alwayspullimages contains an admission controller that modifies every new Pod to force the image pull policy to Always. This is useful in a multitenant cluster so that users can be assured that their private images can only be used by those who have the credentials to pull them. Without this admission controller, once an image has been pulled to a node, any pod from any user can use it simply by knowing the image's name (assuming the Pod is scheduled onto the right node), without any authorization check against the image. With this admission controller enabled, images are always pulled prior to starting containers, which means valid credentials are required.
Index ¶
Constants ¶
const PluginName = "AlwaysPullImages"
PluginName indicates name of admission plugin.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type AlwaysPullImages ¶ added in v1.9.0
AlwaysPullImages is an implementation of admission.Interface. It looks at all new pods and overrides each container's image pull policy to Always.
func NewAlwaysPullImages ¶
func NewAlwaysPullImages() *AlwaysPullImages
NewAlwaysPullImages creates a new always pull images admission control handler
func (*AlwaysPullImages) Admit ¶ added in v1.9.0
func (a *AlwaysPullImages) Admit(attributes admission.Attributes, o admission.ObjectInterfaces) (err error)
Admit makes an admission decision based on the request attributes
func (*AlwaysPullImages) Validate ¶ added in v1.9.0
func (*AlwaysPullImages) Validate(attributes admission.Attributes, o admission.ObjectInterfaces) (err error)
Validate makes sure that all containers are set to always pull images
Source Files