Kubernetes Blog
Follow
Kubernetes v1.33: Image Pull Policy the way you always thought it worked!
The imagePullPolicy in Kubernetes has a surprising behavior that has been a caveat for over 10 years, allowing pods to access authenticated images without credentials. The IfNotPresent policy would allow a pod to use an image already present on a node, even if it didn't provide credentials to pull the image. This is a security issue as pods without credentials can access private images. In Kubernetes v1.33, the IfNotPresent policy has been updated to ensure that pods must provide credentials to use a previously pulled private image. The Kubelet will verify the pod's credentials before allowing it to use the image. The imagePullPolicy: Never option does not fetch images, but requires credentials to use an already present image. The imagePullPolicy: Always option has always worked as intended, requiring authentication for every image request. The new feature uses persistent, file-based caches on each node to verify pod credentials. The feature is based on recording the intention to pull an image, extracting credentials, and making a record of successful pulls. The feature is available in Kubernetes v1.33 and can be enabled by turning on the KubeletEnsureSecretPulledImages feature gate.