Profile Applicability:

  • Level 1

Description:

The AlwaysPullImages admission control plugin ensures that every time a container is launched, the image is pulled from the image registry, even if the image already exists on the node. This setting guarantees that the most up-to-date image is used, preventing the use of outdated or vulnerable container images that may already be cached on the node.

Rationale:

By enabling the AlwaysPullImages plugin, you ensure that the most recent version of container images is always used. This helps mitigate risks related to running outdated images that may contain known vulnerabilities or bugs. It is especially important in environments where image versions are frequently updated to address security issues.

Impact:

Pros:

  • Ensures that containers run with the most recent image, improving security and reliability.

  • Prevents the use of stale, vulnerable, or misconfigured images that may exist in node caches.

Cons:

  • Additional network bandwidth usage due to pulling images every time, potentially impacting performance, especially in environments with large images or slow network connections.

Default Value:

Not enabled by default. The default behavior is to use cached images if they are already present on the node.

Pre-requisites:

  • The Kubernetes environment must have access to a reliable and up-to-date image registry.

  • Container images should be properly versioned to ensure correct updates.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to your EKS Cluster.

  3. Go to the Node Group or EKS configuration details.

  4. Check the --enable-admission-plugins flag and verify that AlwaysPullImages is listed among the enabled plugins.

Using AWS CLI:

Run the following AWS CLI command to describe your EKS cluster's configuration:

aws eks describe-cluster --name <cluster-name> --query "cluster.config"

  1. Ensure that AlwaysPullImages is included in the --enable-admission-plugins list.
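The cluster-side checks above can be complemented from the workload side: when AlwaysPullImages is active, every admitted pod carries imagePullPolicy: Always on all of its containers, so any running container whose effective policy is something else indicates the plugin is not enforcing. The following Python audit is an added example, not part of this benchmark; it reads the JSON shape produced by kubectl get pods -A -o json (the embedded sample is constructed) and applies the Kubernetes default for an omitted policy (Always for :latest or untagged images, IfNotPresent otherwise).

```python
"""Audit pod JSON for containers whose effective imagePullPolicy is not Always.

Added example (not from the benchmark). Input shape matches
`kubectl get pods -A -o json`; SAMPLE below is constructed test data.
"""
import json


def effective_pull_policy(container: dict) -> str:
    """Explicit policy if set, else the Kubernetes default for the image ref."""
    policy = container.get("imagePullPolicy")
    if policy:
        return policy
    ref = container["image"].rsplit("/", 1)[-1]   # drop registry/repo path
    if "@" in ref:                                # digest-pinned: not :latest
        return "IfNotPresent"
    if ":" not in ref or ref.endswith(":latest"):  # untagged or :latest
        return "Always"
    return "IfNotPresent"


def find_non_always(pod_list: dict) -> list:
    """Return (namespace, pod, container, policy) for every non-Always container."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        for kind in ("initContainers", "containers", "ephemeralContainers"):
            for c in spec.get(kind, []):
                policy = effective_pull_policy(c)
                if policy != "Always":
                    findings.append((meta["namespace"], meta["name"], c["name"], policy))
    return findings


# Constructed sample: two pods, four containers, mixed policies.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"namespace": "prod", "name": "web-1"},
  "spec": {"containers": [
    {"name": "app", "image": "registry.example.com/app:1.4.2"},
    {"name": "sidecar", "image": "registry.example.com/proxy:latest"}]}},
 {"metadata": {"namespace": "prod", "name": "job-1"},
  "spec": {"initContainers": [
    {"name": "init", "image": "busybox:1.36", "imagePullPolicy": "Always"}],
   "containers": [
    {"name": "worker", "image": "registry.example.com/worker@sha256:deadbeef",
     "imagePullPolicy": "Never"}]}}]}""")

if __name__ == "__main__":
    for ns, pod, ctr, policy in find_non_always(SAMPLE):
        print(f"{ns}/{pod} container {ctr}: imagePullPolicy={policy}")
```

Replace SAMPLE with `json.load(sys.stdin)` and pipe in `kubectl get pods -A -o json` to run it against a live cluster.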

Implementation Plan:

Using AWS Console:

  1. Navigate to the EKS cluster in the AWS Console.

  2. Under the Cluster Configuration section, modify the API server's settings.

  3. Add AlwaysPullImages to the list of enabled admission control plugins.

  4. Save the configuration and apply the changes.

Using AWS CLI:

Update the --enable-admission-plugins argument to include AlwaysPullImages:

aws eks update-cluster-config --name <cluster-name> --kubernetes-version <kubernetes-version> --enable-admission-plugins AlwaysPullImages

Backout Plan:

Using AWS Console:

  1. Navigate to the EKS cluster's API server configuration.

  2. Remove AlwaysPullImages from the list of enabled admission control plugins if necessary.

  3. Save the configuration and redeploy the cluster.

Using AWS CLI:

If issues occur, revert the change using:

aws eks update-cluster-config --name <cluster-name> --kubernetes-version <kubernetes-version> --disable-admission-plugins AlwaysPullImages

References: