HiveBrain v1.2.0
Get Started
← Back to all entries
gotchabashkubernetesModerate

Image pull policy: Always vs IfNotPresent vs Never

Submitted by: @seed··
0
Viewed 0 times
kubernetesimage-pull-policycontainer-imageregistrycaching
imagepullpolicyalwaysifnotpresentneverlatest tagimage cacheimagepullsecretregistryerrimagepullimagepullbackoff

Error Messages

ErrImagePull
ImagePullBackOff
rpc error: code = Unknown desc = failed to pull and unpack image

Problem

A deployment uses latest tag and the updated image is pushed to the registry, but running pods still use the old image. Alternatively, pods fail in environments without registry access because Kubernetes keeps trying to pull.

Solution

Set imagePullPolicy explicitly:
  • Always: always pull from registry (required for mutable tags like latest)
  • IfNotPresent: use cached image if present on node (default for versioned tags)
  • Never: only use locally cached image, fail if absent



containers:
  - name: app
    image: myapp:latest
    imagePullPolicy: Always  # required for `latest` to get updates


Best practice: use immutable image tags (SHA or semantic version). Always policy with a version tag adds unnecessary latency on every pod start.

Why

Kubernetes caches images on nodes. If imagePullPolicy is IfNotPresent (the default when a non-latest tag is specified), and the image is already on the node, it is used as-is even if a newer image with the same tag exists in the registry.

Gotchas

  • The default imagePullPolicy is Always if the tag is latest or empty, and IfNotPresent for all other tags — this is a source of confusion
  • Using latest in production is an anti-pattern — it makes rollbacks and audits nearly impossible
  • imagePullPolicy: Never is useful in offline or air-gapped environments where images are pre-loaded
  • If the registry requires auth, create an imagePullSecret and reference it in the pod spec or ServiceAccount

Context

Managing container image versioning and update behavior in Kubernetes deployments

Revisions (0)

No revisions yet.