pullpolicy: handle containers without a explicit imagePullPolicy set

A typo in the issue description that recommended the policy "PullAlways" instead of "Always" was also fixed Fixes #39
zegl · Oct 12, 2018 · 2f21dd2 · 2f21dd2
1 parent 7ba74b1
commit 2f21dd2
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 7 deletions.
diff --git a/score/container/container.go b/score/container/container.go
@@ -68,10 +68,8 @@ func ScoreContainerImageTag(podTemplate corev1.PodTemplateSpec) (score scorecard
 	hasTagLatest := false
 
 	for _, container := range allContainers {
-		imageParts := strings.Split(container.Image, ":")
-		imageVersion := imageParts[len(imageParts)-1]
-
-		if imageVersion == "latest" {
+		tag := containerTag(container.Image)
+		if tag == "" || tag == "latest" {
 			score.AddComment(container.Name, "Image with latest tag", "Using a fixed tag is recommended to avoid accidental upgrades")
 			hasTagLatest = true
 		}
@@ -98,9 +96,18 @@ func ScoreContainerImagePullPolicy(podTemplate corev1.PodTemplateSpec) (score sc
 	hasNonAlways := false
 
 	for _, container := range allContainers {
-		if container.ImagePullPolicy != corev1.PullAlways {
-			score.AddComment(container.Name, "ImagePullPolicy is not set to PullAlways", "It's recommended to always set the ImagePullPolicy to PullAlways, to make sure that the imagePullSecrets are always correct, and to always get the image you want.")
-			hasNonAlways = true
+
+		// No defined pull policy
+		if container.ImagePullPolicy == corev1.PullPolicy("") {
+			tag := containerTag(container.Image)
+			if tag != "" && tag != "latest" {
+				hasNonAlways = true
+			}
+		} else {
+			if container.ImagePullPolicy != corev1.PullAlways {
+				score.AddComment(container.Name, "ImagePullPolicy is not set to Always", "It's recommended to always set the ImagePullPolicy to Always, to make sure that the imagePullSecrets are always correct, and to always get the image you want.")
+				hasNonAlways = true
+			}
 		}
 	}
 
@@ -112,3 +119,14 @@ func ScoreContainerImagePullPolicy(podTemplate corev1.PodTemplateSpec) (score sc
 
 	return
 }
+
+// containerTag returns the image tag
+// An empty string is returned if the image has no tag
+func containerTag(image string) string {
+	imageParts := strings.Split(image, ":")
+	if len(imageParts) > 1 {
+		imageVersion := imageParts[len(imageParts)-1]
+		return imageVersion
+	}
+	return ""
+}
diff --git a/score/score_test.go b/score/score_test.go
@@ -81,6 +81,14 @@ func TestPodContainerPullPolicyUndefined(t *testing.T) {
 	testExpectedScore(t, "pod-image-pullpolicy-undefined.yaml", "Container Image Pull Policy", 0)
 }
 
+func TestPodContainerPullPolicyUndefinedLatestTag(t *testing.T) {
+	testExpectedScore(t, "pod-image-pullpolicy-undefined-latest-tag.yaml", "Container Image Pull Policy", 10)
+}
+
+func TestPodContainerPullPolicyUndefinedNoTag(t *testing.T) {
+	testExpectedScore(t, "pod-image-pullpolicy-undefined-no-tag.yaml", "Container Image Pull Policy", 10)
+}
+
 func TestPodContainerPullPolicyNever(t *testing.T) {
 	testExpectedScore(t, "pod-image-pullpolicy-never.yaml", "Container Image Pull Policy", 0)
 }

diff --git a/score/testdata/pod-image-pullpolicy-undefined-latest-tag.yaml b/score/testdata/pod-image-pullpolicy-undefined-latest-tag.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-test-1
+spec:
+  containers:
+  - name: foobar
+    image: foo/bar:latest
diff --git a/score/testdata/pod-image-pullpolicy-undefined-no-tag.yaml b/score/testdata/pod-image-pullpolicy-undefined-no-tag.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-test-1
+spec:
+  containers:
+  - name: foobar
+    image: foo/bar