Image Pull Policy Discipline
imagePullPolicy: Always vs IfNotPresent. The decision.
Always
Image pull policy controls when Kubernetes pulls container images. Three values are available: Always, IfNotPresent, Never. Each fits different scenarios; the choice affects deployment speed, freshness, and operational characteristics.
What Always provides:
- Pulls every restart: When a pod starts, the image is pulled from the registry. The latest version of the tag is always retrieved; the pod is guaranteed to run the most current image.
- Slower: Each restart involves a registry pull. The startup time includes the pull; for large images, this is significant.
- Stable: The pod is always running the latest version of its tag. Floating tags (latest, prod) update; the pod follows.
- Best for prod: Production deployments often want the latest pushed image. Always ensures every deploy reflects the most recent push.
- Ensures latest deployed version: Even if a node has a cached image, Always pulls fresh. The cache is bypassed; the freshness is guaranteed.
Always is the right default for production. The slower startup is a worthwhile trade-off for predictability.
IfNotPresent
IfNotPresent uses the cached image if it exists locally. The startup is faster; the trade-off is potential staleness.
- Uses cached image if available: If the node has the image cached, Kubernetes uses it. No registry pull; no startup delay; the pod starts immediately.
- Faster: The startup is dramatically faster than with Always. A cached image starts in seconds; a pulled image can take minutes when the image is large.
- Staler: The cached image might not be the latest version of the tag. If the floating tag (latest, prod) was updated since the image was cached, the pod runs the older version.
- Best for development: Local development clusters benefit from IfNotPresent. The cache speeds iteration; the staleness is acceptable for non-production work.
- With immutable tags: When images are tagged with immutable identifiers (semantic versions, git SHAs), IfNotPresent is safe. The tag does not change; the cache is always correct.
IfNotPresent is the right choice for development and for production with immutable tags. The faster startup pays off when the staleness risk is bounded.
Never
Never tells Kubernetes never to pull. The image must be pre-loaded; if not present, the pod fails to start.
- Air-gapped clusters: Clusters without registry access need pre-loaded images. The team loads images into the nodes via other mechanisms; Never enforces that no pull is attempted.
- With pre-loaded images: The image must be on the node before the pod starts. The team's deployment process includes the pre-load; the pod's spec assumes the image is available.
- Specialised use case: Most clusters do not need Never. Air-gapped, regulatory, or specific testing scenarios are the typical use cases.
- Operationally complex: Pre-loading images is operational work. The team's tooling must include the pre-load step; without it, pods fail to start mysteriously.
- Verify pre-load: Before scheduling pods with Never policy, the team verifies the image is present. Without verification, the pod's failure is the first signal that the pre-load was missed.
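The rules above can be checked mechanically. The following audit is an added example, not part of the original page: it flags IfNotPresent combined with a floating tag and lists every Never container that depends on a pre-load. It goes one step beyond the text by applying the Kubernetes default when imagePullPolicy is omitted (Always for :latest or no tag, IfNotPresent otherwise). The registry name, namespace, sample pods and immutable-tag pattern are assumptions.

```python
import re

# Assumption: a tag shaped like semver or a git SHA is immutable by team convention.
# That only holds if the registry enforces tag immutability.
IMMUTABLE_TAG = re.compile(r"^(v?\d+\.\d+\.\d+\S*|[0-9a-f]{7,40})$")

def pod(name, *containers):
    """Build a constructed pod manifest; each container is (name, image[, policy])."""
    return {"metadata": {"namespace": "shop", "name": name},
            "spec": {"containers": [dict(zip(("name", "image", "imagePullPolicy"), c))
                                    for c in containers]}}

# Constructed sample in the shape of a `kubectl get pods -o json` list.
SAMPLE = {"items": [
    pod("web", ("app", "registry.example.com/shop/web:prod", "IfNotPresent")),
    pod("api", ("app", "registry.example.com/shop/api:1.4.2", "IfNotPresent")),
    pod("cron", ("job", "registry.example.com:5000/shop/cron")),      # no tag, no policy
    pod("batch", ("job", "registry.example.com/shop/batch:nightly")), # policy omitted
    pod("db", ("pg", "registry.example.com/shop/pg@sha256:" + "a" * 64)),
    pod("edge", ("proxy", "registry.example.com/shop/edge:2.0.1", "Never")),
]}

def split_image(image):
    """Return (tag, digest); a ':' in the registry host:port is not a tag."""
    name, _, digest = image.partition("@")
    last = name.rsplit("/", 1)[-1]
    return (last.partition(":")[2] if ":" in last else None), (digest or None)

def effective_policy(c):
    """Explicit policy, or the default Kubernetes applies when the field is omitted."""
    if c.get("imagePullPolicy"):
        return c["imagePullPolicy"]
    tag, digest = split_image(c["image"])
    return "Always" if not digest and tag in (None, "latest") else "IfNotPresent"

def audit(pod_list):
    """Return (pod, container, policy, issue) for each risky policy/tag combination."""
    findings = []
    for p in pod_list["items"]:
        spec = p["spec"]
        for c in spec.get("initContainers", []) + spec["containers"]:
            tag, digest = split_image(c["image"])
            policy = effective_policy(c)
            pinned = bool(digest or (tag and IMMUTABLE_TAG.match(tag)))
            issue = {"IfNotPresent": None if pinned else "floating tag can run stale from node cache",
                     "Never": "image must be pre-loaded on every node"}.get(policy)
            if issue:
                findings.append((p["metadata"]["name"], c["name"], policy, issue))
    return findings
```

The batch pod is the case that is easy to miss: nobody wrote IfNotPresent, but a non-latest floating tag with the field omitted gets it by default.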
Image pull policy discipline is one of those small Kubernetes choices that compounds across many pods. Nova AI Ops integrates with cluster telemetry, surfaces pull patterns and failures, and produces the operational visibility that drives effective pull policy decisions.