Question 30
Domain 6: Monitoring, Logging and Runtime SecurityA security team wants Kubernetes to fetch the image from the registry every time a Pod starts so that a reused tag cannot silently point to different content. Which image pull policy should be specified?
Correct answer: A
Explanation
Use the Always image pull policy when you need Kubernetes to check the registry on each container start, which helps prevent relying on a reused tag's previously cached image. — cks_syllabus.txt
Why each option is right or wrong
A. Set imagePullPolicy to Always
The source material states "Image pull policy: Always for tag pinning bypass." In this situation, setting imagePullPolicy to Always is the specified control to force a registry check each time the Pod starts, addressing the risk of a reused tag pointing to different image content.
B. Set imagePullPolicy to IfNotPresent
IfNotPresent does not enforce pulling on every start; Always is specified for tag pinning bypass.
C. Set imagePullPolicy to Never
Never prevents pulling from the registry; Always is the policy tied to tag pinning bypass.
D. Leave imagePullPolicy unspecified
The required control named for tag pinning bypass is Always, not an unspecified policy.