kubernetes-retired / multi-tenancy

A working place for multi-tenancy related proposals and prototypes.

AlwaysPullImages admission plugin to satisfy benchmark

mac-chaffee opened this issue · comments

The "Require always imagePullPolicy" benchmark appears to try to run a pod with an ImagePullPolicy of "Never": https://github.com/kubernetes-sigs/multi-tenancy/blob/master/benchmarks/kubectl-mtb/test/benchmarks/require_always_pull_image/require_always_pull_image.go#L40

My cluster will allow that container to run, but I have the AlwaysPullImages admission plugin enabled which will change the field to "Always" before it starts: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages

That plugin is recommended by the CIS Benchmarks for Kubernetes, so it may be common: https://workbench.cisecurity.org/sections/639538/recommendations/1047690 (requires login)

Is it possible for the benchmark to detect that?

Is it possible for the benchmark to detect that?

Turns out it is possible:

$ kubectl get pod kube-apiserver-k8s-node15 -n kube-system -o yaml | grep AlwaysPullImages
    - --enable-admission-plugins=AlwaysPullImages,NodeRestriction,PodSecurityPolicy

Does this sound like a good alternative way to comply with the "Require always imagePullPolicy" benchmark?
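As an added example (not part of the issue or of the kubectl-mtb code), the check above can be made a little more robust than a plain grep: the same plugin name can also appear in `--disable-admission-plugins`, where a grep would still match, and older clusters pass the list via the legacy `--admission-control` flag. The snippet below parses a kube-apiserver static-pod manifest (constructed sample JSON, as `kubectl get pod ... -o json` would return it) and reports whether a named admission plugin is actually enabled. It assumes the plugin list is passed as a container command-line flag, as on kubeadm-style clusters; a cluster that configures admission through a config file would need a different check.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// podSpec is the minimal subset of a Pod object needed here.
type podSpec struct {
	Spec struct {
		Containers []struct {
			Name    string   `json:"name"`
			Command []string `json:"command"`
			Args    []string `json:"args"`
		} `json:"containers"`
	} `json:"spec"`
}

// splitList turns "a, b,c" into []string{"a","b","c"}, dropping empties.
func splitList(s string) []string {
	var out []string
	for _, v := range strings.Split(s, ",") {
		if v = strings.TrimSpace(v); v != "" {
			out = append(out, v)
		}
	}
	return out
}

// parseFlagList returns the comma-separated values of flag, accepting both
// the "--flag=a,b" and the "--flag a,b" spellings; nil when the flag is absent.
func parseFlagList(args []string, flag string) []string {
	prefix := flag + "="
	for i, a := range args {
		if strings.HasPrefix(a, prefix) {
			return splitList(strings.TrimPrefix(a, prefix))
		}
		if a == flag && i+1 < len(args) {
			return splitList(args[i+1])
		}
	}
	return nil
}

// AdmissionPluginEnabled reports whether plugin is enabled on the API server
// whose Pod manifest (JSON) is given. A plugin listed in
// --disable-admission-plugins counts as disabled even if it also appears in an
// enable list; otherwise both --enable-admission-plugins and the legacy
// --admission-control flag are consulted. AlwaysPullImages is not enabled by
// default, so "not listed" means "not enabled".
func AdmissionPluginEnabled(manifestJSON []byte, plugin string) (bool, error) {
	var pod podSpec
	if err := json.Unmarshal(manifestJSON, &pod); err != nil {
		return false, err
	}
	for _, c := range pod.Spec.Containers {
		if c.Name != "kube-apiserver" {
			continue
		}
		args := append(append([]string{}, c.Command...), c.Args...)
		for _, d := range parseFlagList(args, "--disable-admission-plugins") {
			if d == plugin {
				return false, nil
			}
		}
		for _, flag := range []string{"--enable-admission-plugins", "--admission-control"} {
			for _, e := range parseFlagList(args, flag) {
				if e == plugin {
					return true, nil
				}
			}
		}
	}
	return false, nil
}

// Constructed sample manifests (not captured from a real cluster).
const SampleEnabled = `{
  "metadata": {"name": "kube-apiserver-node1", "namespace": "kube-system"},
  "spec": {"containers": [{
    "name": "kube-apiserver",
    "command": ["kube-apiserver",
      "--enable-admission-plugins=AlwaysPullImages,NodeRestriction,PodSecurityPolicy",
      "--authorization-mode=Node,RBAC"]
  }]}
}`

// Here a naive grep for "AlwaysPullImages" would still match, but the plugin is off.
const SampleDisabled = `{
  "metadata": {"name": "kube-apiserver-node2", "namespace": "kube-system"},
  "spec": {"containers": [{
    "name": "kube-apiserver",
    "command": ["kube-apiserver",
      "--enable-admission-plugins=NodeRestriction",
      "--disable-admission-plugins=AlwaysPullImages"]
  }]}
}`

func main() {
	for name, m := range map[string]string{"enabled": SampleEnabled, "disabled": SampleDisabled} {
		ok, err := AdmissionPluginEnabled([]byte(m), "AlwaysPullImages")
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-8s AlwaysPullImages enabled=%v\n", name, ok)
	}
}
```

On a live cluster the manifest would come from `kubectl get pod kube-apiserver-<node> -n kube-system -o json`; reading the flags rather than grepping the YAML avoids counting a disabled plugin as enabled.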