Skip to content
Ensure kubernetes pods run on latest images builds from the docker registry
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
deploy Yet another rewrite Mar 2, 2019
.dockerignore First commit Feb 11, 2019
LICENSE First commit Feb 11, 2019
Makefile Rename project to "imago" Feb 19, 2019
README.rst Add a --check-pods option to test running pod images Mar 9, 2019
main.go Fix warnings reported by staticcheck Mar 10, 2019
main_test.go Better handling of errors Mar 10, 2019



This project aims to ease continuous delivery of docker images in a kubernetes cluster.

Imago is the last stage of an insect, it also refer to image and go (golang).

imago looks for kubernetes Deployments and DaemonSets configuration and update them to use the latest image sha256 digest from the docker repository.

This is useful to handle the following cases:

  • image is rebuilt for security fixes
  • ensure all pods use exactly the same image
  • image is rebuilt by CI for continuous delivery

imago ensure your pods are running the latest build.

How it works ?

imago looks for Deployments and DaemonSets configuration, get the latest sha256 digest from registry and update containers specifications to set image to the corresponding registry/image@sha256:... notation. It track the original image specification in the imago-config-spec annotation.


$ imago
Usage of imago:
        Check deployments and daemonsets on all namespaces (default false)
        check image digests of running pods (default false)
  -field-selector string
        Kubernetes field-selector
  -kubeconfig string
        kube config file (default "~/.kube/config")
  -l string
        Kubernetes labels selectors
        Warning: applies to Deployment and DaemonSet, not pods !
  -n string
        Check deployments and daemonsets in given namespace (default to current namespace)
        update deployments and daemonsets to use newer images (default false)

By default, imago doesn't update your deployments, unless invoked with --update.

The --check-pods is a less intrusive mode where update is done only if one of the running pods doesn't run on latest digest image.

Example output

$ imago --update
2019/02/11 17:55:21 checking default/Deployment/aptly:
2019/02/11 17:55:21   aptly ok
2019/02/11 17:55:21   nginx ok
2019/02/11 17:55:22 checking default/Deployment/kibana:
2019/02/11 17:55:22   kibana ok
2019/02/11 17:55:22   nginx ok
2019/02/11 17:55:22 checking default/Deployment/
2019/02/11 17:55:22   gitweb need to be updated from to
2019/02/11 17:55:22   nginx ok
2019/02/11 17:55:22 update default/Deployment/
2019/02/11 17:55:22 checking DaemonSet/fluentd:
2019/02/11 17:55:22   fluentd has to be updated from to
2019/02/11 17:55:22 update default/DaemonSet/fluentd

Install and run

From the command line

Assuming you have a working ~/.kube/config file, just download and build the code:

$ go get
$ $(go env GOPATH)/bin/imago --help

From the docker image

Assuming you have a working ~/.kube/config file:

$ docker pull philpep/imago
$ docker run --rm -it -u $(id -u) -v ~/.kube/config:/config philpep/imago --help

Inside the cluster

You can run imago inside the cluster, for instance in a CronJob kubernetes object that runs every day.

See the ServiceAccount and CronJob objects.

$ kubectl apply -f deploy/serviceaccount.yaml
$ kubectl apply -f deploy/cronjob.yaml
You can’t perform that action at this time.