diff --git a/charts/zora/README.md b/charts/zora/README.md
index 726868a8..99a97905 100644
--- a/charts/zora/README.md
+++ b/charts/zora/README.md
@@ -138,7 +138,8 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.popeye.env | list | `[]` | List of environment variables to set in popeye container. |
 | scan.plugins.popeye.envFrom | list | `[]` | List of sources to populate environment variables in popeye container. |
 | kubexnsImage.repository | string | `"ghcr.io/undistro/kubexns"` | kubexns image repository |
-| kubexnsImage.tag | string | `"v0.1.4"` | kubexns image tag |
+| kubexnsImage.tag | string | `"v0.1"` | kubexns image tag |
+| kubexnsImage.pullPolicy | string | `"Always"` | Image pull policy |
 | customChecksConfigMap | string | `"zora-custom-checks"` | Custom checks ConfigMap name |
 | httpsProxy | string | `""` | HTTPS proxy URL |
 | noProxy | string | `"kubernetes.default.svc.*,127.0.0.1,localhost"` | Comma-separated list of URL patterns to be excluded from going through the proxy |
diff --git a/charts/zora/templates/operator/deployment.yaml b/charts/zora/templates/operator/deployment.yaml
index 1ead4b2b..4082b5a1 100644
--- a/charts/zora/templates/operator/deployment.yaml
+++ b/charts/zora/templates/operator/deployment.yaml
@@ -114,6 +114,7 @@ spec:
             - --checks-configmap-namespace={{ .Release.Namespace }}
             - --checks-configmap-name={{ .Values.customChecksConfigMap }}
             - --kubexns-image={{ printf "%s:%s" .Values.kubexnsImage.repository .Values.kubexnsImage.tag }}
+            - --kubexns-pull-policy={{ .Values.kubexnsImage.pullPolicy }}
             - --update-crds={{ .Values.updateCRDs | default .Release.IsUpgrade }}
             - --inject-conversion={{ .Values.operator.webhook.enabled }}
             - --webhook-service-name={{ $serviceName }}
diff --git a/charts/zora/values.yaml b/charts/zora/values.yaml
index ff4e6664..c45f8052 100644
--- a/charts/zora/values.yaml
+++ b/charts/zora/values.yaml
@@ -286,7 +286,9 @@ kubexnsImage:
   # -- kubexns image repository
   repository: ghcr.io/undistro/kubexns
   # -- kubexns image tag
-  tag: v0.1.4
+  tag: v0.1
+  # -- Image pull policy
+  pullPolicy: Always
 
 # -- Custom checks ConfigMap name
 customChecksConfigMap: zora-custom-checks
diff --git a/cmd/main.go b/cmd/main.go
index c05b9186..e9ce5c92 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -80,6 +80,7 @@ func main() {
 	var checksConfigMapNamespace string
 	var checksConfigMapName string
 	var kubexnsImage string
+	var kubexnsPullPolicy string
 	var trivyPVC string
 	var trivyFSGroup int64
 	var updateCRDs bool
@@ -110,6 +111,7 @@ func main() {
 	flag.StringVar(&checksConfigMapNamespace, "checks-configmap-namespace", "zora-system", "Namespace of custom checks ConfigMap")
 	flag.StringVar(&checksConfigMapName, "checks-configmap-name", "zora-custom-checks", "Name of custom checks ConfigMap")
 	flag.StringVar(&kubexnsImage, "kubexns-image", "ghcr.io/undistro/kubexns:latest", "kubexns image")
+	flag.StringVar(&kubexnsPullPolicy, "kubexns-pull-policy", "Always", "kubexns image pull policy")
 	flag.StringVar(&trivyPVC, "trivy-db-pvc", "", "PersistentVolumeClaim name for Trivy DB")
 	flag.Int64Var(&trivyFSGroup, "trivy-db-fsgroup", 0, "PersistentVolumeClaim FSGroup for Trivy DB")
 	flag.BoolVar(&updateCRDs, "update-crds", false,
@@ -218,6 +220,7 @@ func main() {
 		OnUpdate:                onClusterScanUpdate,
 		OnDelete:                onClusterScanDelete,
 		KubexnsImage:            kubexnsImage,
+		KubexnsPullPolicy:       kubexnsPullPolicy,
 		TrivyPVC:                trivyPVC,
 		TrivyFSGroup:            &trivyFSGroup,
 		ChecksConfigMap:         fmt.Sprintf("%s/%s", checksConfigMapNamespace, checksConfigMapName),
diff --git a/internal/controller/zora/clusterscan_controller.go b/internal/controller/zora/clusterscan_controller.go
index 9542f689..38387453 100644
--- a/internal/controller/zora/clusterscan_controller.go
+++ b/internal/controller/zora/clusterscan_controller.go
@@ -62,6 +62,7 @@ type ClusterScanReconciler struct {
 	ClusterRoleBindingName  string
 	ServiceAccountName      string
 	KubexnsImage            string
+	KubexnsPullPolicy       string
 	ChecksConfigMap         string
 	TrivyPVC                string
 	TrivyFSGroup            *int64
@@ -218,6 +219,7 @@ func (r *ClusterScanReconciler) reconcile(ctx context.Context, clusterscan *v1al
 			ServiceAccountName: r.ServiceAccountName,
 			Suspend:            notReadyErr != nil,
 			KubexnsImage:       r.KubexnsImage,
+			KubexnsPullPolicy:  r.KubexnsPullPolicy,
 			ChecksConfigMap:    r.ChecksConfigMap,
 			TrivyPVC:           r.TrivyPVC,
 			TrivyFSGroup:       r.TrivyFSGroup,
diff --git a/pkg/plugins/cronjob.go b/pkg/plugins/cronjob.go
index dfc4963c..e1d042f4 100644
--- a/pkg/plugins/cronjob.go
+++ b/pkg/plugins/cronjob.go
@@ -95,6 +95,7 @@ type CronJobMutator struct {
 	ServiceAccountName string
 	Suspend            bool
 	KubexnsImage       string
+	KubexnsPullPolicy  string
 	ChecksConfigMap    string
 	TrivyPVC           string
 	TrivyFSGroup       *int64
@@ -260,7 +261,7 @@ func (r *CronJobMutator) initContainer() corev1.Container {
 			{Name: "IGNORE_NOT_FOUND", Value: "true"},
 		},
 		VolumeMounts:    []corev1.VolumeMount{customChecksVolume},
-		ImagePullPolicy: corev1.PullIfNotPresent,
+		ImagePullPolicy: corev1.PullPolicy(r.KubexnsPullPolicy),
 		Resources:       r.Plugin.Spec.Resources,
 		SecurityContext: &corev1.SecurityContext{
 			RunAsNonRoot:             pointer.Bool(true),