Ensure secret pulled images #94899
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know what this means and that I can't explain it to other people. I could read the code; I haven't, because I'm checking whether the docs part makes sense.
What effect does this feature gate have?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Described in more detail in the KEP. The sentence presumes the reader knows what kubelet is, container images, pods, image pull secrets (credentials), and authentication to registries using existing image pull policies and said credentials... and yes, that is a lot of assumptions. There are existing descriptions for the pull if not present, pull always policies, and warnings for using mitigations to force the pull always policy, because kubelet does not currently "ensure images pulled with pod imagePullSecrets are authenticated by other pods that do not have the same credentials" when pull always is not requested. We could adds links. This is a somewhat complex topic regarding currently known potential security vulnerabilities and subsequent performance issues with current mitigations.
Suggestions, to simplify the description are more than welcome.
Looks like we will not be merging in this release... Instead we will add in additional phase II suggested items, such as persistence of the ensure metadata, a gc sync process with container runtime image cache, (possibly) a solution for identifying which container images are loaded to be used as never pull images for the pod pull never container image policy, and a few other TODO items that were proposed for the next phase.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
overly simple explanation:
feature gate off (current behavior)
pod spec A has a private image that requires credentials (aka image pull secrets)
pod spec B uses the private image (This pod doesn't need credentials because the image is already cached)
feature gate on (desired behavior)
pod spec B also needs credentials to use the private image
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we switch to a revised comment that explains this clearly enough?
(I'm afraid I'm convinced that the current text falls some way short).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
will do