Blog on "Ensure secret pulled images" feature #47053
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
area/blog
✅ Pull request preview available for checkingBuilt without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site configuration. |
sairameshv
changed the title
|
Hello, I'm Rashan from the 1.31 Release comms team. I'm reaching out with a reminder that the blog ready for review deadline is July 26, 2024. Please let me know how we can help! |
gate Signed-off-by: Sai Ramesh Vanka <svanka@redhat.com>
sairameshv
force-pushed
the
ensure-image-pull-blog
branch
from
a3c4edf to
079672c
Compare
k8s-ci-robot
added
size/M
Hey @rashansmith , Could you review the contents of this blog post and give some suggestions on it? |
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
will do! |
|
/hold OK to unhold once Kubernetes v1.31 has been released. |
k8s-ci-robot
added
the
do-not-merge/hold
There was a problem hiding this comment.
This looks like a task rather than post-release publicity.
Have a look at some of the other blog articles that we've gone out; I think you'll see they tend to take a different angle.
You can also link to the documentation about KubeletEnsureSecretPulledImages.
| @@ -0,0 +1,82 @@ | |||
| --- | |||
| layout: blog | |||
| title: "Kubernetes: 1.31 KubeletEnsureSecretPulledImages feature gate" | |||
There was a problem hiding this comment.
| title: "Kubernetes: 1.31 KubeletEnsureSecretPulledImages feature gate" | |
| title: "Kubernetes 1.31: Additional Security Measures For Container Image Pulls" |
|
BTW @rashansmith the blog reviewers would typically review, but it's great if you're willing to help line up a reviewer. This is open source so you are of course welcome to do your own reviewing. |
| # Scenario: Enable KubeletEnsureSecretPulledImages FeatureGate | ||
|
|
||
| ## Objective | ||
| Enable a new feature gate `KubeletEnsureSecretPulledImages` and create two pods that pull same image from a private registry (for ex: `quay.io`) with one pod configured with valid image pull credentials and another having invalid image pull credentials. |
There was a problem hiding this comment.
| Enable a new feature gate `KubeletEnsureSecretPulledImages` and create two pods that pull same image from a private registry (for ex: `quay.io`) with one pod configured with valid image pull credentials and another having invalid image pull credentials. | |
| Enable a new feature gate `KubeletEnsureSecretPulledImages` and create two pods that pull same | |
| image from a private registry (for ex: `quay.io`) with one pod configured with valid image | |
| pull credentials and another having invalid image pull credentials. |
| Modify the kubelet configuration by setting the `KubeletEnsureSecretPulledImages` feature gate to `false` and verify both the pods are `Running` successfully which is the default/current behavior. | ||
|
|
||
| ### Conclusion | ||
| As of today, if a pod pulls an image from a private registry with valid credentials on to a node, the same can be leveraged by any another pod on the same node even without a valid image pull seceret/credentials. |
There was a problem hiding this comment.
| As of today, if a pod pulls an image from a private registry with valid credentials on to a node, the same can be leveraged by any another pod on the same node even without a valid image pull seceret/credentials. | |
| As of today, if a pod pulls an image from a private registry with valid credentials on to a node, the same can be | |
| leveraged by any another pod on the same node even without a valid image pull seceret/credentials. |
|
|
||
| ### Conclusion | ||
| As of today, if a pod pulls an image from a private registry with valid credentials on to a node, the same can be leveraged by any another pod on the same node even without a valid image pull seceret/credentials. | ||
| This newly introduced feature would help the cluster admin to have a better access control in terms of multi tenant scenarios by allowing the access of an image only incase of having a valid credentials even if the image is already present on the node. |
There was a problem hiding this comment.
| This newly introduced feature would help the cluster admin to have a better access control in terms of multi tenant scenarios by allowing the access of an image only incase of having a valid credentials even if the image is already present on the node. | |
| This newly introduced feature would help the cluster admin to have a better access control | |
| in terms of multi tenant scenarios by allowing the access of an image only incase of having | |
| a valid credentials even if the image is already present on the node. |
|
As @sftim mentioned, this content format is not looking like blog post publicity. WDYT? |
|
@sairameshv / @sftim : Please may I know the status of this blogpost? Are we considering pushing it forward to a later date? |
|
Hey @divya-mohan0209 , There is a new PR for the KEP proposing changes to this feature and that may require a new PR based on the latest behavior. /close |
|
@sairameshv: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Place holder PR for a blog on the Ensure secret pulled images feature
Reference: kubernetes/enhancements#2535
/cc @haircommander