set the feature at the kubelet scope

mikebrow · mikebrow · commit 037b9e227317 · 2021-09-07T17:06:42.000-05:00
Signed-off-by: Mike Brown &lt;brownwm@us.ibm.com&gt;
diff --git a/keps/sig-node/20200310-ensure-secret-pulled-images.md b/keps/sig-node/20200310-ensure-secret-pulled-images.md
@@ -12,7 +12,7 @@ approvers:
   - "@dchen1107"
 editor: N/A
 creation-date: 2020-03-10
-last-updated: 2020-03-10
+last-updated: 2020-08-25
 status: provisional|implementable|implemented|deferred|rejected|withdrawn|replaced
 see-also:
   - N/A
@@ -60,19 +60,23 @@ superseded-by:
 
 ## Summary
 
-We will add support for ensuring images pulled with pod imagePullSecrets are
-always authenticated even if cached. We will add a new boolean field
-`ensureSecretPulledImages` to the pod spec. The default to false
-means that if a first pod results in an image pulled with imagePullSecrets a
-second pod would have to be using always pull to ensure rights to use the
-previously pulled image. When set to true always pull would not be required,
-instead kublet will check if the image was pulled with an image pull secret and
-if so would force a pull of the image to ensure the image pulled with the
-secret is not used by another pod unless that pod also has the proper auth.
+We will add support in kubelet for ensuring images pulled with pod
+imagePullSecrets are always authenticated even if cached. This new feature will
+be enabled via a new kublet flag `ensureSecretPulledImages.` The flag will
+improve the security posture for privacy/security of image contents by forcing
+images pulled with an imagePullSecret of a first pod to be re-authenticated for
+a second pod even if the image is already present on the node. The default
+(false) setting means that if a first pod results in an image pulled with
+imagePullSecrets a second pod would have to be using always pull to ensure
+rights to use the previously pulled image. When set to true always pull would
+not be required, instead kubelet will check if the image was pulled with an
+image pull secret and if so would force a pull of the image to ensure the image
+pulled with the secret is not used by another pod unless that pod also has the
+proper auth.
 
 ## Motivation
 
-There have been customer requests for improving upon kubernetes ability to
+There have been customer requests for improving upon kubernetes' ability to
 secure images pulled with auth. on a node. Issue
 [#18787](https://github.com/kubernetes/kubernetes/issues/18787) has been around
 for a while.
@@ -91,25 +95,28 @@ authentication.)
 
 ### Goals
 
-Add a flag processed by `kubelet` for `ensureSecretPulledImages` (or something
-similarly named) that, if true, would force `kubelet` to attempt to pull every
+Add a `kubelet` flag for `ensureSecretPulledImages` (or something
+similarly named) as a security posture enhancement of the kubelet configuration
+that, if true, would force `kubelet` to attempt to pull every
 image that was pulled with image pulled secret based authentication, regardless
-of the container image's pull policy.
+of the container image pull policy.
 
 Optimize to only force re-authentication for a pod when the secret used to pull
-the container image is not present.
+the container image is not present. IOW if an image is pulled with
+authentication for a first pod subsequent pods that have the same authentication
+information should not need to re-authenticate.
 
 ### Non-Goals
 
 Out of scope for this KEP is an image caching policy that would direct container
 runtimes through the CRI wrt. how they should treat the caching of images on a
 node. Such as store for public use but only if encrypted. Or Store for private
-use unencrypted...
+use un-encrypted...
 
 ## Proposal
 
-When `ensureSecretPulledImages` is set, `kublet` will check keep a list of
-container images that required authentication. `kublet` will ensure any image
+When `ensureSecretPulledImages` is set, `kubelet` will keep a list of container
+images that required authentication. `kubelet` will ensure any image
 in the list is always pulled thus enforcing authentication / re-authentication
 with the exception of pods with secrets containing an auth that has been
 authenticated.
@@ -120,13 +127,14 @@ wip
 ### Risks and Mitigations
 
 With the default being false, devops engineers may not know to set the flag to
-true in new/old pod specs that are using secrets for pull authentication with
-registries.
+true.
 
-A mitigation would be an admission plugin to inject `ensureSecretPulledImages.`
+A mitigation would be a warning message or we could choose to make the default
+true.
 
-Images authentications with a registry may expire. To mitigate expirations a
-a timeout could be used to force re-authentication.
+Image authentications with a registry may expire. To mitigate expirations a
+a timeout could be used to force re-authentication. The timeout could be a
+container runtime feature or a `kubelet` feature.
 
 ## Design Details
 
@@ -160,9 +168,8 @@ Why should this KEP _not_ be implemented. N/A
 
 ## Alternatives [optional]
 
-Default the ensure secrets rule to true and don't introduce a new pod spec flag.
-Instead of a pod spec flag make the option a kublet configuration switch or
-set the flag at some other scope.
+- Make the option a `kubelet` configuration switch (This is the SIG-Node suggested option).
+- Set the flag at some other scope e.g. pod spec (doing it at the pod spec was rejected by SIG-Node).
 
 ## Infrastructure Needed [optional]
 
