Commit b14b2ee

kep-2535: not persist on disk and add PullImageSecretRecheckDuration flag to define different behaviors
1 parent 5031ced commit b14b2ee


2 files changed

+22
-32
lines changed


keps/sig-node/2535-ensure-secret-pulled-images/README.md

Lines changed: 17 additions & 26 deletions
@@ -15,6 +15,9 @@
1515
- [Notes/Constraints/Caveats (Optional)](#notesconstraintscaveats-optional)
1616
- [Risks and Mitigations](#risks-and-mitigations)
1717
- [Design Details](#design-details)
18+
- [Test Plan](#test-plan)
19+
- [Prerequisite testing updates](#prerequisite-testing-updates)
20+
- [Unit tests](#unit-tests)
1821
- [Integration tests](#integration-tests)
1922
- [e2e tests](#e2e-tests)
2023
- [Graduation Criteria](#graduation-criteria)
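Review bot: the three new TOC entries (Test Plan, Prerequisite testing updates, Unit tests) point at the anchors `#test-plan`, `#prerequisite-testing-updates` and `#unit-tests`, but this diff only shows a `### Test Plan` heading in the body; confirm that the other two headings exist with exactly those titles (or add them in the Test Plan section) so the anchors resolve, and keep their nesting under Test Plan consistent with the existing `Integration tests` / `e2e tests` entries that follow them.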
@@ -143,7 +146,6 @@ For beta an API will be considered to manage the ensure metadata.
143146
`kubelet` will ensure any image in the list is always pulled if an authentication
144147
used is not present, thus enforcing authentication / re-authentication.
145148

146-
147149
### User Stories
148150

149151
#### Story 1
@@ -173,42 +175,33 @@ Since images can be pre-loaded, loaded outside the `kubelet` process, and
173175
garbage collected.. the list of images that required authentication in `kubelet`
174176
will not be a source of truth for how all images were pulled that are in the
175177
container runtime cache. To mitigate, images can be garbage collected at boot.
176-
And we will persist ensure metadata across reboot of host, and restart
178+
And for alpha, we will not persist ensure metadata across reboot of host, and restart
177179
of kubelet, and possibly look at a way to add ensure metadata for images loaded
178180
outside of kubelet. In beta we will add a switch to enable re-auth on boot for
179181
admins seeking that instead of having to garbage collect where they do not use
180182
or expect preloaded images since boot.
181183

182-
183184
## Design Details
184185

185-
Kubelet will track, in memory, a hash map for the credentials that were successfully used to pull an image. It has been decided that the hash map will be persisted to disk, in alpha.
186+
Kubelet will track, in memory, a hash map for the credentials that were successfully used to pull an image. The hash map
187+
will not be persisted to disk, in alpha. For alpha explicitly, we will not reuse or add other state manager concepts to kubelet.
186188

187-
The persisted "cache" will undergo cleanup operations on a timely basis (by default once an hour).
189+
See PR linked above for detailed design / behavior documentation.
188190

189-
The persistence of the on storage cache is mainly for restarting kubelet and/or node reboot.
191+
Kubelet will add a new flag, named `PullImageSecretRecheckDuration` to make
192+
the expired duration configurable. The default value could be 1d. For a pod with
193+
IfNotPresent image pull policy and an image pull secret, kubelet will recheck
194+
the secret after `PullImageSecretRecheckDuration`.
190195

191-
The max size of the cache will scale with the number of unique cache entries * the number of unique images that have not been garbage collected. It is not expected that this will be a significant number of bytes. Will be verified by actual use in Alpha and subsequent metrics in Beta.
196+
To make the cluster in most secure situation, set `PullImageSecretRecheckDuration` to 0,
197+
which means always recheck.
192198

193-
See `/var/lib/kubelet/image_manager_state` in [kubernetes/kubernetes#114847](https://github.com/kubernetes/kubernetes/pull/114847)
199+
If user doesn't want to do recheck, set `PullImageSecretRecheckDuration` to -1 to disable recheck.
194200

195-
> ```
196-
> {
197-
> "images": {
198-
> "sha256:eb6cbbefef909d52f4b2b29f8972bbb6d86fc9dba6528e65aad4f119ce469f7a": {
199-
> "authHash": { ** per review comment use SHA256 here vs hash **
200-
> "115b8808c3e7f073": {
201-
> "ensured": true,
202-
> "dueDate": "2023-05-30T05:26:53.76740982+08:00"
203-
> }
204-
> },
205-
> "name": "daocloud.io/daocloud/dce-registry-tool:3.0.8"
206-
> }
207-
> }
208-
> }
209-
> ```
201+
For kubelet restart, recheck is acceptable, because kubelet only restart when upgrade or in maintennance modes in most cases.
210202

211-
See PR linked above for detailed design / behavior documentation.
203+
- upgrade: user needs to drain the node according to the best practice, and re-check is acceptable. (Honestly, many users don't)
204+
- other scanerios(like changing a configuration or some restart scripts for memory leak): still some maintenance modes.
212205

213206
### Test Plan
214207

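Review bot: the new sentence "See PR linked above for detailed design / behavior documentation." (new line 189) now has nothing to point at, because the only PR link in this section, `[kubernetes/kubernetes#114847](https://github.com/kubernetes/kubernetes/pull/114847)`, is deleted further down in the same hunk; either keep the link or drop the sentence. The new knob also needs tightening before the KEP is implementable: "The default value could be 1d" should state the actual default, and `1d` is not a value Go's `time.ParseDuration` accepts (use `24h`), so give the default in the unit the kubelet will parse; say whether `PullImageSecretRecheckDuration` is a `KubeletConfiguration` field or a command-line flag, since most kubelet flags are deprecated in favour of the configuration file; and spell out the security consequence of `-1`, which is that an image pulled once with a valid secret is then served to every later `IfNotPresent` pod on the node indefinitely, exactly the exposure this KEP exists to close, so it should be documented as an opt-out with that caveat rather than as a neutral setting. With on-disk persistence gone, the deleted "cleanup ... once an hour" and cache-size paragraphs leave the in-memory map with no stated eviction or bound; state when entries are removed (on image garbage collection, at recheck expiry) so the map cannot grow with every image/credential pair the node has ever seen. Minor: "maintennance" and "scanerios" are misspelled, and "To make the cluster in most secure situation" should read "For the most secure configuration".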
@@ -249,8 +242,6 @@ For alpha, exhaustive Kubelet unit tests will be provided. Functions affected by
249242
```
250243
[TestShouldPullImage link](https://github.com/kubernetes/kubernetes/pull/94899/files#diff-7297f08c72da9bf6479e80c03b45e24ea92ccb11c0031549e51b51f88a91f813R311-R438)
251244

252-
PersistHashMeta() ** will be persisting SHA256 entries vs hash **
253-
254245
Additionally, for Alpha we will update this readme with an enumeration of the core packages being touched by the PR to implement this enhancement and provide the current unit coverage for those in the form of:
255246
- <package>: <date> - <current test coverage>
256247
The data will be read from:
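Review bot: dropping `PersistHashMeta()` from the functions-under-test list is consistent with removing on-disk persistence, but nothing replaces it for the behaviour this commit introduces; list the kubelet unit tests that cover `PullImageSecretRecheckDuration` (an entry expires and the secret is rechecked after the duration, `0` always rechecks, `-1` never rechecks, and a kubelet restart starts from an empty map) next to the `TestShouldPullImage` link so the alpha test plan still matches the design section.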

keps/sig-node/2535-ensure-secret-pulled-images/kep.yaml

Lines changed: 5 additions & 6 deletions
@@ -2,9 +2,8 @@ title: Ensure Secret Pulled Images
22
kep-number: 2535
33
authors:
44
- "@mikebrow"
5+
- "@pacoxu"
56
owning-sig: sig-node
6-
participating-sigs:
7-
- sig-node
87
status: implementable
98
creation-date: 2021-03-10
109
reviewers:
@@ -16,11 +15,11 @@ approvers:
1615
- "@dchen1107"
1716
- "@derekwaynecarr"
1817
stage: alpha
19-
latest-milestone: "v1.29"
18+
latest-milestone: "v1.30"
2019
milestone:
21-
alpha: "v1.29"
22-
beta: "v1.30"
23-
stable: "v1.32"
20+
alpha: "v1.30"
21+
beta: "v1.31"
22+
stable: "v1.33"
2423
feature-gates:
2524
- name: KubeletEnsureSecretPulledImages
2625
components:
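Review bot: the milestones all move by one release (alpha v1.30, beta v1.31, stable v1.33) and `stage: alpha` with `latest-milestone: "v1.30"` stay consistent with each other, which is right; but the README in this same commit defers both the persistence of ensure metadata and the re-auth-on-boot switch to beta, so check that a single release between alpha and beta is realistic for that scope, and remember to bump the alpha line again if the implementation PR misses v1.30.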
