keps/sig-node/2535-ensure-secret-pulled-images/README.md
9 additions & 12 deletions
@@ -63,24 +63,21 @@ Items marked with (R) are required *prior to targeting to a milestone / release*
63
63
64
64
## Summary
65
65
66
-
We will add support in the kubelet for an admin to enable the ability to ensure an image that is already present on a node because
67
-
a pod with `ImagePullSecrets` previously pulled it is reauthenticated when a new pod with different `ImagePullSecrets` attempts to use the same image,
68
-
when the `ImagePullPolicy` is `IfNotPresent`.
66
+
Give the admin the ability to ensure pods that use an image are authorized to access that image. This will culminate in changes to the `IfNotPresent` and
67
+
`Never` pull policies, as the `Always` policy will go through an authentication check each time.
69
68
70
-
In other words: ensure the pull secrets are rechecked for each new set of credentials, and ensure a pod has access to those images.
71
-
72
-
For the `Never` policy, the behavior also must change. Otherwise, a user who wishes to use the image of another pod could just use `Never` and hope
73
-
another pod have pulled it. Functionally from a security standpoint, we must account for this.
74
-
Thus, `Never``ImagePullPolicy` images will be allowed past the ensure image stage of the pod lifecyle if the image has previously been pulled
75
-
by an `IfNotPresent` pod successfully: either with no auth, or with the same auth as the `Never` policy. The image will continue to never be pulled
76
-
for this pod.
69
+
When this feature is enabled, and an image in a pod request has not been successfully pulled with the given credentials
70
+
(or successfully pulled in the past with no credentials), then the kubelet will consider the credentials unauthenticated.
71
+
Thus even if the image is present, it may still be reauthenticated.
72
+
- For `IfNotPresent` images, the kubelet will re-pull the image
73
+
- For `Never` images, the image creation will fail
77
74
78
75
This will be enforced for both policies regardless of whether the image is already present when the kubelet starts. For an image to be allowed to be used,
79
76
the kubelet must be aware of its credentials.
80
77
81
-
This policy change will have no affect on the `Always``ImagePullPolicy`.
78
+
This behavior mirrors what would happen if an image was not present on the node (as opposed to present, but yet to be authorized with the credentials present).
82
79
83
-
This new feature will be enabled with a feature gate in alpha, as well as a kubelet configuration
80
+
This new feature will be enabled with a feature gate, as well as a kubelet configuration
84
81
field `pullImageSecretRecheck`. Another kubelet configuration field `pullImageSecretRecheckPeriod` will be added
85
82
to allow an admin to configure the recheck period. A recheck period may be used to periodically clean the cache, or ensure
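Review bot: the parenthetical in the new summary paragraph inverts the intended condition. "has not been successfully pulled with the given credentials (or successfully pulled in the past with no credentials)" reads as treating a prior anonymous pull as unauthenticated, while the deleted `Never` paragraph and the retained context ("the kubelet must be aware of its credentials") treat an anonymous pull as authorizing any pod. Suggest "(and was not successfully pulled in the past with no credentials)" so the two cases are both exceptions, not both failures. In the same block, "For `Never` images, the image creation will fail" should say container (or pod) creation, since the kubelet rejects the container rather than creating an image. The deleted line "This policy change will have no affect on the `Always``ImagePullPolicy`." is only implied by the new first paragraph; keeping an explicit sentence (with "affect" corrected to "effect") would make the scope of the change clearer to readers of the summary.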