
proposal: transmit more information to remote snapshotter #8865

Open
sctb512 opened this issue Jul 25, 2023 · 4 comments

Comments

@sctb512
Member

sctb512 commented Jul 25, 2023

What is the problem you're trying to solve

We tried to find the best way for the remote snapshotter to get auth, but ultimately think it should get auth when it needs it, rather than having it stored in memory or elsewhere.

Since k8s 1.8, the node authorizer has been proposed, which has the ability to Get secrets used by pods scheduled on that node. So the remote snapshotter can use the kubeconfig used by kubelet to get the imagePullSecret when it needs it. When we do this, all we need is pod.Namespace and pod.Spec.imagePullSecret.Name.

Related to issue Change List to Get when sync imagePullSecret from API server

Describe the solution you'd like

So I wonder if containerd can pass more information to the remote snapshotter, for instance pod.Namespace and pod.Spec.imagePullSecret.Name?

Additional context

No response

@Jenkins-J
Contributor

Is it possible to pass pod.Namespace and pod.Spec.imagePullSecret.Name to the snapshotter using user-defined labels, like in the Remote Snapshotter documentation, for this case?

@sctb512
Member Author

sctb512 commented Aug 3, 2023

Is it possible to pass pod.Namespace and pod.Spec.imagePullSecret.Name to the snapshotter using user-defined labels, like in the Remote Snapshotter documentation, for this case?

Yes, I believe it's simple to implement this feature. I'm wondering if we can add this to containerd so that it automatically adds these labels before calling the remote snapshotter interface.
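As an added illustration of the label-based approach discussed above (not code from containerd or from this issue), the sketch below shows what a remote snapshotter would do on its side: read the two proposed labels off the snapshot's label map, refuse to proceed when they are absent, and then pick one registry's credential out of the fetched imagePullSecret's dockerconfigjson payload. The label keys, the sample secret payload and the registry host are all assumptions; the actual Get against the API server with the kubelet's node-scoped credentials is left out.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Hypothetical label keys (assumed, not existing containerd labels) the proposal would add.
const (
	labelPodNamespace = "containerd.io/snapshot/cri.pod-namespace"
	labelPullSecret   = "containerd.io/snapshot/cri.image-pull-secret"
)

// Constructed sample of a kubernetes.io/dockerconfigjson secret payload
// (".dockerconfigjson" key); auth is base64("alice:s3cret").
var sampleDockerConfigJSON = []byte(
	`{"auths":{"registry.example.com":{"auth":"YWxpY2U6czNjcmV0"}}}`)

// secretRefFromLabels returns the namespace and imagePullSecret name that the
// snapshotter would Get with the node-scoped kubelet credentials. Missing
// labels are an error: there is no fallback to listing secrets cluster-wide.
func secretRefFromLabels(labels map[string]string) (ns, name string, err error) {
	ns, name = labels[labelPodNamespace], labels[labelPullSecret]
	if ns == "" || name == "" {
		return "", "", errors.New("snapshot labels lack pod namespace or pull secret name")
	}
	return ns, name, nil
}

// credentialForHost picks the username/password for one registry host out of
// the fetched secret's dockerconfigjson payload.
func credentialForHost(dockerConfigJSON []byte, host string) (user, pass string, err error) {
	var cfg struct {
		Auths map[string]struct{ Auth string `json:"auth"` } `json:"auths"`
	}
	if err := json.Unmarshal(dockerConfigJSON, &cfg); err != nil {
		return "", "", err
	}
	raw, err := base64.StdEncoding.DecodeString(cfg.Auths[host].Auth)
	if err != nil {
		return "", "", err
	}
	user, pass, ok := strings.Cut(string(raw), ":")
	if !ok {
		return "", "", errors.New("no usable auth entry for " + host)
	}
	return user, pass, nil
}
```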

@Jenkins-J
Contributor

I've looked into this a little more. I do not think that containerd has access to the name of the image pull secret. As far as I know, it seems that kubelet first uses the image pull secret name to access the credentials, then passes down the credentials (not the image pull secret name) to containerd through the PullImageRequest when calling the CRI API (Please correct me if I'm wrong here). I'm not sure if this changes the approach.

@sctb512
Member Author

sctb512 commented Aug 30, 2023

I've looked into this a little more. I do not think that containerd has access to the name of the image pull secret. As far as I know, it seems that kubelet first uses the image pull secret name to access the credentials, then passes down the credentials (not the image pull secret name) to containerd through the PullImageRequest when calling the CRI API (Please correct me if I'm wrong here). I'm not sure if this changes the approach.

Yes, I have tried to implement this feature but encountered the same problem as you mentioned.

More consideration is needed about how the remote snapshotter updates/restores credentials.
In theory, only image-related information should be sent to the remote snapshotter. Without a remote snapshotter, containerd will return an error and the kubelet will retry with the new credential if it has expired. However, with a remote snapshotter, the container has already been started and cannot return an error to kubelet at that point.
