Ensure secret pulled images

[adisky]

Enhancement Description

• One-line enhancement description (can be used as a release note): Ensure secure image access with IfNotPresent image pull policy
• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2535-ensure-secret-pulled-images
• Discussion Link: https://docs.google.com/document/d/1Ne57gvidMEWXR70OxxnRkYquAoMpt56o75oZtg-OeBg/edit#heading=h.4oysqary051o
  Kubelet should enforce access to images after they've already been pulled to a node kubernetes#18787
• Primary contact (assignee): @stlaz @mikebrow @haircommander @pacoxu
• Responsible SIGs: Node
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.33
  • Beta release target (x.y): 1.35
  • Stable release target (x.y):
• Alpha
  • KEP (k/enhancements) update PR(s):
    • v1.29 #2535:ensure secret pulled images - move kep targets; add persist #3532. (ensure secret pulled images #1608 merged)
    • v1.30 kep-2535: not persist on disk and add PullImageSecretRecheckDuration flag to define different behaviors #4431 (update based on sig-node meeting discussion and PR comments)
    • v1.31 KEP-2535: retarget alpha in 1.31 and update to readd the disk check  #4693
    • v1.32 KEP-2535: update the KEP with on-by-default strategy #4789
    • v1.33 KEP-2535: bump ensure secret images alpha/latest-milestone to 1.33 #5026
  • Code (k/k) update PR(s):
    • Multi-tenancy in accessing node images via Pod API kubernetes#128152
    • first try Ensure secret pulled images kubernetes#94899
    • kubelet: ensure secret pulled image kubernetes#114847
    • Implement KEP-2535 - Ensure secret pulled images feature kubernetes#125817
  • Docs (k/website) update PR(s):
    • KEP 2535: Ensure Secret Pulled Images website#49886
    • KEP-2535 (Ensure secret pulled secrets) docs placeholder website#48491
    • [WIP] Document KubeletEnsureSecretPulledImages feature website#43454
    • blog: ensure secret pulled images website#45293
    • Blog on "Ensure secret pulled images" feature website#47053
• Beta 1.35
  • KEP (k/enhancements) update PR(s):
    • 1.34 and PRR review: KEP-2535: (Ensure Secret Pulled Images): add metrics, bump to beta in 1.34 #5371
    • KEP-2535: update beta/latest milestones to 1.35 #5586
  • Code (k/k) update PR(s):
    • kubelet: add metrics for EnsureImageExists kubernetes#132644
    • KEP-2535: move objects to beta, add storage version migration to filesystem cache kubernetes#132579
    • Enable image pull credential verification with service account–based credential providers kubernetes#132771
    • kubelet: add metrics related to image pull records kubernetes#132812
    • In-memory caching for node image access multitenancy kubernetes#131882
    • Benchmarks for node image access multitenancy kubernetes#131864
  • Docs (k/website) update(s):

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

/sig node

[mikebrow]

Thx @adisky

[ehashman]

/stage stable
/milestone v1.22

Note: Since this is a bugfix Mike would like to target graduation directly to stable.

[JamesLaverack]

Hey @mikebrow, 1.22 Enhancements Lead here. 👋

Note: Since this is a bugfix Mike would like to target graduation directly to stable.

@ehashman That should be fine so long as SIG Node are happy with that. (cc @dchen1107 @derekwaynecarr)

I'm aware there's an open PR for your KEP open, but I'd just like to highlight a few things. By enhancements freeze (23:59:59 PST on Thursday 13th May) we require the following:

• Your KEP must be merged, including both a README.md and a kep.yaml these should be using the latest templates. For example the directory name should include the enhancement number (2535, in this case). This should be fully complete, including graduation criteria and a test plan.
• We require an approved production readiness review. Please see the PRR documentation for further details.

[JamesLaverack]

Hi @mikebrow, 1.22 Enhancements Lead here. 👋 With enhancements freeze now in effect we are removing this enhancement from the 1.22 release.

Feel free to file an exception to add this back to the release. If you plan to do so, please file this as early as possible.

Thanks!
/milestone clear

[mikebrow]

exception was filed last week.. no response yet. KEP updated to latest format and to resolve review questions (mainly added feature gate and switch to alpha vs going directly to GA. Code PR needs final reviews to go over the added feature gate.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale