Ensure secret pulled images

[adisky]

Enhancement Description

• One-line enhancement description (can be used as a release note): Ensure secure image access with IfNotPresent image pull policy
• Kubernetes Enhancement Proposal: ensure secret pulled images #1608
• Discussion Link: https://docs.google.com/document/d/1Ne57gvidMEWXR70OxxnRkYquAoMpt56o75oZtg-OeBg/edit#heading=h.4oysqary051o
  Kubelet should enforce access to images after they've already been pulled to a node kubernetes#18787
• Primary contact (assignee): @mikebrow
• Responsible SIGs: Node
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.24
  • Beta release target (x.y):
  • Stable release target (x.y):
• Alpha
  • KEP (k/enhancements) update PR(s): ensure secret pulled images #1608
  • Code (k/k) update PR(s): Ensure secret pulled images kubernetes#94899
  • Docs (k/website) update PR(s):

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

/sig node

[mikebrow]

Thx @adisky

[ehashman]

/stage stable
/milestone v1.22

Note: Since this is a bugfix Mike would like to target graduation directly to stable.

[JamesLaverack]

Hey @mikebrow, 1.22 Enhancements Lead here. 👋

Note: Since this is a bugfix Mike would like to target graduation directly to stable.

@ehashman That should be fine so long as SIG Node are happy with that. (cc @dchen1107 @derekwaynecarr)

I'm aware there's an open PR for your KEP open, but I'd just like to highlight a few things. By enhancements freeze (23:59:59 PST on Thursday 13th May) we require the following:

• Your KEP must be merged, including both a README.md and a kep.yaml these should be using the latest templates. For example the directory name should include the enhancement number (2535, in this case). This should be fully complete, including graduation criteria and a test plan.
• We require an approved production readiness review. Please see the PRR documentation for further details.

[JamesLaverack]

Hi @mikebrow, 1.22 Enhancements Lead here. 👋 With enhancements freeze now in effect we are removing this enhancement from the 1.22 release.

Feel free to file an exception to add this back to the release. If you plan to do so, please file this as early as possible.

Thanks!
/milestone clear

[mikebrow]

exception was filed last week.. no response yet. KEP updated to latest format and to resolve review questions (mainly added feature gate and switch to alpha vs going directly to GA. Code PR needs final reviews to go over the added feature gate.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[salaxander]

/remove-lifecycle stale
/milestone v1.23

[Priyankasaggu11929]

Hi @adisky! 1.23 Enhancements team here. Just checking in as we approach enhancements freeze on Thursday 09/09. Here's where this enhancement currently stands:

• KEP file using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable
• KEP has a test plan section filled out.
• KEP has up to date graduation criteria.
• KEP has a production readiness review that has been completed and merged into k/enhancements.

Looks like for this one, we would need the following:

• update issue description with the latest Enhancements target
• update the KEP file for the current milestone & get the PR ensure secret pulled images #1608 merged

---

Also, could we please add some more information in the Test Plan section? Currently, the section is pointing towards checking a PR, could we add some relevant links or more pointers or have the tests specified inline? Thank you.

### Test Plan

See PR (exhaustive unit tests added for alpha covering feature gate on and off for new and modified functions)

Thank you!

[adisky]

Hi @adisky! 1.23 Enhancements team here. Just checking in as we approach enhancements freeze on Thursday 09/09. Here's where this enhancement currently stands:

• KEP file using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable
• KEP has a test plan section filled out.
• KEP has up to date graduation criteria.
• KEP has a production readiness review that has been completed and merged into k/enhancements.

Looks like for this one, we would need the following:

• update issue description with the latest Enhancements target
• update the KEP file for the current milestone & get the PR ensure secret pulled images #1608 merged

Also, could we please add some more information in the Test Plan section? Currently, the section is pointing towards checking a PR, could we add some relevant links or more pointers or have the tests specified inline? Thank you.

### Test Plan

See PR (exhaustive unit tests added for alpha covering feature gate on and off for new and modified functions)

Thank you!

cc @mikebrow

[mikebrow]

@adisky @Priyankasaggu11929 I updated the KEP adding a description for the test plan and links.. and updated the KEP's alpha target from 1.22 to 1.23.

[Priyankasaggu11929]

Thank you so much for adding the changes, @mikebrow.

Just to confirm once:

• As you mentioned above, this enhancement is targeting at stage: alpha, so is it right to change the stage: stable to stage: alpha on this issue?
• I see the changes in the "Test Plan" section are updated.
• But the commit changes for updating the KEP's alpha target & the latest-milestone didn't come through.

Could you please confirm this part. Thanks once again. :)

[mikebrow]

* As you mentioned above, this enhancement is targeting at `stage: alpha`, so is it right to change the `stage: stable` to `stage: alpha` on this issue?

Yes, it is right to change the stage to alpha.

* But the [commit changes for updating the KEP's alpha target & the latest-milestone](https://github.com/kubernetes/enhancements/pull/1608/files#diff-b0309577eac7d6f66d23c210698d6f71cfa45c5af46b20d27e2d5c867fcf6de1R20-R25) didn't come through.

Forgot to hit the save button on those changes :-) Fixed now. Cheers, Mike

[Priyankasaggu11929]

Thanks for the changes @mikebrow :)

[Priyankasaggu11929]

Hello @mikebrow, just checking in as we approach 1.23 enhancements freeze tonight (09/09/2021, 23:59 PDT). Looks like the PR #1608 has got both lgtm, & approve label. But there's an hold on the merge.

Is it intended or can be removed to go ahead.? As with the PR merged, this enhancements will be ready for the 1.23 enhancements freeze tonight.

Thank you!

[Priyankasaggu11929]

Just an update, the don-not-merge/hold label was removed manually since all the requirements were met.

The KEP is now tracked for the kubernetes 1.23 release. Thank you so much @mikebrow.

[k8s-ci-robot]

@mikebrow: Reopened this issue.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[pacoxu]

/remove-lifecycle rotten

[marosset]

/milestone v1.26
/label lead-opted-in
(I'm doing this on behalf of @ruiwen-zhao / SIG-node)

[rhockenbury]

Hello @mikebrow 👋, 1.26 Enhancements team here.

Just checking in as we approach enhancements freeze on 18:00 PDT on Thursday 6th October 2022.

This enhancement is targeting for stage alpha for 1.26 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: 1.26
• KEP readme has a updated detailed test plan section filled out
• KEP readme has up to date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements.

For this KEP, we would just need to update the following:

• Update the test plan section to match the latest template
• Merge up PR #2535:ensure secret pulled images - move kep targets; add persist #3532

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[rhockenbury]

/label tracked/yes
/remove-label tracked/no

[derekwaynecarr]

/remove-label lead-opted-in

design consensus is not yet reached on this feature, and code implementation will not be worked on in 1.26.

[rhockenbury]

/label tracked/no
/remove-label tracked/yes
/milestone clear

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[pacoxu]

/remove-lifecycle stale
I will take a deep look into the KEP and get an update this week or next based on the discussion in #3532.

[pacoxu]

/assign

[sftim]

@adisky - the issue description should link to https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/2535-ensure-secret-pulled-images/README.md - have you got the time to make that update?

At the moment the link is to PR #1608 which is close but not quite right.

[SergeyKanzhelev]

@pacoxu do you plan to work on this for 1.28?

[pacoxu]

@pacoxu do you plan to work on this for 1.28?

Yes. The top priority for me in sig-node tasks. 😄

[pacoxu]

I updated kubernetes/kubernetes#114847 PR to implement the KEP.

• I would like to add some e2e test for this feature in this release or next.