Ensure secret pulled images

[adisky]

Enhancement Description

• One-line enhancement description (can be used as a release note): Ensure secure image access with IfNotPresent image pull policy
• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2535-ensure-secret-pulled-images
• Discussion Link: https://docs.google.com/document/d/1Ne57gvidMEWXR70OxxnRkYquAoMpt56o75oZtg-OeBg/edit#heading=h.4oysqary051o
  Kubelet should enforce access to images after they've already been pulled to a node kubernetes#18787
• Primary contact (assignee): @mikebrow @haircommander @pacoxu @stlaz
• Responsible SIGs: Node
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.33
  • Beta release target (x.y):
  • Stable release target (x.y):
• Alpha
  • KEP (k/enhancements) update PR(s):
    • v1.29 #2535:ensure secret pulled images - move kep targets; add persist #3532. (ensure secret pulled images #1608 merged)
    • v1.30 kep-2535: not persist on disk and add PullImageSecretRecheckDuration flag to define different behaviors #4431 (update based on sig-node meeting discussion and PR comments)
    • v1.31 KEP-2535: retarget alpha in 1.31 and update to readd the disk check  #4693
    • v1.32 KEP-2535: update the KEP with on-by-default strategy #4789
    • v1.33 KEP-2535: bump ensure secret images alpha/latest-milestone to 1.33 #5026
  • Code (k/k) update PR(s):
    • Multi-tenancy in accessing node images via Pod API kubernetes#128152
    • first try Ensure secret pulled images kubernetes#94899
    • kubelet: ensure secret pulled image kubernetes#114847
    • Implement KEP-2535 - Ensure secret pulled images feature kubernetes#125817
  • Docs (k/website) update PR(s):
    • KEP 2535: Ensure Secret Pulled Images website#49886
    • KEP-2535 (Ensure secret pulled secrets) docs placeholder website#48491
    • [WIP] Document KubeletEnsureSecretPulledImages feature website#43454
    • blog: ensure secret pulled images website#45293
    • Blog on "Ensure secret pulled images" feature website#47053

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

/sig node

[mikebrow]

Thx @adisky

[ehashman]

/stage stable
/milestone v1.22

Note: Since this is a bugfix Mike would like to target graduation directly to stable.

[JamesLaverack]

Hey @mikebrow, 1.22 Enhancements Lead here. 👋

Note: Since this is a bugfix Mike would like to target graduation directly to stable.

@ehashman That should be fine so long as SIG Node are happy with that. (cc @dchen1107 @derekwaynecarr)

I'm aware there's an open PR for your KEP open, but I'd just like to highlight a few things. By enhancements freeze (23:59:59 PST on Thursday 13th May) we require the following:

• Your KEP must be merged, including both a README.md and a kep.yaml these should be using the latest templates. For example the directory name should include the enhancement number (2535, in this case). This should be fully complete, including graduation criteria and a test plan.
• We require an approved production readiness review. Please see the PRR documentation for further details.

[JamesLaverack]

Hi @mikebrow, 1.22 Enhancements Lead here. 👋 With enhancements freeze now in effect we are removing this enhancement from the 1.22 release.

Feel free to file an exception to add this back to the release. If you plan to do so, please file this as early as possible.

Thanks!
/milestone clear

[mikebrow]

exception was filed last week.. no response yet. KEP updated to latest format and to resolve review questions (mainly added feature gate and switch to alpha vs going directly to GA. Code PR needs final reviews to go over the added feature gate.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[salaxander]

/remove-lifecycle stale
/milestone v1.23

[Priyankasaggu11929]

Hi @adisky! 1.23 Enhancements team here. Just checking in as we approach enhancements freeze on Thursday 09/09. Here's where this enhancement currently stands:

• KEP file using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable
• KEP has a test plan section filled out.
• KEP has up to date graduation criteria.
• KEP has a production readiness review that has been completed and merged into k/enhancements.

Looks like for this one, we would need the following:

• update issue description with the latest Enhancements target
• update the KEP file for the current milestone & get the PR ensure secret pulled images #1608 merged

---

Also, could we please add some more information in the Test Plan section? Currently, the section is pointing towards checking a PR, could we add some relevant links or more pointers or have the tests specified inline? Thank you.

### Test Plan

See PR (exhaustive unit tests added for alpha covering feature gate on and off for new and modified functions)

Thank you!

[adisky]

Hi @adisky! 1.23 Enhancements team here. Just checking in as we approach enhancements freeze on Thursday 09/09. Here's where this enhancement currently stands:

• KEP file using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable
• KEP has a test plan section filled out.
• KEP has up to date graduation criteria.
• KEP has a production readiness review that has been completed and merged into k/enhancements.

Looks like for this one, we would need the following:

• update issue description with the latest Enhancements target
• update the KEP file for the current milestone & get the PR ensure secret pulled images #1608 merged

Also, could we please add some more information in the Test Plan section? Currently, the section is pointing towards checking a PR, could we add some relevant links or more pointers or have the tests specified inline? Thank you.

### Test Plan

See PR (exhaustive unit tests added for alpha covering feature gate on and off for new and modified functions)

Thank you!

cc @mikebrow

[mikebrow]

@adisky @Priyankasaggu11929 I updated the KEP adding a description for the test plan and links.. and updated the KEP's alpha target from 1.22 to 1.23.

[Priyankasaggu11929]

Thank you so much for adding the changes, @mikebrow.

Just to confirm once:

• As you mentioned above, this enhancement is targeting at stage: alpha, so is it right to change the stage: stable to stage: alpha on this issue?
• I see the changes in the "Test Plan" section are updated.
• But the commit changes for updating the KEP's alpha target & the latest-milestone didn't come through.

Could you please confirm this part. Thanks once again. :)

[mikebrow]

* As you mentioned above, this enhancement is targeting at `stage: alpha`, so is it right to change the `stage: stable` to `stage: alpha` on this issue?

Yes, it is right to change the stage to alpha.

* But the [commit changes for updating the KEP's alpha target & the latest-milestone](https://github.com/kubernetes/enhancements/pull/1608/files#diff-b0309577eac7d6f66d23c210698d6f71cfa45c5af46b20d27e2d5c867fcf6de1R20-R25) didn't come through.

Forgot to hit the save button on those changes :-) Fixed now. Cheers, Mike

[Priyankasaggu11929]

Thanks for the changes @mikebrow :)

[Priyankasaggu11929]

Hello @mikebrow, just checking in as we approach 1.23 enhancements freeze tonight (09/09/2021, 23:59 PDT). Looks like the PR #1608 has got both lgtm, & approve label. But there's an hold on the merge.

Is it intended or can be removed to go ahead.? As with the PR merged, this enhancements will be ready for the 1.23 enhancements freeze tonight.

Thank you!

[Priyankasaggu11929]

Just an update, the don-not-merge/hold label was removed manually since all the requirements were met.

The KEP is now tracked for the kubernetes 1.23 release. Thank you so much @mikebrow.

[liggitt]

/label lead-opted-in
/milestone v1.33
Targeting merge as alpha in 1.33

[bianbbc87]

Hello @haircommander @mikebrow @pacoxu 👋, v1.33 Enhancements team here.

Just checking in as we approach enhancements freeze on 02:00 UTC Friday 14th February 2025 / 19:00 PDT Thursday 13th February 2025.

This enhancement is targeting stage alpha for v1.33 (correct me, if otherwise)

Here’s where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: v1.33. KEPs targeting stable will need to be marked as implemented after code PRs are merged and the feature gates are removed.
• KEP readme has up-to-date graduation criteria.
• KEP has submitted a production readiness review request for approval and has a reviewer assigned.
• KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here).

With all the KEP requirements in place and merged into k/enhancements, this enhancement is all good for the upcoming enhancements freeze. 🚀

The status of this enhancement is marked as Tracked for enhancements freeze. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[pacoxu]

• KEP status is marked as implementable for latest-milestone: v1.33.

@stlaz updated the KEP status in #5026.

[rayandas]

Hello @haircommander @mikebrow @pacoxu 👋, v1.33 Docs Lead here.

Does this enhancement work planned for v1.33 require any new docs or modification to existing docs?

If so, please follow the steps here to open a PR against dev-1.33 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday 27th February 2025 18:00 PDT.

Also, take a look at Documenting for a release to get yourself familiarize with the docs requirement for the release.

Thank you!

[dshebib]

@rayandas Doc Draft PR: kubernetes/website#49886

[rayandas]

Thanks @dshebib

[Udi-Hofesh]

Hey @mikebrow, @haircommander, @pacoxu, and @stlaz 👋 -- this is Udi (@Udi-Hofesh) from the 1.33 Communications Team!

For the 1.33 release, we are currently in the process of collecting and curating a list of potential feature blogs, and we'd love for you to consider writing one for your enhancement!

As you may be aware, feature blogs are a great way to communicate to users about features that fall into (but are not limited to) the following categories:

• This introduces some breaking change(s)
• This has significant impacts and/or implications to users
• ...Or this is a long-awaited feature, which would go a long way to cover the journey more in detail 🎉

To opt in to write a feature blog, could you please let us know and open a "Feature Blog placeholder PR" (which can be only a skeleton at first) against the website repository by Wednesday, 5th March, 2025? For more information about writing a blog, please find the blog contribution guidelines 📚

Tip

Some timelines to keep in mind:

• 02:00 UTC Wednesday, 5th March, 2025: Feature blog PR freeze
• Monday, 7th April, 2025: Feature blogs ready for review
• You can find more in the release document

Note

In your placeholder PR, use XX characters for the blog date in the front matter and file name. We will work with you on updating the PR with the publication date once we have a final number of feature blogs for this release.

[bianbbc87]

Hey again @adisky 👋, v1.33 Enhancements team here,

Just checking in as we approach code freeze at 02:00 UTC Friday 21st March 2025 / 19:00 PDT Thursday 20th March 2025.

Here's where this enhancement currently stands:

• All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
• All PRs are ready to be merged (they have approved and lgtm labels applied) by the code freeze deadline. This includes tests.

For this enhancement, it looks like the following PRs need to be merged before code freeze (and we need to update the Issue description to include all the related PRs of this KEP):

• Multi-tenancy in accessing node images via Pod API kubernetes#128152

If you anticipate missing code freeze, you can file an exception request in advance.

Also, please let me know if there are other PRs in k/k we should be tracking for this KEP.

The status of this enhancement is marked as At risk for code freeze.

As always, we are here to help if any questions come up. Thanks!

[Udi-Hofesh]

Hi @mikebrow, @haircommander, @pacoxu, and @stlaz 👋, 1.33 Communications Team here again!

This is a gentle reminder for the feature blog deadline mentioned above, which is 02:00 UTC Wednesday, 5th March, 2025. This is in just several hours! To opt in, please let us know and open a Feature Blog placeholder PR against k/website by the deadline. If you have any questions, please feel free to reach out to us!

Tip

Some timeline to keep in mind:

• 02:00 UTC Wednesday, 5th March, 2025: Feature blog PR freeze
• Monday, 7th April, 2025: Feature blogs ready for review
• You can find more in the release document

Note

In your placeholder PR, use XX characters for the blog date in the front matter and file name. We will work with you on updating the PR with the publication date once we have a final number of feature blogs for this release.

[bianbbc87]

Hello @adisky 👋, v1.33 Enhancements team here.

With all the implementation (code-related) PRs merged per the issue description:

• Multi-tenancy in accessing node images via Pod API kubernetes#128152

This enhancement is now marked as Tracked for code freeze for the v1.33 Code Freeze!

Additionally, please let me know if there are any other PRs in k/k that we should track for this KEP, so that we can maintain accurate status.

Please note that KEPs targeting stable need to have the status field marked as implemented in the kep.yaml file after code PRs are merged and the feature gates are removed.