-
Notifications
You must be signed in to change notification settings - Fork 14.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Blog on "Ensure secret pulled images" feature #47053
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
✅ Pull request preview available for checkingBuilt without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site configuration. |
Hello, I'm Rashan from the 1.31 Release comms team. I'm reaching out with a reminder that the blog ready for review deadline is July 26, 2024. Please let me know how we can help! |
gate Signed-off-by: Sai Ramesh Vanka <[email protected]>
a3c4edf
to
079672c
Compare
Hey @rashansmith , Could you review the contents of this blog post and give some suggestions on it? |
will do! |
/hold OK to unhold once Kubernetes v1.31 has been released. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks like a task rather than post-release publicity.
Have a look at some of the other blog articles that we've gone out; I think you'll see they tend to take a different angle.
You can also link to the documentation about KubeletEnsureSecretPulledImages.
@@ -0,0 +1,82 @@ | |||
--- | |||
layout: blog | |||
title: "Kubernetes: 1.31 KubeletEnsureSecretPulledImages feature gate" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
title: "Kubernetes: 1.31 KubeletEnsureSecretPulledImages feature gate" | |
title: "Kubernetes 1.31: Additional Security Measures For Container Image Pulls" |
BTW @rashansmith the blog reviewers would typically review, but it's great if you're willing to help line up a reviewer. This is open source so you are of course welcome to do your own reviewing. |
# Scenario: Enable KubeletEnsureSecretPulledImages FeatureGate | ||
|
||
## Objective | ||
Enable a new feature gate `KubeletEnsureSecretPulledImages` and create two pods that pull same image from a private registry (for ex: `quay.io`) with one pod configured with valid image pull credentials and another having invalid image pull credentials. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Enable a new feature gate `KubeletEnsureSecretPulledImages` and create two pods that pull same image from a private registry (for ex: `quay.io`) with one pod configured with valid image pull credentials and another having invalid image pull credentials. | |
Enable a new feature gate `KubeletEnsureSecretPulledImages` and create two pods that pull same | |
image from a private registry (for ex: `quay.io`) with one pod configured with valid image | |
pull credentials and another having invalid image pull credentials. |
Modify the kubelet configuration by setting the `KubeletEnsureSecretPulledImages` feature gate to `false` and verify both the pods are `Running` successfully which is the default/current behavior. | ||
|
||
### Conclusion | ||
As of today, if a pod pulls an image from a private registry with valid credentials on to a node, the same can be leveraged by any another pod on the same node even without a valid image pull seceret/credentials. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As of today, if a pod pulls an image from a private registry with valid credentials on to a node, the same can be leveraged by any another pod on the same node even without a valid image pull seceret/credentials. | |
As of today, if a pod pulls an image from a private registry with valid credentials on to a node, the same can be | |
leveraged by any another pod on the same node even without a valid image pull seceret/credentials. |
|
||
### Conclusion | ||
As of today, if a pod pulls an image from a private registry with valid credentials on to a node, the same can be leveraged by any another pod on the same node even without a valid image pull seceret/credentials. | ||
This newly introduced feature would help the cluster admin to have a better access control in terms of multi tenant scenarios by allowing the access of an image only incase of having a valid credentials even if the image is already present on the node. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This newly introduced feature would help the cluster admin to have a better access control in terms of multi tenant scenarios by allowing the access of an image only incase of having a valid credentials even if the image is already present on the node. | |
This newly introduced feature would help the cluster admin to have a better access control | |
in terms of multi tenant scenarios by allowing the access of an image only incase of having | |
a valid credentials even if the image is already present on the node. |
As @sftim mentioned, this content format is not looking like blog post publicity. WDYT? |
@sairameshv / @sftim : Please may I know the status of this blogpost? Are we considering pushing it forward to a later date? |
Hey @divya-mohan0209 , There is a new PR for the KEP proposing changes to this feature and that may require a new PR based on the latest behavior. /close |
@sairameshv: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Place holder PR for a blog on the Ensure secret pulled images feature
Reference: kubernetes/enhancements#2535
/cc @haircommander