Skip to content

[WIP] Document KubeletEnsureSecretPulledImages feature #43454

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

[WIP] Document KubeletEnsureSecretPulledImages feature #43454

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions content/en/docs/reference/command-line-tools-reference/feature-gates.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -129,6 +129,7 @@ For a reference to old feature gates that are removed, please refer to
| `KMSv2KDF` | `false` | Beta | 1.28 | |
| `KubeProxyDrainingTerminatingNodes` | `false` | Alpha | 1.28 | |
| `KubeletCgroupDriverFromCRI` | `false` | Alpha | 1.28 | |
| `KubeletEnsureSecretPulledImages` | `false` | Alpha | 1.29 | |
Copy link
Contributor

@tengqm tengqm Oct 12, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Each and every gate needs a description that can be found at the end of this file, in alphabeta order.

| `KubeletInUserNamespace` | `false` | Alpha | 1.22 | |
| `KubeletPodResourcesDynamicResources` | `false` | Alpha | 1.27 | |
| `KubeletPodResourcesGet` | `false` | Alpha | 1.27 | |
Expand Down Expand Up @@ -584,6 +585,12 @@ Each feature gate is designed for enabling/disabling a specific feature:
the `cgroupDriver` configuration setting.
See [Configuring a cgroup driver](/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver)
for more details.
- `KubeletEnsureSecretPulledImages`: add support in kubelet for the `pullIfNotPresent`
Copy link
Contributor

@sftim sftim Oct 13, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- `KubeletEnsureSecretPulledImages`: add support in kubelet for the `pullIfNotPresent`
- `KubeletEnsureSecretPulledImages`: change the behavior of the `IfNotPresent`

image pull policy, for ensuring images pulled with pod `imagePullSecrets` are re-authenticated
for other pods that do not have the same `imagePullSecret`/auths used to successfully pull
the images in the first place.
Comment on lines +590 to +591
Copy link
Contributor

@sftim sftim Oct 13, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
for other pods that do not have the same `imagePullSecret`/auths used to successfully pull
the images in the first place.
for other pods that do not have the same `imagePullSecret` authentication information that was used
to retrieve that Pod's container image(s) in the first place.

This policy change will have no affect on the pull always image pull policy or for images
that are preloaded.
Comment on lines +592 to +593
Copy link
Contributor

@sftim sftim Oct 13, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
This policy change will have no affect on the pull always image pull policy or for images
that are preloaded.
Enabling this feature gate has no effect on Pods that use the `Always` image pull policy, nor for the
`Never` image pull policy or for container images that are preloaded onto the target node.

- `KubeletInUserNamespace`: Enables support for running kubelet in a
{{<glossary_tooltip text="user namespace" term_id="userns">}}.
See [Running Kubernetes Node Components as a Non-root User](/docs/tasks/administer-cluster/kubelet-in-userns/).
Expand Down