Authenticated registry mirror support for image pulls

[saschagrunert]

Enhancement Description

• One-line enhancement description (can be used as a release note): Added authenticated registry mirror support for image pulls
• Kubernetes Enhancement Proposal: TBD
• Discussion Link: TBD
• Primary contact (assignee): @saschagrunert
• Responsible SIGs: SIG Node
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): v1.31
  • Beta release target (x.y): TBD
  • Stable release target (x.y): TBD
• Alpha
  • KEP (k/enhancements) update PR(s): Add KEP for authenticated registry mirror support #4527
  • Code (k/k) update PR(s):
  • Docs (k/website) update PR(s):

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

Summary

Right now we only filter for one matching credential secret during an image pull within the kubelet: https://github.com/kubernetes/kubernetes/blob/c98b388a847f84019609f6422b4ab00b89c4603c/pkg/kubelet/kuberuntime/kuberuntime_image.go#L38-L56

The kubelet does not know anything about the registry configuration on a node. Therefore, we should just pass all authentication credentials to the lower level container runtime to decide which one to choose for pulling the image. This requires a CRI change to be able to pass multiple credentials: https://github.com/kubernetes/kubernetes/blob/c98b388a847f84019609f6422b4ab00b89c4603c/pkg/kubelet/kuberuntime/kuberuntime_image.go#L38-L56

cc @mrunalp @haircommander @rphillips

[saschagrunert]

/sig node

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue or PR with /reopen
• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

[k8s-ci-robot]

@k8s-triage-robot: Closing this issue.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue or PR with /reopen
• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

[k8s-ci-robot]

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[SergeyKanzhelev]

@saschagrunert what do you think of teaching kubelet about mirrors and make the runtime just pull what's asked? It will require to pass the original image name as a "formal" image name.

[saschagrunert]

@saschagrunert what do you think of teaching kubelet about mirrors and make the runtime just pull what's asked? It will require to pass the original image name as a "formal" image name.

Registry mirror implementations vary between runtime implementations. We could add a CRI call to resolve all available mirrors per image pull request. The result can be used to lookup the credentials.

[saschagrunert]

@kubernetes/sig-node-feature-requests can we consider this one for 1.31? If so, then I'm happy to outline the KEP.

[mrunalp]

@saschagrunert 👍

[SergeyKanzhelev]

so the idea is to pass all credentials rather than move the mirror logic up to the kubelet? Will the KEP also include authentication of layers pulling when layers are in different registry (see GHSA-742w-89gc-8m9c).

[saschagrunert]

so the idea is to pass all credentials rather than move the mirror logic up to the kubelet?

Yes

Will the KEP also include authentication of layers pulling when layers are in different registry (see GHSA-742w-89gc-8m9c).

I assume this should be handled by the runtime, which then has all available credentials at hand.

[haircommander]

@saschagrunert do you hope to make progress on this in 1.32?

[saschagrunert]

@saschagrunert do you hope to make progress on this in 1.32?

Hm, I would not say it's a high priority but we can give it a try.

[SergeyKanzhelev]

@saschagrunert do you hope to make progress on this in 1.32?

Hm, I would not say it's a high priority but we can give it a try.

As it's designed in the associated PR, it will require passing too much context all the time. Also may want to start passing the wildecards for the domain names, at which stage it is easier to ask user to configure the credential provider for the runtime.

Is there an appetite to move mirror config to the kubelet? It will require new CRI APIs which will allow to specify the "display name" for the image. But overall it will be much cleaner design I think