
imagePullSecret injection breaks use of ServiceAccount imagePullSecret #31

Closed
kd7lxl opened this issue Jan 8, 2021 · 0 comments
Labels
bug Something isn't working

Comments

@kd7lxl
Collaborator

kd7lxl commented Jan 8, 2021

It's common for pods to inherit their image pull secrets from their service account. Many existing deployments depend on this behavior. The service account admission controller only injects these secrets when the pod does not yet have any image pull secrets:
https://github.com/kubernetes/kubernetes/blob/c6f7fbcfbc69120934ed87c5ac701bd1890347a3/plugin/pkg/admission/serviceaccount/admission.go#L108

Tugger unconditionally injects its own image pull secret, which defeats injection of the service account image pull secret.

tugger/cmd/tugger/main.go, lines 200 to 208 in 17c4419:

```go
// Add image pull secret and label
patches = append(patches, patch{
	Op:   "add",
	Path: "/spec/imagePullSecrets",
	Value: []v1.LocalObjectReference{
		v1.LocalObjectReference{
			Name: registrySecretName,
		},
	}},
```

The result is that the image pull secret the pod manifest author intended to apply is not applied, and in many cases this leads to image pull errors.

#2 would partially solve this by ensuring the secret referenced by Tugger exists, but there are cases where this could still lead to image pull errors. For example, if the pod has multiple containers (sidecars) that require various credentials, the secret referenced by Tugger may not be able to pull all of the images, but will have replaced all the image pull secrets provided by the service account.

There are a few possible solutions to this, and they're not mutually exclusive:

  • Tugger imagepullsecret injection could be optional. When it's disabled, the user would be responsible for providing image pull secrets that can pull from the private repositories swapped in by Tugger, just like they're responsible for providing the secret referenced by Tugger now (until Add capability to generate ImagePullSecret from registry credentials #2 is completed).
  • Tugger could mutate ServiceAccounts to add its imagepullsecret.
  • Tugger could duplicate the algorithm used by the ServiceAccount admission controller to copy all ServiceAccount imagePullSecrets into the pod before injecting its own to the list.
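The third option, written out as an added example (not Tugger's own code): a patch builder that first copies the ServiceAccount's imagePullSecrets when the pod has none, and appends rather than overwrites when the pod author already listed some. It assumes the webhook has already fetched the pod's ServiceAccount; `LocalObjectReference` is a local stand-in for `corev1.LocalObjectReference` so the file runs without the k8s.io/api module.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// LocalObjectReference stands in for corev1.LocalObjectReference (constructed; no k8s.io/api needed).
type LocalObjectReference struct {
	Name string `json:"name"`
}

// patch is one JSON Patch (RFC 6902) operation emitted by a mutating webhook.
type patch struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// imagePullSecretPatches adds registrySecretName to a pod's imagePullSecrets without
// discarding those set by the pod author or inherited from its ServiceAccount
// (saSecrets, which the webhook must fetch itself, since the plugin no longer injects them).
func imagePullSecretPatches(podSecrets, saSecrets []LocalObjectReference, registrySecretName string) []patch {
	base := podSecrets
	if len(base) == 0 {
		base = saSecrets // pod has none: inherit, as the serviceaccount plugin would have
	}
	alreadyPresent := false
	for _, ref := range base {
		alreadyPresent = alreadyPresent || ref.Name == registrySecretName
	}
	if len(podSecrets) > 0 {
		if alreadyPresent {
			return nil
		}
		// Pod already lists secrets: append with the "-" index so they stay intact.
		return []patch{{Op: "add", Path: "/spec/imagePullSecrets/-", Value: LocalObjectReference{Name: registrySecretName}}}
	}
	merged := append([]LocalObjectReference{}, base...)
	if !alreadyPresent {
		merged = append(merged, LocalObjectReference{Name: registrySecretName})
	}
	return []patch{{Op: "add", Path: "/spec/imagePullSecrets", Value: merged}}
}

func main() {
	sa := []LocalObjectReference{{Name: "sa-pull-secret"}} // constructed sample SA secret
	out, _ := json.MarshalIndent(imagePullSecretPatches(nil, sa, "tugger-registry"), "", "  ")
	fmt.Println(string(out))
}
```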