enix / kube-image-keeper

kuik is a container image caching system for Kubernetes
MIT License
452 stars, 36 forks

Image caching failed caused by missing pull secret from deleted namespace #429

Open aDisplayName opened 4 days ago

aDisplayName commented 4 days ago

kube-image-keeper: v1.10.0

Here is our setup:

  1. Deploy kube-image-keeper with latest v1.10.0
  2. Deploy a deployment using an image from a private gcr registry: gcr.io/myproject/test-image:0.0.1, while providing image pull secret "gcr-myproject-pullsecret" in namespace "test-1"
  3. After the image gcr-io-myproject-test-image-0.0.1 is fully cached, delete the deployment, and delete the namespace "test-1"
  4. Deploy a deployment using image: gcr.io/myproject/test-image:0.0.2, using the same image pull secret content in namespace "test-2".
  5. The pod will fail to be deployed, because the Repository.kuik.enix.io object is still referencing the non-existent "test-1/gcr-myproject-pullsecret" pull secret when caching the new image tag for the same repository.

Our clusters are not hosted on the cloud, so we don't know if the recent PR #428 is going to help us. Question: Is there a way to specify / inject a global pull secret for the entire cluster for repositories using certain prefixes? We don't mind injecting it into the kuik deployment if that is allowed.

paullaffitte commented 18 hours ago

Hello,

#428 will not help you on this one. And indeed it's a bug; I think it will not be too hard to fix, I will try to work on it during this week.

Concerning your question, there is currently no way to do what you ask. You can still use pull secrets attached to a service account, and they will be used for pods using this service account, but I understand that it doesn't exactly achieve what you're trying to do. #385 asked for a similar feature, and while adding an option for a global ImagePullSecret is not something we intend to do, I find the idea of injecting pull secrets for repositories with a specific prefix interesting. But I'm still not sure if it is in the scope of kuik. Maybe a kyverno policy would be enough?

For instance something like this (generated with ChatGPT):

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-pull-secret-to-cachedimage
spec:
  rules:
    - name: add-pull-secret
      match:
        resources:
          kinds:
            - CachedImage
      preconditions:
        all:
          - key: "{{ request.object.metadata.labels['kuik.enix.io/repository'] }}"
            operator: In
            value: ["registry.k8s.io-kube-state-metrics-kube-state-metrics"]
      mutate:
        patchStrategicMerge:
          spec:
            imagePullSecrets:
              - name: my-pull-secret # Replace with the desired pull secret name
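As an added example (not part of kube-image-keeper or of either comment above), the following script audits Repository objects for the situation the issue describes: a pull secret reference pointing at a namespace that has since been deleted. It assumes the Repository spec carries `pullSecretNames` and `pullSecretsNamespace`, fed from `kubectl get repositories.kuik.enix.io -o json` and `kubectl get namespaces -o json`; the sample documents below are constructed.

```python
"""Find kuik Repository objects whose pull-secret namespace no longer exists."""
import json

# Constructed sample in the shape of `kubectl get repositories.kuik.enix.io -o json`.
# Field names pullSecretNames / pullSecretsNamespace are assumed from the Repository CRD.
REPOSITORIES_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "gcr.io-myproject-test-image"},
         "spec": {"name": "gcr.io/myproject/test-image",
                  "pullSecretNames": ["gcr-myproject-pullsecret"],
                  "pullSecretsNamespace": "test-1"}},
        {"metadata": {"name": "docker.io-library-nginx"},
         "spec": {"name": "docker.io/library/nginx"}},
    ]
})

# Constructed sample in the shape of `kubectl get namespaces -o json` (test-1 is gone).
NAMESPACES_JSON = json.dumps({
    "items": [{"metadata": {"name": "default"}}, {"metadata": {"name": "test-2"}}]
})


def stale_pull_secret_refs(repositories_json: str, namespaces_json: str) -> list:
    """Return (repository, namespace, secret) for every reference into a missing namespace."""
    existing = {ns["metadata"]["name"] for ns in json.loads(namespaces_json)["items"]}
    stale = []
    for repo in json.loads(repositories_json)["items"]:
        spec = repo.get("spec", {})
        namespace = spec.get("pullSecretsNamespace")
        secrets = spec.get("pullSecretNames") or []
        if not namespace or not secrets:
            continue  # repository pulls anonymously; nothing to check
        if namespace not in existing:
            for secret in secrets:
                stale.append((repo["metadata"]["name"], namespace, secret))
    return stale


def merge_patch(new_namespace: str) -> dict:
    """Body for `kubectl patch ... --type merge` that re-points a Repository at a live namespace."""
    return {"spec": {"pullSecretsNamespace": new_namespace}}


if __name__ == "__main__":
    for repo, namespace, secret in stale_pull_secret_refs(REPOSITORIES_JSON, NAMESPACES_JSON):
        print(f"{repo}: pull secret {namespace}/{secret} references a deleted namespace")
        print("  suggested patch:", json.dumps(merge_patch("test-2")))
```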