Ensure secret pulled images

[adisky]

Enhancement Description

• One-line enhancement description (can be used as a release note): Ensure secure image access with IfNotPresent image pull policy
• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2535-ensure-secret-pulled-images
• Discussion Link: https://docs.google.com/document/d/1Ne57gvidMEWXR70OxxnRkYquAoMpt56o75oZtg-OeBg/edit#heading=h.4oysqary051o https://github.com/kubernetes/kubernetes/issues/18787
• Primary contact (assignee): @stlaz @mikebrow @haircommander @pacoxu
• Responsible SIGs: Node
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.33
  • Beta release target (x.y): 1.34
  • Stable release target (x.y):
• [x] Alpha
  • [x] KEP (k/enhancements) update PR(s):
    • [x] v1.29 https://github.com/kubernetes/enhancements/pull/3532. (#1608 merged)
    • [x] v1.30 https://github.com/kubernetes/enhancements/pull/4431 (update based on sig-node meeting discussion and PR comments)
    • [x] v1.31 https://github.com/kubernetes/enhancements/pull/4693
    • [x] v1.32 https://github.com/kubernetes/enhancements/pull/4789
    • [x] v1.33 https://github.com/kubernetes/enhancements/pull/5026
  • [x] Code (k/k) update PR(s):
    • [x] https://github.com/kubernetes/kubernetes/pull/128152
    • ~~first try https://github.com/kubernetes/kubernetes/pull/94899/~~
    • ~~https://github.com/kubernetes/kubernetes/pull/114847~~
    • ~~https://github.com/kubernetes/kubernetes/pull/125817~~
  • [x] Docs (k/website) update PR(s):
    • [x] https://github.com/kubernetes/website/pull/49886
    • ~~https://github.com/kubernetes/website/pull/48491~~
    • ~~https://github.com/kubernetes/website/pull/43454~~
    • ~~https://github.com/kubernetes/website/pull/45293~~
    • ~~https://github.com/kubernetes/website/pull/47053~~
• [ ] Beta
  • [x] KEP (k/enhancements) update PR(s): https://github.com/kubernetes/enhancements/pull/5371
  • [ ] Code (k/k) update PR(s):
  • [ ] Docs (k/website) update(s):

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

/sig node

[mikebrow]

Thx @adisky

[ehashman]

/stage stable /milestone v1.22

Note: Since this is a bugfix Mike would like to target graduation directly to stable.

[JamesLaverack]

Hey @mikebrow, 1.22 Enhancements Lead here. 👋

Note: Since this is a bugfix Mike would like to target graduation directly to stable.

@ehashman That should be fine so long as SIG Node are happy with that. (cc @dchen1107 @derekwaynecarr)

I'm aware there's an open PR for your KEP open, but I'd just like to highlight a few things. By enhancements freeze (23:59:59 PST on Thursday 13th May) we require the following:

• Your KEP must be merged, including both a README.md and a kep.yaml these should be using the latest templates. For example the directory name should include the enhancement number (2535, in this case). This should be fully complete, including graduation criteria and a test plan.
• We require an approved production readiness review. Please see the PRR documentation for further details.

[JamesLaverack]

Hi @mikebrow, 1.22 Enhancements Lead here. :wave: With enhancements freeze now in effect we are removing this enhancement from the 1.22 release.

Feel free to file an exception to add this back to the release. If you plan to do so, please file this as early as possible.

Thanks! /milestone clear

[mikebrow]

exception was filed last week.. no response yet. KEP updated to latest format and to resolve review questions (mainly added feature gate and switch to alpha vs going directly to GA. Code PR needs final reviews to go over the added feature gate.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[salaxander]

/remove-lifecycle stale /milestone v1.23

[Priyankasaggu11929]

Hi @adisky! 1.23 Enhancements team here. Just checking in as we approach enhancements freeze on Thursday 09/09. Here's where this enhancement currently stands:

• [ ] KEP file using the latest template has been merged into the k/enhancements repo.
• [ ] KEP status is marked as implementable
• [ ] KEP has a test plan section filled out.
• [ ] KEP has up to date graduation criteria.
• [ ] KEP has a production readiness review that has been completed and merged into k/enhancements.

Looks like for this one, we would need the following:

• update issue description with the latest Enhancements target
• update the KEP file for the current milestone & get the PR https://github.com/kubernetes/enhancements/pull/1608 merged

---

Also, could we please add some more information in the Test Plan section? Currently, the section is pointing towards checking a PR, could we add some relevant links or more pointers or have the tests specified inline? Thank you.

### Test Plan

See PR (exhaustive unit tests added for alpha covering feature gate on and off for new and modified functions)

Thank you!

[adisky]

Hi @adisky! 1.23 Enhancements team here. Just checking in as we approach enhancements freeze on Thursday 09/09. Here's where this enhancement currently stands:

• [ ] KEP file using the latest template has been merged into the k/enhancements repo.
• [ ] KEP status is marked as implementable
• [ ] KEP has a test plan section filled out.
• [ ] KEP has up to date graduation criteria.
• [ ] KEP has a production readiness review that has been completed and merged into k/enhancements.

Looks like for this one, we would need the following:

• update issue description with the latest Enhancements target
• update the KEP file for the current milestone & get the PR ensure secret pulled images #1608 merged

Also, could we please add some more information in the Test Plan section? Currently, the section is pointing towards checking a PR, could we add some relevant links or more pointers or have the tests specified inline? Thank you.

### Test Plan

See PR (exhaustive unit tests added for alpha covering feature gate on and off for new and modified functions)

Thank you!

cc @mikebrow

[mikebrow]

@adisky @Priyankasaggu11929 I updated the KEP adding a description for the test plan and links.. and updated the KEP's alpha target from 1.22 to 1.23.

[Priyankasaggu11929]

Thank you so much for adding the changes, @mikebrow.

Just to confirm once:

• As you mentioned above, this enhancement is targeting at stage: alpha, so is it right to change the stage: stable to stage: alpha on this issue?
• I see the changes in the "Test Plan" section are updated.
• But the commit changes for updating the KEP's alpha target & the latest-milestone didn't come through.

Could you please confirm this part. Thanks once again. :)

[mikebrow]

* As you mentioned above, this enhancement is targeting at `stage: alpha`, so is it right to change the `stage: stable` to `stage: alpha` on this issue?

Yes, it is right to change the stage to alpha.

* But the [commit changes for updating the KEP's alpha target & the latest-milestone](https://github.com/kubernetes/enhancements/pull/1608/files#diff-b0309577eac7d6f66d23c210698d6f71cfa45c5af46b20d27e2d5c867fcf6de1R20-R25) didn't come through.

Forgot to hit the save button on those changes :-) Fixed now. Cheers, Mike

[Priyankasaggu11929]

Thanks for the changes @mikebrow :)

[Priyankasaggu11929]

Hello @mikebrow, just checking in as we approach 1.23 enhancements freeze tonight (09/09/2021, 23:59 PDT). Looks like the PR https://github.com/kubernetes/enhancements/pull/1608 has got both lgtm, & approve label. But there's an hold on the merge.

Is it intended or can be removed to go ahead.? As with the PR merged, this enhancements will be ready for the 1.23 enhancements freeze tonight.

Thank you!

[Priyankasaggu11929]

Just an update, the don-not-merge/hold label was removed manually since all the requirements were met.

The KEP is now tracked for the kubernetes 1.23 release. Thank you so much @mikebrow.

[jlbutler]

Hi @mikebrow :wave: 1.23 Docs lead here.

This enhancement is marked as 'Needs Docs' for the 1.23 release.

Please follow the steps detailed in the documentation to open a PR against the dev-1.23 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thu November 18, 11:59 PM PDT.

Also, if needed take a look at Documenting for a release to familiarize yourself with the docs requirement for the release.

Thanks!

[Priyankasaggu11929]

Hello @mikebrow 👋

Checking in once more as we approach 1.23 code freeze at 6:00 pm PST on Tuesday, November 16.

Please ensure the following items are completed:

• All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
• All PRs are fully merged by the code freeze deadline.
• Have a documentation placeholder PR open by Thursday, November 18.

As always, we are here to help should questions come up.

Thank you so much! 🙂

[salaxander]

Hi, 1.23 Enhancements Lead here 👋. With code freeze now in effect, this enhancement has not met the criteria for the freeze and has been removed from the milestone.

As a reminder, the criteria for code freeze is:

• All PRs to the kubernetes/kubernetes repo have merged by the code freeze deadline

Feel free to file an exception to add this back to the release. If you plan to do so, please file this as early as possible.

Thanks! /milestone clear

[mikebrow]

just waiting on review/merge....

[mikebrow]

@adisky I guess we have to move this to 1.24 target...

[adisky]

@mikebrow updated

[gracenng]

Hi @mikebrow ! 1.24 Enhancements team here. Just checking in as we approach enhancements freeze on 18:00pm PT on Thursday Feb 3rd. This enhancements is targeting beta for 1.24, is that correct?. Here’s where this enhancement currently stands:

• [ ] Updated KEP file using the latest template has been merged into the k/enhancements repo -- this will be kep with latest-milestone: 1.24
• [ ] KEP status is marked as implementable for this release with latest-milestone: 1.24
• [x] KEP has a test plan section filled out.
• [x] KEP has up to date graduation criteria.
• [x] KEP has a production readiness review that has been completed and merged into k/enhancements.

The status of this enhancement is track as at risk. Please update this issue description to reflect enhancements target Thanks!

[gracenng]

Hi @mikebrow , 1.24 Enhancements Team here.

Reaching out as we're less than a week away from Enhancement Freeze on Thursday, February 3rd. There's no update for this enhancement since last checkin, let me know if I missed anything. Current status is at risk

[mikebrow]

Hi @mikebrow ! 1.24 Enhancements team here. Just checking in as we approach enhancements freeze on 18:00pm PT on Thursday Feb 3rd. This enhancements is targeting beta for 1.24, is that correct?. Here’s where this enhancement currently stands:

• [ ] Updated KEP file using the latest template has been merged into the k/enhancements repo -- this will be kep with latest-milestone: 1.24
• [ ] KEP status is marked as implementable for this release with latest-milestone: 1.24
• [x] KEP has a test plan section filled out.
• [x] KEP has up to date graduation criteria.
• [x] KEP has a production readiness review that has been completed and merged into k/enhancements.

The status of this enhancement is track as at risk. Please update this issue description to reflect enhancements target Thanks!

Should be alpha for 1.24.. changed from alpha for 1.23 because it didn't get merged into 1.23. merged commit change for that here: https://github.com/kubernetes/enhancements/pull/3127/files

[mikebrow]

status should be ready to merge, code may need a 2nd / 3rd reviews, but changes responses were minimal / proposed for beta.. if anything is holding the alpha up I'll be here to fix it :)

[gracenng]

All good to go for 1.24 Enhancement Freeze :)

[PI-Victor]

Hi @mikebrow :wave: 1.24 Docs shadow here.

This enhancement is marked as Needs Docs for the 1.24 release.

Please follow the steps detailed in the documentation to open a PR against the dev-1.24 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday 31st March 2022, 18:00 PDT.

Also, if needed take a look at Documenting for a release to familiarize yourself with the docs requirement for the release.

Thanks!

[gracenng]

Hi @mikebrow 1.24 Enhancements Team here, With Code Freeze approaching on 18:00 PDT Tuesday March 29th 2022, we are currently tracking the following k/k PR:

• [ ] https://github.com/kubernetes/kubernetes/pull/94899

The status of this enhancement is at risk until the PR is merged. Please let me know if I'm missing any. Thanks!

[valaparthvi]

Hi @mikebrow :wave: 1.24 Release Comms team here.

We have an opt-in process for the feature blog delivery. If you would like to publish a feature blog for this issue in this cycle, then please opt in on this tracking sheet.

The deadline for submissions and the feature blog freeze is scheduled for 01:00 UTC Wednesday 23rd March 2022 / 18:00 PDT Tuesday 22nd March 2022. Other important dates for delivery and review are listed here: https://github.com/kubernetes/sig-release/tree/master/releases/release-1.24#timeline.

For reference, here is the blog for 1.23.

Please feel free to reach out any time to me or on the #release-comms channel with questions or comments.

Thanks!

[ehashman]

/milestone clear

We don't think this will make 1.24, per the Mar. 22 SIG Node meeting.