keps/sig-auth/4412-projected-service-account-tokens-for-kubelet-image-credential-providers/README.md
4 additions & 2 deletions
@@ -507,7 +507,7 @@ Notes from reviewing the current KEP and discussion with @stlaz:
507
507
1. I think it'll just be tied to the KSA and not so much to the expiry of the token because we're doing the same thing with image pull secrets (considered valid until deleted and recreated). Deletion and recreation of KSA will result in change in UID and that'll result in KSA not found in cache for the image (assuming the key used to store in cache is consistent with the cache key used in the credential provider cache that takes UID into consideration). Need to share the cache key generation logic to be consistent.
508
508
3. Need an update to `ImagePullCredentials` struct to also store coordinates of the KSA.
509
509
510
-
Until the two implementations are updated to work together, the alpha implementation of this KEP will use the KSA token based flow unless the pod is using image pull policy set to `Always`. This keeps the feature from misbehaving until we fix the implementations.
510
+
Until the two implementations are updated to work together, the alpha implementation of this KEP will use the KSA token based flow only the pod is using image pull policy set to `Always`. This keeps the feature from misbehaving until we fix the implementations.
511
511
512
512
### Test Plan
513
513
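Review bot: the added sentence at line 510 is missing a word: "only the pod is using image pull policy set to `Always`" should read "only when the pod is using ...". Since the wording moves from "unless" to "only", the paragraph should also state which flow applies to pods with any other pull policy, and "This keeps the feature from misbehaving" would be easier to evaluate if it named the misbehaviour being avoided (for example the cache key consistency concern raised in item 1 above, if that is the one meant).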
@@ -674,7 +674,7 @@ in back-to-back releases.
674
674
675
675
#### Beta
676
676
677
-
- The implementation works well with the Ensure secret pull images KEP and supports pod image pull policy set to `Always`
677
+
- The implementation works well with the Ensure secret pull images KEP and supports pod image pull policy set to any value.
678
678
- Add metrics
679
679
680
680
#### GA
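Review bot: "any value" in the Beta criterion at line 677 is not testable as written. Listing the pull policies the implementation must support (`Always`, `IfNotPresent`, `Never`), or pointing back to the alpha restriction this criterion lifts, would make the graduation bar explicit. Style nit: this bullet now ends with a period while "- Add metrics" below it does not.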
@@ -804,6 +804,8 @@ NOTE: Also set `disable-supported` to `true` or `false` in `kep.yaml`.
804
804
Yes. The feature flag needs to be disabled and the credential provider configuration for the provider that is using service account tokens for image pull
805
805
needs to be updated to not use the `TokenAttributes` field or the provider needs to be removed.
806
806
807
+
Kubelet needs to be restarted to invalidate the in-memory cache after removing the provider or updating the configuration.
808
+
807
809
Steps to disable the feature:
808
810
809
811
1. Update the kubelet credential provider configuration to remove providers that are using service account tokens for image pull.
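Review bot: the restart requirement added at line 807 appears only in the prose answer, while the "Steps to disable the feature" list that follows opens with the configuration update. If the list does not already contain a kubelet restart, add it as an explicit step after the configuration change so operators following the steps do not leave cached credentials in place. It would also help to name which in-memory cache is meant.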