| title | authors | reviewers | creation-date | last-updated | status |
|---|---|---|---|---|---|
| SidecarSet ImagePullSecrets | | | 2021-07-13 | 2021-07-13 | implementable |
- Provide a way to pull images from private repositories for `SidecarSet` using a `Secret`.
In k8s, a `Secret` is an easy and safe way to store and manage sensitive information such as passwords, OAuth tokens, and SSH keys. One of its most commonly used features is pulling images from private repositories. However, `SidecarSet` does not support this feature so far.
Main idea: In this design, we separate the logic of `Secret` and `SidecarSet`. In the `SidecarSet` part, we only consider injecting its `imagePullSecrets` field into the Pod. Users should manually distribute the required `Secrets` to all the namespaces in which the `SidecarSet` may be instantiated.
We add an `imagePullSecrets` field in `apis/apps/v1alpha1/sidecarset_types.go`:

```go
type SidecarSetSpec struct {
    ...
    // List of the names of secrets required by pulling sidecar container images
    ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
}
```
A typical example:

```yaml
# sidecarset.yaml
apiVersion: apps.kruise.io/v1alpha1
kind: SidecarSet
metadata:
  name: my-sidecarset
spec:
  selector:
    ...
  updateStrategy:
    ...
  containers:
    - name: my-sidecar
      image: my-repository/centos:6.7
      ...
  imagePullSecrets:
    - name: my-secret
```
The image will be pulled from the private repository `my-repository` if the secret `my-secret` stores the correct `username` and `password` for this repository. If a correct secret `my-secret` does not exist in the Pod's namespace, pulling this image will fail.
We will merge the `imagePullSecrets` of both the `Pod` and the `SidecarSet` in the `pkg/webhook/pod/sidecarset.go` file:

```go
func (h *PodCreateHandler) sidecarsetMutatingPod(ctx context.Context, req admission.Request, pod *corev1.Pod) error {
    ...
    // Inject imagePullSecrets.
    // sidecarSecrets holds the imagePullSecrets collected from the SidecarSets
    // matched to this pod (collection elided above).
    pod.Spec.ImagePullSecrets = mergeSidecarSecrets(pod.Spec.ImagePullSecrets, sidecarSecrets)
    ...
}
```
```go
// mergeSidecarSecrets merges the secrets of both the pod and the sidecarset.
// The pod's own secrets are kept first and in their original order; sidecarset
// secrets are appended afterwards, and duplicates are dropped by name.
func mergeSidecarSecrets(secretsInPod, secretsInSidecar []corev1.LocalObjectReference) (allSecrets []corev1.LocalObjectReference) {
    secretFilter := make(map[string]bool)
    for _, podSecret := range secretsInPod {
        if _, ok := secretFilter[podSecret.Name]; !ok {
            secretFilter[podSecret.Name] = true
            allSecrets = append(allSecrets, podSecret)
        }
    }
    for _, sidecarSecret := range secretsInSidecar {
        if _, ok := secretFilter[sidecarSecret.Name]; !ok {
            secretFilter[sidecarSecret.Name] = true
            allSecrets = append(allSecrets, sidecarSecret)
        }
    }
    return allSecrets
}
```
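As an added example (not code from the proposal or from OpenKruise), the merge generalised to a pod matched by several SidecarSets, plus the pre-flight check this design leaves to users: which referenced secrets are absent from the pod's namespace, so that a pull failure can be reported before the pod is created. `LocalObjectReference` is a stand-in for `corev1.LocalObjectReference`, and `existing` is a constructed stand-in for a Secret lister, both assumptions so the example runs without `k8s.io/api`.

```go
package main

import (
	"fmt"
	"sort"
)

// LocalObjectReference mirrors corev1.LocalObjectReference (assumed stand-in).
type LocalObjectReference struct {
	Name string
}

// mergeImagePullSecrets keeps the pod's own secrets first, in order, then appends
// the secrets of each matched SidecarSet in turn, dropping duplicates by name.
func mergeImagePullSecrets(podSecrets []LocalObjectReference, sidecarSets ...[]LocalObjectReference) []LocalObjectReference {
	seen := make(map[string]struct{})
	var merged []LocalObjectReference
	add := func(refs []LocalObjectReference) {
		for _, r := range refs {
			if _, dup := seen[r.Name]; dup {
				continue
			}
			seen[r.Name] = struct{}{}
			merged = append(merged, r)
		}
	}
	add(podSecrets)
	for _, s := range sidecarSets {
		add(s)
	}
	return merged
}

// missingSecrets returns, sorted, the referenced secret names that do not exist in
// the pod's namespace. existing maps namespace -> set of secret names (constructed
// stand-in for a Secret lister); a missing name means the image pull will fail.
func missingSecrets(refs []LocalObjectReference, namespace string, existing map[string]map[string]bool) []string {
	var missing []string
	for _, r := range refs {
		if !existing[namespace][r.Name] {
			missing = append(missing, r.Name)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	existing := map[string]map[string]bool{"prod": {"my-secret": true}} // constructed
	pod := []LocalObjectReference{{Name: "pod-secret"}, {Name: "my-secret"}}
	sc := []LocalObjectReference{{Name: "my-secret"}, {Name: "other-secret"}}
	merged := mergeImagePullSecrets(pod, sc)
	fmt.Println(merged, "missing in prod:", missingSecrets(merged, "prod", existing))
}
```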
- 13/07/2021: Proposal submission