Blog: Kubernetes v1.26: GA Support for Kubelet Credential Providers #37647
Hi @andrewsykim, thank you for the draft doc PR #37647. Please update it to Ready for Review; the deadline is Tuesday 15th November 2022. Thank you!
@katmutua do feature blogs need to be ready by today as well?
Hi @andrewsykim, Comms Shadow for the 1.26 release here. This feature blog is tracked for release; the deadline for submitting the draft is November 29. Considering editorial review times, the sooner you can send the draft the better.
Hello @andrewsykim, we're doing a global reminder about submitting a draft for review for all opted-in feature blogs. If at all possible, it is very helpful for the release team to have drafts submitted for review before the hard deadline date, to better plan the release dates and avoid missing out. Thank you!
@fsmunoz I have a working draft in a google doc, I'll have it copied over here sometime today or tomorrow
If you can let the blog team have sight of the Google Doc, we can give you suggestions on that. Google Docs is great for early feedback. However, the deadline for being part of the post-release article series is super imminent now.
force-pushed from 99fd644 to 2b87350
force-pushed from 2b87350 to e07b45c
> the Kubelet to dynamically authenticate and pull images for any container registry service.
> In Kubernetes v1.26, this feature is now GA.
>
> {{< figure src="kubelet-credential-providers-plugin.png" alt="Figure 2: Kubelet Credential Provider Overview" >}}
@sftim is there a way to add description text for figures?
See https://gohugo.io/content-management/shortcodes/#figure
There are a few options.
(I intend to replace the images, just used placeholder ones for now to see the blog preview)
force-pushed from d3dec40 to ae02bec
If you want to preview locally, see https://kubernetes.io/docs/contribute/new-content/open-a-pr/#preview-locally
/hold
OK to unhold once this has a publication date assigned and the commits match up with that.
force-pushed from ae02bec to d6c6c3e
@divya-mohan0209 I'm keeping this as not ready for publication pending your input, thanks! As far as I could see the rest is done, including tech review.
@andrewsykim you need to fix the article date, see inline feedback.
Other inline feedback is relevant, but less important than the date issue.
We'd love to get these images into SVG format so that people can zoom in on them if needed. If you have editable source that you can turn into PDF or SVG, we can help you convert them.
> ---
> layout: blog
> title: 'Kubernetes v1.26: GA Support for Kubelet Credential Providers'
> date: 2022-11-28

Suggested change:
```diff
- date: 2022-11-28
+ date: 2022-12-22
```
Please update the path `content/en/blog/_posts/2022-11-28-kubelet-credential-providers/index.md` to match.
> The new plugin mechanism can be used in any cluster, and lets you authenticate to new registries without
> any changes to Kubernetes itself. Any cloud provider or vendor can publish a plugin that lets you authenticate with their image registry.
>
> ## How it Works

(nit)
Suggested change:
```diff
- ## How it Works
+ ## How it works
```
> "username": "“user”",
> "password": "“token12345”"

Is this right:
```diff
- "username": "“user”",
- "password": "“token12345”"
+ "username": "exampleuser",
+ "password": "token12345"
```
?
oops, good catch, thank you
> * `--image-credential-provider-bin-dir`: the path to the directory where credential provider plugin binaries are located.
>
> The configuration file passed into `--image-credential-provider-config` is read by the kubelet to determine which exec plugins should be invoked for a container image used by a Pod.
> Note that the name of each "provider" must match the name of the binary located in the local directry specified in `--image-credential-provider-bin-dir`, otherwise the Kubelet

Suggested change:
```diff
- Note that the name of each "provider" must match the name of the binary located in the local directry specified in `--image-credential-provider-bin-dir`, otherwise the Kubelet
+ Note that the name of each _provider_ must match the name of the binary located in the local
+ directory specified in `--image-credential-provider-bin-dir`, otherwise the kubelet
```
“directry” was a typo, and I made other style fixes
Left some suggestions. Hope you find them useful.
> **Authors:** Andrew Sy Kim (Google), Dixita Narang (Google)
>
> Kubernetes v1.26 introduced generally available (GA) support for _kubelet credential

Do we want to link the docs here? i.e. /docs/tasks/kubelet-credential-provider/kubelet-credential-provider/
> {{< figure src="kubelet-credential-providers-in-tree.png" caption="Figure 1: Kubelet built-in credential provider support for Amazon Elastic Container Registry, Azure Container Registry, and Google Cloud Container Registry." >}}
>
> Kubernetes v1.20 introduced alpha support for kubelet credential providers plugins,
> which provide a mechanism for the kubelet to dynamically authenticate and pull images

Spelling nit
Suggested change:
```diff
- which provide a mechanism for the kubelet to dynamically authenticate and pull images
+ which provides a mechanism for the kubelet to dynamically authenticate and pull images
```
> ## How it Works
>
> The kubelet and the credential provider plugin binary communicate through stdio (stdin, stdout, and stderr) by sending and receiving

I'm not sure if you're referring to the same thing with the terms exec plugin & credential provider plugin binary. In the docs, the exec plugin term is used currently.
Suggested change:
```diff
- The kubelet and the credential provider plugin binary communicate through stdio (stdin, stdout, and stderr) by sending and receiving
+ The kubelet and the exec plugin communicate through stdio (stdin, stdout, and stderr) by sending and receiving
```
> The kubelet and the credential provider plugin binary communicate through stdio (stdin, stdout, and stderr) by sending and receiving
> json-serialized api-versioned types. If the exec plugin is enabled and the kubelet requires authentication information for an image
> that matches against a plugin, the kubelet will exec the plugin binary, passing the `CredentialProviderRequest` API via stdin. Then

Since it is a verb, I think it should be written completely.
Suggested change:
```diff
- that matches against a plugin, the kubelet will exec the plugin binary, passing the `CredentialProviderRequest` API via stdin. Then
+ that matches against a plugin, the kubelet will execute the plugin binary, passing the `CredentialProviderRequest` API via stdin. Then
```
> {{< figure src="kubelet-credential-providers-how-it-works.png" caption="Figure 3: Kubelet credential provider plugin flow" >}}
>
> On receiving credentials from the Kubelet, the plugin can also indicate how long credentials can be cached for, to prevent unecessary

Capitalization of kubelet not required.
Suggested change:
```diff
- On receiving credentials from the Kubelet, the plugin can also indicate how long credentials can be cached for, to prevent unecessary
+ On receiving credentials from the kubelet, the plugin can also indicate how long credentials can be cached for, to prevent unnecessary
```
> {{< figure src="kubelet-credential-providers-how-it-works.png" caption="Figure 3: Kubelet credential provider plugin flow" >}}
>
> On receiving credentials from the Kubelet, the plugin can also indicate how long credentials can be cached for, to prevent unecessary
> execution of the plugin by the Kubelet for subsequent image pull requests to the same registry. In cases where the cache duration

Suggested change:
```diff
- execution of the plugin by the Kubelet for subsequent image pull requests to the same registry. In cases where the cache duration
+ execution of the plugin by the kubelet for subsequent image pull requests to the same registry. In cases where the cache duration
```
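The stdio exchange and the cache duration described in the lines under review above, as an added example that is not part of the blog post or of any Kubernetes code: a minimal credential provider exec plugin in Go. It reads one `CredentialProviderRequest` from stdin and writes one `CredentialProviderResponse` to stdout. The request and response structs mirror the JSON field names of the kubelet's `credentialprovider.kubelet.k8s.io/v1` types but are declared inline here rather than imported from `k8s.io/kubelet`, so their exact shape is an assumption of this example; the registry host `registry.example.internal`, the username and the token value are constructed, and `fetchToken` stands in for whatever vendor API a real plugin would call.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// Wire types mirroring the JSON field names of credentialprovider.kubelet.k8s.io/v1.
// Declared inline for this example; a real plugin imports them from k8s.io/kubelet.
type CredentialProviderRequest struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Image      string `json:"image"`
}

type AuthConfig struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

type CredentialProviderResponse struct {
	APIVersion    string                `json:"apiVersion"`
	Kind          string                `json:"kind"`
	CacheKeyType  string                `json:"cacheKeyType"`
	CacheDuration string                `json:"cacheDuration,omitempty"` // metav1.Duration serialises as a Go duration string
	Auth          map[string]AuthConfig `json:"auth,omitempty"`
}

const apiVersion = "credentialprovider.kubelet.k8s.io/v1"

// trustedRegistry is the one host this example will mint credentials for (constructed).
const trustedRegistry = "registry.example.internal"

// registryHost returns the host part of "host/path[:tag][@digest]".
func registryHost(image string) string {
	host, _, _ := strings.Cut(image, "/")
	return host
}

// fetchToken stands in for the vendor API call a real plugin would make;
// the returned values are constructed for this example.
func fetchToken(host string) (AuthConfig, error) {
	if host != trustedRegistry {
		return AuthConfig{}, fmt.Errorf("no credential source for %q", host)
	}
	return AuthConfig{Username: "exampleuser", Password: "token12345"}, nil
}

// Handle builds the response for one request. A host the plugin does not serve
// yields a well-formed response with an empty auth map rather than an error,
// so the kubelet receives nothing to cache for it instead of a plugin failure.
func Handle(req CredentialProviderRequest) (CredentialProviderResponse, error) {
	if req.APIVersion != apiVersion || req.Kind != "CredentialProviderRequest" {
		return CredentialProviderResponse{}, fmt.Errorf("unsupported request %s/%s", req.APIVersion, req.Kind)
	}
	resp := CredentialProviderResponse{
		APIVersion: apiVersion,
		Kind:       "CredentialProviderResponse",
		// Registry scope: one token covers every path on the host, so the
		// kubelet need not re-run the plugin for each image pulled from it.
		CacheKeyType: "Registry",
		// Keep the cache lifetime below the token's real validity so a cached
		// credential is never handed to the runtime after it has expired.
		CacheDuration: "6h",
		Auth:          map[string]AuthConfig{},
	}
	host := registryHost(req.Image)
	auth, err := fetchToken(host)
	if err != nil {
		return resp, nil
	}
	resp.Auth[host] = auth
	return resp, nil
}

// Run is the stdio loop: one JSON request read from stdin, one JSON response
// written to stdout. Secrets go only to stdout; stderr carries diagnostics.
func Run(stdin io.Reader, stdout io.Writer) error {
	var req CredentialProviderRequest
	if err := json.NewDecoder(stdin).Decode(&req); err != nil {
		return errors.New("decoding CredentialProviderRequest: " + err.Error())
	}
	resp, err := Handle(req)
	if err != nil {
		return err
	}
	return json.NewEncoder(stdout).Encode(resp)
}

func main() {
	if err := Run(os.Stdin, os.Stdout); err != nil {
		fmt.Fprintln(os.Stderr, "credential-provider:", err)
		os.Exit(1)
	}
}
```

Built as a static binary and placed in the kubelet's `--image-credential-provider-bin-dir` under the provider name used in the config, it can be exercised by piping a request JSON document into it; a plugin written this way must never echo the credentials to stderr, since only stdout is the credential channel.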
> In addition, the plugin can specify the scope in which cached credentials are valid for. This is specified through the `cacheKeyType` field
> in `CredentialProviderResponse`. When the value is `Image`, the kubelet will only use cached credentials for future image pulls that exactly
> match the image of the first request. When the value is `Registry`, the kubelet will use cached credentials for any subsequent image pulls

For the Registry value, do we mean to say that the kubelet uses cached credentials for image pulls from the same registry host? Adding the verb originate here could confuse the audience because they might assume that the image-pulling action originates at the registry host end.
> In addition, the plugin can specify the scope in which cached credentials are valid for. This is specified through the `cacheKeyType` field
> in `CredentialProviderResponse`. When the value is `Image`, the kubelet will only use cached credentials for future image pulls that exactly
> match the image of the first request. When the value is `Registry`, the kubelet will use cached credentials for any subsequent image pulls
> that originate from the same registry host, but using different paths (e.g. `gcr.io/foo/bar` and `gcr.io/bar/foo` refer to different images

Suggested change:
```diff
- that originate from the same registry host, but using different paths (e.g. `gcr.io/foo/bar` and `gcr.io/bar/foo` refer to different images
+ from the same registry host, but use different paths (for example, `gcr.io/foo/bar` and `gcr.io/bar/foo` refer to different images
```
> in `CredentialProviderResponse`. When the value is `Image`, the kubelet will only use cached credentials for future image pulls that exactly
> match the image of the first request. When the value is `Registry`, the kubelet will use cached credentials for any subsequent image pulls
> that originate from the same registry host, but using different paths (e.g. `gcr.io/foo/bar` and `gcr.io/bar/foo` refer to different images
> from the same registry). And lastly, when the value is `Global`, the kubelet will use returned credentials for all images that match against

Suggested change:
```diff
- from the same registry). And lastly, when the value is `Global`, the kubelet will use returned credentials for all images that match against
+ from the same registry).
+ Lastly, when the value is `Global`, the kubelet will use returned credentials for all images that match against
```
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
I think I addressed all your comments @divya-mohan0209, please take another look!
Small nits. But otherwise LGTM!
Thank you @andrewsykim !
> In addition, the plugin can specify the scope in which cached credentials are valid for. This is specified through the `cacheKeyType` field
> in `CredentialProviderResponse`. When the value is `Image`, the kubelet will only use cached credentials for future image pulls that exactly
> match the image of the first request. When the value is `Registry`, the kubelet will use cached credentials for any subsequent image pulls
> destined for the same registry host, but use different paths (for example, `gcr.io/foo/bar` and `gcr.io/bar/foo` refer to different images

I changed using by use erroneously earlier on. Sorry about that.
Suggested change:
```diff
- destined for the same registry host, but use different paths (for example, `gcr.io/foo/bar` and `gcr.io/bar/foo` refer to different images
+ destined for the same registry host but using different paths (for example, `gcr.io/foo/bar` and `gcr.io/bar/foo` refer to different images
```
> match the image of the first request. When the value is `Registry`, the kubelet will use cached credentials for any subsequent image pulls
> destined for the same registry host, but use different paths (for example, `gcr.io/foo/bar` and `gcr.io/bar/foo` refer to different images
> from the same registry). Lastly, when the value is `Global`, the kubelet will use returned credentials for all images that match against
> the plugin, including images that can map to different registry hosts (e.g. gcr.io vs k8s.gcr.io). The `cacheKeyType` field is required by plugin

nit.
Suggested change:
```diff
- the plugin, including images that can map to different registry hosts (e.g. gcr.io vs k8s.gcr.io). The `cacheKeyType` field is required by plugin
+ the plugin, including images that can map to different registry hosts (for example, gcr.io vs k8s.gcr.io). The `cacheKeyType` field is required by the plugin
```
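The three `cacheKeyType` scopes discussed in these review comments, as an added example that is not the blog post's or the kubelet's own code: a small Go cache keyed the way the text describes, so that the effect of `Image`, `Registry` and `Global` on which later pulls reuse a credential can be checked directly. The cache structure, the lookup order (narrowest scope first) and the rule that a non-positive TTL is not cached are this example's own simplification of the kubelet's behaviour, not a transcript of it; the image names are the ones used in the text.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// CacheKeyType takes the values a plugin may set in CredentialProviderResponse.cacheKeyType.
type CacheKeyType string

const (
	ImageKey    CacheKeyType = "Image"
	RegistryKey CacheKeyType = "Registry"
	GlobalKey   CacheKeyType = "Global"
)

type entry struct {
	username, password string
	expires            time.Time
}

// CredentialCache is this example's simplification of the kubelet's per-plugin cache.
// The clock is injectable so expiry can be tested without sleeping.
type CredentialCache struct {
	now     func() time.Time
	entries map[string]entry
}

func NewCredentialCache(now func() time.Time) *CredentialCache {
	return &CredentialCache{now: now, entries: map[string]entry{}}
}

// registryHost returns the host part of "host/path[:tag][@digest]".
func registryHost(image string) string {
	host, _, _ := strings.Cut(image, "/")
	return host
}

// keyFor implements the scoping rule from the text: Image keys on the exact image
// reference, Registry on the registry host alone, Global on nothing at all.
func keyFor(kt CacheKeyType, image string) (string, error) {
	switch kt {
	case ImageKey:
		return "image|" + image, nil
	case RegistryKey:
		return "registry|" + registryHost(image), nil
	case GlobalKey:
		return "global", nil
	}
	return "", fmt.Errorf("unknown cacheKeyType %q", kt)
}

// Store records a plugin response. The plugin chooses the scope (kt) and the TTL;
// a TTL of zero or less is not cached, so every pull re-executes the plugin (example policy).
func (c *CredentialCache) Store(kt CacheKeyType, image, user, pass string, ttl time.Duration) error {
	k, err := keyFor(kt, image)
	if err != nil {
		return err
	}
	if ttl <= 0 {
		return nil
	}
	c.entries[k] = entry{user, pass, c.now().Add(ttl)}
	return nil
}

// Lookup is the kubelet side of a later pull: it tries the narrowest scope first and
// widens, so an Image entry, then a Registry entry, then a Global entry can satisfy it.
// Expired entries count as misses and are evicted.
func (c *CredentialCache) Lookup(image string) (user, pass string, ok bool) {
	for _, kt := range []CacheKeyType{ImageKey, RegistryKey, GlobalKey} {
		k, _ := keyFor(kt, image)
		e, found := c.entries[k]
		if !found {
			continue
		}
		if !c.now().Before(e.expires) {
			delete(c.entries, k)
			continue
		}
		return e.username, e.password, true
	}
	return "", "", false
}

func main() {
	c := NewCredentialCache(time.Now)
	_ = c.Store(RegistryKey, "gcr.io/foo/bar", "exampleuser", "token12345", 6*time.Hour)
	for _, img := range []string{"gcr.io/bar/foo", "k8s.gcr.io/foo/bar"} {
		_, _, hit := c.Lookup(img)
		fmt.Printf("%-22s reuses cached credential: %v\n", img, hit)
	}
}
```

The practical consequence for plugin authors is that `Global` hands the same secret to every host the plugin's `matchImages` patterns cover, so a plugin that serves more than one registry should prefer `Registry` unless the credential really is valid everywhere.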
> * `--image-credential-provider-bin-dir`: the path to the directory where credential provider plugin binaries are located.
>
> The configuration file passed into `--image-credential-provider-config` is read by the kubelet to determine which exec plugins should be invoked for a container image used by a Pod.
> Note that the name of each _provider_ must match the name of the binary located in the local directory specified in `--image-credential-provider-bin-dir`, otherwise the Kubelet

nit.
Suggested change:
```diff
- Note that the name of each _provider_ must match the name of the binary located in the local directory specified in `--image-credential-provider-bin-dir`, otherwise the Kubelet
+ Note that the name of each _provider_ must match the name of the binary located in the local directory specified in `--image-credential-provider-bin-dir`, otherwise the kubelet
```
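The requirement stated in the lines under review, that each provider name in the config resolve to a binary in `--image-credential-provider-bin-dir`, as an added pre-flight check in Go that is not part of the blog post or the kubelet. It parses the config from JSON so the example needs no YAML library (the struct fields follow the `kubelet.config.k8s.io/v1` `CredentialProviderConfig` field names, which is an assumption of this example; the kubelet's own file is usually YAML), then verifies that every named binary exists, is executable, and cannot be replaced by group or other users. The kubelet runs these plugins itself, so a writable plugin path is a local privilege escalation route. The permission thresholds and the sample config are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// CredentialProvider and CredentialProviderConfig follow the field names of the
// kubelet.config.k8s.io/v1 CredentialProviderConfig type (assumption of this example;
// a real tool would import them from k8s.io/kubelet).
type CredentialProvider struct {
	Name                 string   `json:"name"`
	MatchImages          []string `json:"matchImages"`
	DefaultCacheDuration string   `json:"defaultCacheDuration"`
	APIVersion           string   `json:"apiVersion"`
}

type CredentialProviderConfig struct {
	APIVersion string               `json:"apiVersion"`
	Kind       string               `json:"kind"`
	Providers  []CredentialProvider `json:"providers"`
}

// ParseConfig decodes the config from JSON (used here to avoid a YAML dependency).
func ParseConfig(data []byte) (CredentialProviderConfig, error) {
	var cfg CredentialProviderConfig
	if err := json.Unmarshal(data, &cfg); err != nil {
		return cfg, err
	}
	if cfg.Kind != "CredentialProviderConfig" {
		return cfg, fmt.Errorf("unexpected kind %q", cfg.Kind)
	}
	return cfg, nil
}

// plainName rejects provider names that would not map to a single file directly in binDir
// (a name such as "../x" would otherwise make the kubelet run a binary outside it).
func plainName(name string) bool {
	return name != "" && name != "." && name != ".." &&
		!strings.ContainsAny(name, `/\`) && filepath.Base(name) == name
}

// CheckBinDir returns one finding per problem. An empty result means every provider
// resolves to an executable that only its owner can modify, inside a directory that
// only its owner can write to.
func CheckBinDir(cfg CredentialProviderConfig, binDir string) []string {
	var findings []string
	dirInfo, err := os.Stat(binDir)
	if err != nil {
		return []string{fmt.Sprintf("bin dir: %v", err)}
	}
	if !dirInfo.IsDir() {
		return []string{binDir + " is not a directory"}
	}
	if perm := dirInfo.Mode().Perm(); perm&0o022 != 0 {
		findings = append(findings, fmt.Sprintf("%s is group/world writable (%04o)", binDir, perm))
	}
	seen := map[string]bool{}
	for _, p := range cfg.Providers {
		if !plainName(p.Name) {
			findings = append(findings, fmt.Sprintf("provider name %q is not a plain file name", p.Name))
			continue
		}
		if seen[p.Name] {
			findings = append(findings, "provider "+p.Name+" is listed twice")
			continue
		}
		seen[p.Name] = true
		if len(p.MatchImages) == 0 {
			findings = append(findings, "provider "+p.Name+" has an empty matchImages list")
		}
		bin := filepath.Join(binDir, p.Name)
		info, err := os.Stat(bin)
		if err != nil {
			findings = append(findings, fmt.Sprintf("provider %s: %v", p.Name, err))
			continue
		}
		perm := info.Mode().Perm()
		switch {
		case !info.Mode().IsRegular():
			findings = append(findings, bin+" is not a regular file")
		case perm&0o111 == 0:
			findings = append(findings, bin+" is not executable")
		case perm&0o022 != 0:
			findings = append(findings, fmt.Sprintf("%s is group/world writable (%04o)", bin, perm))
		}
	}
	return findings
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: check-providers <config.json> <bin-dir>")
		os.Exit(2)
	}
	data, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	cfg, err := ParseConfig(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	findings := CheckBinDir(cfg, os.Args[2])
	for _, f := range findings {
		fmt.Println(f)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

Run on a node before (re)starting the kubelet with the new flags; a non-zero exit means a provider the kubelet will look for is missing, misnamed, or sitting in a path another local user could overwrite.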
/lgtm
LGTM label has been added. Git tree hash: e63de64cfee63f69f886792bcb7735245b988167
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: sftim
> "username": "“user”",
> "password": "“token12345”"

Suggested change:
```diff
- "username": "“user”",
- "password": "“token12345”"
+ "username": "exampleuser",
+ "password": "token12345"
```
If you can fix the images to match, that's even better.
Fixed this part and the image, thanks!
force-pushed from 835d1be to 72be85d
/lgtm
LGTM label has been added. Git tree hash: aff2c2712d4cbd2b897d28640d9a5fd1fe32e00c
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
force-pushed from 72be85d to 655d4f3
Sorry, I missed the last review #37647 (review), updated to address those nits
Also LGTM
/lgtm
LGTM label has been added. Git tree hash: 00174437c2bb545fb1a2d6beb55e4eb03cbaa6b5
/hold cancel
Signed-off-by: Andrew Sy Kim andrewsy@google.com
Placeholder feature blog post for KEP-2133