Blog: Kubernetes v1.26: GA Support for Kubelet Credential Providers #37647

Merged
merged 3 commits into from
Dec 12, 2022

Conversation

andrewsykim
Member

Signed-off-by: Andrew Sy Kim <andrewsy@google.com>

Placeholder feature blog post for KEP-2133

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. area/blog Issues or PRs related to the Kubernetes Blog subproject labels Nov 1, 2022
@k8s-ci-robot k8s-ci-robot added language/en Issues or PRs related to English language sig/docs Categorizes an issue or PR as relevant to SIG Docs. labels Nov 1, 2022
@netlify

netlify bot commented Nov 1, 2022

Pull request preview available for checking

Built without sensitive environment variables

Name Link
🔨 Latest commit 655d4f3
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/6391f94dc7c0260008d51cf0
😎 Deploy Preview https://deploy-preview-37647--kubernetes-io-main-staging.netlify.app

@katmutua
Member

Hi @andrewsykim, thank you for the draft doc PR #37647. Please update it to Ready for Review; the deadline is Tuesday 15th November 2022. Thank you!

@andrewsykim
Member Author

@katmutua do feature blogs need to be ready by today as well?

@davidmirror-ops

Hi @andrewsykim, Comms Shadow for the 1.26 release here. This feature blog is tracked for release; the deadline for submitting the draft is November 29. Considering editorial review times, the sooner you can send the draft the better.
If you have any doubts, the Comms team and I are here to help!
cc @fsmunoz

@fsmunoz
Contributor

fsmunoz commented Nov 24, 2022

Hello @andrewsykim, we're doing a global reminder about submitting a draft for review for all opted-in feature blogs. If it's at all possible, it is very helpful for the release team to have drafts submitted for review before the hard deadline date, to better plan the release dates and avoid missing out. Thank you!

@andrewsykim
Member Author

@fsmunoz I have a working draft in a Google Doc; I'll have it copied over here sometime today or tomorrow.

@sftim
Contributor

sftim commented Nov 28, 2022

If you can let the blog team have sight of the Google Doc, we can give you suggestions on that. Google Docs is great for early feedback. However, the deadline for being part of the post-release article series is super imminent now.

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Nov 29, 2022
@andrewsykim andrewsykim changed the title [WIP] Add placeholder blog post for KEP-2133 Blog: Kubernetes v1.26: GA Support for Kubelet Registry Credential Providers Nov 29, 2022
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 29, 2022
the Kubelet to dynamically authenticate and pull images for any container registry service.
In Kubernetes v1.26, this feature is now GA.

{{< figure src="kubelet-credential-providers-plugin.png" alt="Figure 2: Kubelet Credential Provider Overview" >}}
Member Author


@sftim is there a way to add description text for figures?


@andrewsykim
Member Author

(I intend to replace the images, just used placeholder ones for now to see the blog preview)

@andrewsykim andrewsykim force-pushed the blog-kep-2133 branch 2 times, most recently from d3dec40 to ae02bec Compare November 29, 2022 17:30
@sftim
Contributor

sftim commented Nov 29, 2022

If you want to preview locally, see https://kubernetes.io/docs/contribute/new-content/open-a-pr/#preview-locally

@sftim
Contributor

sftim commented Nov 29, 2022

/hold

OK to unhold once this has a publication date assigned and the commits match up with that.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 29, 2022
@fsmunoz
Contributor

fsmunoz commented Dec 7, 2022

@divya-mohan0209 I'm keeping this as not ready for publication pending your input, thanks! As far as I could see the rest is done, including tech review.

Contributor

@sftim sftim left a comment


@andrewsykim you need to fix the article date, see inline feedback.

Other inline feedback is relevant, but less important than the date issue.


We'd love to get these images into SVG format so that people can zoom in on them if needed. If you have editable source that you can turn into PDF or SVG, we can help you convert them.

---
layout: blog
title: 'Kubernetes v1.26: GA Support for Kubelet Credential Providers'
date: 2022-11-28
Contributor

@sftim sftim Dec 7, 2022


Suggested change
date: 2022-11-28
date: 2022-12-22

Please update the path content/en/blog/_posts/2022-11-28-kubelet-credential-providers/index.md to match.

The new plugin mechanism can be used in any cluster, and lets you authenticate to new registries without
any changes to Kubernetes itself. Any cloud provider or vendor can publish a plugin that lets you authenticate with their image registry.

## How it Works
Contributor


(nit)

Suggested change
## How it Works
## How it works

Comment on lines 81 to 82
"username": "“user”",
"password": "“token12345”"
Contributor

@sftim sftim Dec 7, 2022


Is this right:

Suggested change
"username": "“user”",
"password": "token12345"
"username": "exampleuser",
"password": "token12345"

?

Member Author


oops, good catch, thank you

* `--image-credential-provider-bin-dir`: the path to the directory where credential provider plugin binaries are located.

The configuration file passed into `--image-credential-provider-config` is read by the kubelet to determine which exec plugins should be invoked for a container image used by a Pod.
Note that the name of each "provider" must match the name of the binary located in the local directry specified in `--image-credential-provider-bin-dir`, otherwise the Kubelet
Contributor


Suggested change
Note that the name of each "provider" must match the name of the binary located in the local directry specified in `--image-credential-provider-bin-dir`, otherwise the Kubelet
Note that the name of each _provider_ must match the name of the binary located in the local
directory specified in `--image-credential-provider-bin-dir`, otherwise the kubelet

“directry” was a typo, and I made other style fixes

Contributor

@divya-mohan0209 divya-mohan0209 left a comment


Left some suggestions. Hope you find them useful.


**Authors:** Andrew Sy Kim (Google), Dixita Narang (Google)

Kubernetes v1.26 introduced generally available (GA) support for _kubelet credential
Contributor


Do we want to link the docs here? i.e. /docs/tasks/kubelet-credential-provider/kubelet-credential-provider/

Suggested change
Kubernetes v1.26 introduced generally available (GA) support for _kubelet credential
Kubernetes v1.26 introduced generally available (GA) support for _kubelet credential

{{< figure src="kubelet-credential-providers-in-tree.png" caption="Figure 1: Kubelet built-in credential provider support for Amazon Elastic Container Registry, Azure Container Registry, and Google Cloud Container Registry." >}}

Kubernetes v1.20 introduced alpha support for kubelet credential providers plugins,
which provide a mechanism for the kubelet to dynamically authenticate and pull images
Contributor


Spelling nit

Suggested change
which provide a mechanism for the kubelet to dynamically authenticate and pull images
which provides a mechanism for the kubelet to dynamically authenticate and pull images


## How it Works

The kubelet and the credential provider plugin binary communicate through stdio (stdin, stdout, and stderr) by sending and receiving
Contributor


I'm not sure if you're referring to the same thing with the terms exec plugin & credential provider plugin binary. In the docs, the exec plugin term is used currently.

Suggested change
The kubelet and the credential provider plugin binary communicate through stdio (stdin, stdout, and stderr) by sending and receiving
The kubelet and the exec plugin communicate through stdio (stdin, stdout, and stderr) by sending and receiving


The kubelet and the credential provider plugin binary communicate through stdio (stdin, stdout, and stderr) by sending and receiving
json-serialized api-versioned types. If the exec plugin is enabled and the kubelet requires authentication information for an image
that matches against a plugin, the kubelet will exec the plugin binary, passing the `CredentialProviderRequest` API via stdin. Then
Contributor


Since it is a verb, I think it should be written completely.

Suggested change
that matches against a plugin, the kubelet will exec the plugin binary, passing the `CredentialProviderRequest` API via stdin. Then
that matches against a plugin, the kubelet will execute the plugin binary, passing the `CredentialProviderRequest` API via stdin. Then


{{< figure src="kubelet-credential-providers-how-it-works.png" caption="Figure 3: Kubelet credential provider plugin flow" >}}

On receiving credentials from the Kubelet, the plugin can also indicate how long credentials can be cached for, to prevent unecessary
Contributor


Capitalization of kubelet not required.

Suggested change
On receiving credentials from the Kubelet, the plugin can also indicate how long credentials can be cached for, to prevent unecessary
On receiving credentials from the kubelet, the plugin can also indicate how long credentials can be cached for, to prevent unnecessary

{{< figure src="kubelet-credential-providers-how-it-works.png" caption="Figure 3: Kubelet credential provider plugin flow" >}}

On receiving credentials from the Kubelet, the plugin can also indicate how long credentials can be cached for, to prevent unecessary
execution of the plugin by the Kubelet for subsequent image pull requests to the same registry. In cases where the cache duration
Contributor


Suggested change
execution of the plugin by the Kubelet for subsequent image pull requests to the same registry. In cases where the cache duration
execution of the plugin by the kubelet for subsequent image pull requests to the same registry. In cases where the cache duration


In addition, the plugin can specify the scope in which cached credentials are valid for. This is specified through the `cacheKeyType` field
in `CredentialProviderResponse`. When the value is `Image`, the kubelet will only use cached credentials for future image pulls that exactly
match the image of the first request. When the value is `Registry`, the kubelet will use cached credentials for any subsequent image pulls
Contributor


For the Registry value, do we mean to say that the kubelet uses cached credentials for image pulls from the same registry host? Adding the verb originate here could confuse the audience because they might assume that the image-pulling action originates at the registry host end.

Suggested change
match the image of the first request. When the value is `Registry`, the kubelet will use cached credentials for any subsequent image pulls
match the image of the first request. When the value is `Registry`, the kubelet will use cached credentials for any subsequent image pulls

In addition, the plugin can specify the scope in which cached credentials are valid for. This is specified through the `cacheKeyType` field
in `CredentialProviderResponse`. When the value is `Image`, the kubelet will only use cached credentials for future image pulls that exactly
match the image of the first request. When the value is `Registry`, the kubelet will use cached credentials for any subsequent image pulls
that originate from the same registry host, but using different paths (e.g. `gcr.io/foo/bar` and `gcr.io/bar/foo` refer to different images
Contributor


Suggested change
that originate from the same registry host, but using different paths (e.g. `gcr.io/foo/bar` and `gcr.io/bar/foo` refer to different images
from the same registry host, but use different paths (for example, `gcr.io/foo/bar` and `gcr.io/bar/foo` refer to different images

in `CredentialProviderResponse`. When the value is `Image`, the kubelet will only use cached credentials for future image pulls that exactly
match the image of the first request. When the value is `Registry`, the kubelet will use cached credentials for any subsequent image pulls
that originate from the same registry host, but using different paths (e.g. `gcr.io/foo/bar` and `gcr.io/bar/foo` refer to different images
from the same registry). And lastly, when the value is `Global`, the kubelet will use returned credentials for all images that match against
Contributor


Suggested change
from the same registry). And lastly, when the value is `Global`, the kubelet will use returned credentials for all images that match against
from the same registry).
Lastly, when the value is `Global`, the kubelet will use returned credentials for all images that match against
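The article text under review describes the stdio exchange (the kubelet executes the plugin, writes a `CredentialProviderRequest` to its stdin and reads a `CredentialProviderResponse` from stdout) and the three `cacheKeyType` scopes. The Go program below is an added example for this review thread, not the blog's or the kubelet's own code: it implements the plugin side of that exchange and models how far a returned credential is reused under `Image`, `Registry` and `Global`. The request/response structs are local stand-ins that mirror the JSON shape of the `credentialprovider.kubelet.k8s.io/v1` API so the example builds without Kubernetes modules; `cacheKey` is a simplified illustration of the scoping rule rather than the kubelet's implementation, and the `exampleuser`/`token12345` credential is a constructed placeholder.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// apiVersion of the kubelet credential provider exec API that went GA in v1.26.
const apiVersion = "credentialprovider.kubelet.k8s.io/v1"

// Local stand-ins for the request/response types. They mirror the JSON shape of
// the v1 API so this example builds without the Kubernetes modules; the real
// types live in k8s.io/kubelet/pkg/apis/credentialprovider/v1.
type CredentialProviderRequest struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Image      string `json:"image"` // the image the kubelet is about to pull
}

type AuthConfig struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

type CredentialProviderResponse struct {
	APIVersion    string                `json:"apiVersion"`
	Kind          string                `json:"kind"`
	CacheKeyType  string                `json:"cacheKeyType"`            // Image, Registry or Global
	CacheDuration string                `json:"cacheDuration,omitempty"` // metav1.Duration serializes as e.g. "5m0s"
	Auth          map[string]AuthConfig `json:"auth,omitempty"`          // keyed by image-match pattern
}

// registryHost returns the registry part of an image reference using the usual
// Docker convention: a first path component containing '.' or ':' (or equal to
// "localhost") names a host; anything else is an image on Docker Hub.
func registryHost(image string) string {
	first, _, found := strings.Cut(image, "/")
	if !found || (!strings.ContainsAny(first, ".:") && first != "localhost") {
		return "docker.io"
	}
	return first
}

// cacheKey models the scope under which a cached credential is reused for each
// cacheKeyType value the article describes. Simplified illustration of the rule,
// not the kubelet's own cache implementation.
func cacheKey(image, cacheKeyType string) (string, error) {
	switch cacheKeyType {
	case "Image":
		return image, nil // only an identical image reference reuses the credential
	case "Registry":
		return registryHost(image), nil // any path on the same host reuses it
	case "Global":
		return "*", nil // every image matched to this plugin reuses it
	default:
		return "", fmt.Errorf("unknown cacheKeyType %q", cacheKeyType)
	}
}

// handleRequest is the plugin side of the stdio exchange: decode the request the
// kubelet wrote to stdin, validate its type, and write a response to stdout.
// The credential returned here is a constructed placeholder for the example.
func handleRequest(in io.Reader, out io.Writer) error {
	var req CredentialProviderRequest
	if err := json.NewDecoder(in).Decode(&req); err != nil {
		return fmt.Errorf("decode request: %w", err)
	}
	if req.APIVersion != apiVersion || req.Kind != "CredentialProviderRequest" {
		return fmt.Errorf("unexpected request type %s/%s", req.APIVersion, req.Kind)
	}
	if req.Image == "" {
		return fmt.Errorf("request has no image")
	}
	host := registryHost(req.Image)
	resp := CredentialProviderResponse{
		APIVersion:    apiVersion,
		Kind:          "CredentialProviderResponse",
		CacheKeyType:  "Registry", // reused for the whole host, never across hosts
		CacheDuration: "5m0s",     // a short lifetime bounds how long a leaked token stays useful
		Auth: map[string]AuthConfig{
			// Constructed sample credential (values taken from the article's example).
			host: {Username: "exampleuser", Password: "token12345"},
		},
	}
	return json.NewEncoder(out).Encode(resp)
}

func main() {
	if err := handleRequest(os.Stdin, os.Stdout); err != nil {
		fmt.Fprintln(os.Stderr, "credential provider:", err)
		os.Exit(1)
	}
}
```

Run as a plugin it behaves the way the article describes: `echo '{"apiVersion":"credentialprovider.kubelet.k8s.io/v1","kind":"CredentialProviderRequest","image":"gcr.io/foo/bar"}' | ./plugin` prints a response whose `auth` entry is keyed by `gcr.io`. The `cacheKey` function makes the scoping trade-off concrete: under `Registry`, `gcr.io/foo/bar` and `gcr.io/bar/foo` share one cached credential while `k8s.gcr.io` does not, and under `Global` everything the plugin matches shares it, so the wider the scope, the more images a single returned credential is exposed to.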

Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
@andrewsykim
Member Author

I think I addressed all your comments @divya-mohan0209, please take another look!

Contributor

@divya-mohan0209 divya-mohan0209 left a comment


Small nits. But otherwise LGTM!

Thank you @andrewsykim !

In addition, the plugin can specify the scope in which cached credentials are valid for. This is specified through the `cacheKeyType` field
in `CredentialProviderResponse`. When the value is `Image`, the kubelet will only use cached credentials for future image pulls that exactly
match the image of the first request. When the value is `Registry`, the kubelet will use cached credentials for any subsequent image pulls
destined for the same registry host, but use different paths (for example, `gcr.io/foo/bar` and `gcr.io/bar/foo` refer to different images
Contributor


I changed "using" to "use" erroneously earlier on. Sorry about that.

Suggested change
destined for the same registry host, but use different paths (for example, `gcr.io/foo/bar` and `gcr.io/bar/foo` refer to different images
destined for the same registry host but using different paths (for example, `gcr.io/foo/bar` and `gcr.io/bar/foo` refer to different images

match the image of the first request. When the value is `Registry`, the kubelet will use cached credentials for any subsequent image pulls
destined for the same registry host, but use different paths (for example, `gcr.io/foo/bar` and `gcr.io/bar/foo` refer to different images
from the same registry). Lastly, when the value is `Global`, the kubelet will use returned credentials for all images that match against
the plugin, including images that can map to different registry hosts (e.g. gcr.io vs k8s.gcr.io). The `cacheKeyType` field is required by plugin
Contributor


nit.

Suggested change
the plugin, including images that can map to different registry hosts (e.g. gcr.io vs k8s.gcr.io). The `cacheKeyType` field is required by plugin
the plugin, including images that can map to different registry hosts (for example, gcr.io vs k8s.gcr.io). The `cacheKeyType` field is required by the plugin

* `--image-credential-provider-bin-dir`: the path to the directory where credential provider plugin binaries are located.

The configuration file passed into `--image-credential-provider-config` is read by the kubelet to determine which exec plugins should be invoked for a container image used by a Pod.
Note that the name of each _provider_ must match the name of the binary located in the local directory specified in `--image-credential-provider-bin-dir`, otherwise the Kubelet
Contributor


nit.

Suggested change
Note that the name of each _provider_ must match the name of the binary located in the local directory specified in `--image-credential-provider-bin-dir`, otherwise the Kubelet
Note that the name of each _provider_ must match the name of the binary located in the local directory specified in `--image-credential-provider-bin-dir`, otherwise the kubelet

@sftim
Contributor

sftim commented Dec 8, 2022

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 8, 2022
@k8s-ci-robot
Contributor

LGTM label has been added.

Git tree hash: e63de64cfee63f69f886792bcb7735245b988167

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sftim

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 8, 2022
Comment on lines 82 to 83
"username": "“user”",
"password": "“token12345”"
Contributor


Suggested change
"username": "“user”",
"password": "token12345"
"username": "exampleuser",
"password": "token12345"

Contributor


If you can fix the images to match, that's even better.

Member Author


Fixed this part and the image, thanks!

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 8, 2022
@sftim
Contributor

sftim commented Dec 8, 2022

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 8, 2022
@k8s-ci-robot
Contributor

LGTM label has been added.

Git tree hash: aff2c2712d4cbd2b897d28640d9a5fd1fe32e00c

Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 8, 2022
@andrewsykim
Member Author

Sorry, I missed the last review #37647 (review), updated to address those nits

@sftim
Contributor

sftim commented Dec 8, 2022

Also LGTM

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 8, 2022
@k8s-ci-robot
Contributor

LGTM label has been added.

Git tree hash: 00174437c2bb545fb1a2d6beb55e4eb03cbaa6b5

@andrewsykim
Member Author

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 12, 2022
@k8s-ci-robot k8s-ci-robot merged commit 19a22d4 into kubernetes:main Dec 12, 2022
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/blog Issues or PRs related to the Kubernetes Blog subproject cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. language/en Issues or PRs related to English language lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/docs Categorizes an issue or PR as relevant to SIG Docs. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
Status: Published