pullmanager

package v1.33.0
Published: Apr 23, 2025 License: Apache-2.0 Imports: 24 Imported by: 0

Documentation

Overview

The pullmanager package keeps the implementation of the image pull manager and the image credential verification policies.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewFSPullRecordsAccessor

func NewFSPullRecordsAccessor(kubeletDir string) (*fsPullRecordsAccessor, error)

NewFSPullRecordsAccessor returns an accessor for the ImagePullIntent/ImagePulledRecord records with a filesystem as the backing database.

func ValidateAllowlistImagesPatterns

func ValidateAllowlistImagesPatterns(patterns []string) error

Types

type ImagePullManager

type ImagePullManager interface {
	// RecordPullIntent records an intent to pull an image and should be called
	// before a pull of the image occurs.
	//
	// RecordPullIntent() should be called before every image pull. Each call of
	// RecordPullIntent() must match exactly one call of RecordImagePulled()/RecordImagePullFailed().
	//
	// `image` is the content of the pod's container `image` field.
	RecordPullIntent(image string) error
	// RecordImagePulled writes a record of an image being successfully pulled
	// with ImagePullCredentials.
	//
	// `credentials` must not be nil and must contain either exactly one Kubernetes
	// Secret coordinates in the `.KubernetesSecrets` slice or set `.NodePodsAccessible`
	// to `true`.
	//
	// `image` is the content of the pod's container `image` field.
	RecordImagePulled(image, imageRef string, credentials *kubeletconfiginternal.ImagePullCredentials)
	// RecordImagePullFailed should be called if an image failed to pull.
	//
	// Internally, it lowers its reference counter for the given image. If the
	// counter reaches zero, the pull intent record for the image is removed.
	//
	// `image` is the content of the pod's container `image` field.
	RecordImagePullFailed(image string)
	// MustAttemptImagePull evaluates the policy for the image specified in
	// `image` and if the policy demands verification, it checks the internal
	// cache to see if there's a record of pulling the image with the presented
	// set of credentials or if the image can be accessed by any of the node's pods.
	//
	// Returns true if the policy demands verification and no record of the pull
	// was found in the cache.
	//
	// `image` is the content of the pod's container `image` field.
	MustAttemptImagePull(image, imageRef string, credentials []kubeletconfiginternal.ImagePullSecret) bool
	// PruneUnknownRecords deletes all of the cache ImagePulledRecords for each of the images
	// whose imageRef does not appear in the `imageList` iff such a record was last updated
	// _before_ the `until` timestamp.
	//
	// This method is only expected to be called by the kubelet's image garbage collector.
	// `until` is a timestamp created _before_ the `imageList` was requested from the CRI.
	PruneUnknownRecords(imageList []string, until time.Time)
}

ImagePullManager keeps the state of images that were pulled and which are currently still being pulled. It should keep an internal state of images currently being pulled by the kubelet in order to determine whether to destroy a "pulling" record should an image pull fail.
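As an added example (not code from the kubelet), the state machine the interface describes, implemented over plain maps: RecordPullIntent counts in-flight pulls per image, RecordImagePulled and RecordImagePullFailed each release one intent, RecordImagePulled stores which credentials proved access to an imageRef, and MustAttemptImagePull applies the policy and then looks the presented secrets up in that record. SecretRef, PullCredentials, pullRecord and MemPullManager are simplified stand-ins of this example for the kubeletconfiginternal types and for PullManager; the policy callback has the ImagePullPolicyEnforcerFunc shape; locking is left out because the real PullManager covers that with a StripedLockSet.

```go
package main

import "fmt"

// ImagePullPolicyEnforcerFunc mirrors the policy function type documented on this page.
type ImagePullPolicyEnforcerFunc func(image string, imagePulledByKubelet bool) bool

// SecretRef and PullCredentials are simplified stand-ins (an assumption of this
// example) for kubeletconfiginternal.ImagePullSecret and ImagePullCredentials.
type SecretRef struct{ Namespace, Name, CredentialHash string }

type PullCredentials struct {
	KubernetesSecrets  []SecretRef
	NodePodsAccessible bool
}

// ValidCredentials is the RecordImagePulled contract: exactly one secret, or NodePodsAccessible.
func ValidCredentials(c *PullCredentials) bool {
	return c != nil && (c.NodePodsAccessible || len(c.KubernetesSecrets) == 1)
}

// pullRecord stands in for an ImagePulledRecord entry: the credentials that proved
// access to one imageRef under one image name.
type pullRecord struct {
	secrets        map[SecretRef]bool
	nodeAccessible bool
}

// MemPullManager is an in-memory, single-goroutine ImagePullManager written for this
// example (the real PullManager guards its state with a StripedLockSet).
type MemPullManager struct {
	policy  ImagePullPolicyEnforcerFunc
	intents map[string]int                    // image -> pulls in flight
	pulled  map[string]map[string]*pullRecord // imageRef -> image name -> record
}

func NewMemPullManager(policy ImagePullPolicyEnforcerFunc) *MemPullManager {
	return &MemPullManager{policy: policy, intents: map[string]int{}, pulled: map[string]map[string]*pullRecord{}}
}

// RecordPullIntent raises the in-flight counter; every call must be paired with
// exactly one RecordImagePulled or RecordImagePullFailed.
func (m *MemPullManager) RecordPullIntent(image string) error {
	m.intents[image]++
	return nil
}

// releaseIntent lowers the counter and removes the intent record at zero.
func (m *MemPullManager) releaseIntent(image string) {
	if m.intents[image]--; m.intents[image] <= 0 {
		delete(m.intents, image)
	}
}

func (m *MemPullManager) RecordImagePullFailed(image string) { m.releaseIntent(image) }

// RecordImagePulled remembers which credentials proved access to imageRef. Invalid
// credentials are dropped (the kubelet would log them), so no unverifiable record
// can later satisfy MustAttemptImagePull.
func (m *MemPullManager) RecordImagePulled(image, imageRef string, creds *PullCredentials) {
	m.releaseIntent(image)
	if !ValidCredentials(creds) {
		return
	}
	if m.pulled[imageRef] == nil {
		m.pulled[imageRef] = map[string]*pullRecord{}
	}
	rec := m.pulled[imageRef][image]
	if rec == nil {
		rec = &pullRecord{secrets: map[SecretRef]bool{}}
		m.pulled[imageRef][image] = rec
	}
	rec.nodeAccessible = rec.nodeAccessible || creds.NodePodsAccessible
	for _, s := range creds.KubernetesSecrets {
		rec.secrets[s] = true
	}
}

// MustAttemptImagePull returns true when the policy demands verification and no
// record shows imageRef pulled as `image` with one of podSecrets or with node-wide
// access. An in-flight intent already counts as "pulled by the kubelet", so a
// half-finished pull is never mistaken for a preloaded image.
func (m *MemPullManager) MustAttemptImagePull(image, imageRef string, podSecrets []SecretRef) bool {
	byImage, hasRecord := m.pulled[imageRef]
	_, hasIntent := m.intents[image]
	if !m.policy(image, hasRecord || hasIntent) {
		return false
	}
	rec := byImage[image] // the same digest pulled under another name does not count
	if rec == nil {
		return true
	}
	if rec.nodeAccessible {
		return false
	}
	for _, s := range podSecrets {
		if rec.secrets[s] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample: tenant A pulled a private image with its own secret, so
	// tenant B, presenting a different secret for the same digest, must prove access.
	m := NewMemPullManager(func(_ string, pulledByKubelet bool) bool { return pulledByKubelet })
	a, b := SecretRef{"team-a", "regcred", "hash-a"}, SecretRef{"team-b", "regcred", "hash-b"}
	img, ref := "registry.example/private/app:1.0", "sha256:constructed-digest"
	_ = m.RecordPullIntent(img)
	m.RecordImagePulled(img, ref, &PullCredentials{KubernetesSecrets: []SecretRef{a}})
	fmt.Println(m.MustAttemptImagePull(img, ref, []SecretRef{a}), m.MustAttemptImagePull(img, ref, []SecretRef{b})) // false true
}
```

The scenario in main is the tenant-isolation case PullManager exists for: once tenant A has pulled a private image, tenant B cannot reuse the cached layers just because the digest is present on the node; it must present credentials that were actually accepted for that image, or the image must have been recorded as NodePodsAccessible. The in-flight intent counting as "pulled by the kubelet" is what stops a pull that is still running from being mistaken for a preloaded image by a policy such as NeverVerifyPreloadedPullPolicy.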

type ImagePullPolicyEnforcer

type ImagePullPolicyEnforcer interface {
	RequireCredentialVerificationForImage(image string, imagePulledByKubelet bool) bool
}

ImagePullPolicyEnforcer defines a class of functions implementing credential verification policies for image pulls. These functions determine whether the implemented policy requires credential verification based on the image name, local image presence and the existence of records about previous image pulls.

`image` is an image name from a Pod's container "image" field. `imagePresent` informs whether the `image` is present on the node. `imagePulledByKubelet` marks that ImagePulledRecord or ImagePullIntent records for the `image` exist on the node, meaning it was pulled by the kubelet at some point in the past.

type ImagePullPolicyEnforcerFunc

type ImagePullPolicyEnforcerFunc func(image string, imagePulledByKubelet bool) bool

ImagePullPolicyEnforcerFunc is a function type that implements the ImagePullPolicyEnforcer interface.

func AlwaysVerifyImagePullPolicy

func AlwaysVerifyImagePullPolicy() ImagePullPolicyEnforcerFunc

func NeverVerifyImagePullPolicy

func NeverVerifyImagePullPolicy() ImagePullPolicyEnforcerFunc

func NeverVerifyPreloadedPullPolicy

func NeverVerifyPreloadedPullPolicy() ImagePullPolicyEnforcerFunc

func (ImagePullPolicyEnforcerFunc) RequireCredentialVerificationForImage

func (e ImagePullPolicyEnforcerFunc) RequireCredentialVerificationForImage(image string, imagePulledByKubelet bool) bool

type NeverVerifyAllowlistedImages

type NeverVerifyAllowlistedImages struct {
	// contains filtered or unexported fields
}

func NewNeverVerifyAllowListedPullPolicy

func NewNeverVerifyAllowListedPullPolicy(allowList []string) (*NeverVerifyAllowlistedImages, error)

func (*NeverVerifyAllowlistedImages) RequireCredentialVerificationForImage

func (p *NeverVerifyAllowlistedImages) RequireCredentialVerificationForImage(image string, imagePulledByKubelet bool) bool
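As an added example, not the kubelet's own code, the three function-typed policies above together with an allowlist policy in the shape of NeverVerifyAllowlistedImages. The reading of NeverVerifyPreloadedPullPolicy (verify exactly when the kubelet itself pulled the image) and the pattern rules (an exact image name, or a path prefix with a trailing "/*" wildcard) are assumptions of this example; AllowlistPolicy, NewAllowlistPolicy and ValidateAllowlistPatterns are hypothetical stand-ins for NeverVerifyAllowlistedImages, NewNeverVerifyAllowListedPullPolicy and ValidateAllowlistImagesPatterns, whose real pattern semantics this page does not document.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ImagePullPolicyEnforcerFunc mirrors the policy function type documented on this page.
type ImagePullPolicyEnforcerFunc func(image string, imagePulledByKubelet bool) bool

func (e ImagePullPolicyEnforcerFunc) RequireCredentialVerificationForImage(image string, imagePulledByKubelet bool) bool {
	return e(image, imagePulledByKubelet)
}

func AlwaysVerifyImagePullPolicy() ImagePullPolicyEnforcerFunc {
	return func(string, bool) bool { return true }
}

func NeverVerifyImagePullPolicy() ImagePullPolicyEnforcerFunc {
	return func(string, bool) bool { return false }
}

// Assumed reading of NeverVerifyPreloadedPullPolicy: an image with no kubelet pull
// record was preloaded onto the node and is exempt; anything the kubelet itself
// pulled must have its credentials verified.
func NeverVerifyPreloadedPullPolicy() ImagePullPolicyEnforcerFunc {
	return func(_ string, imagePulledByKubelet bool) bool { return imagePulledByKubelet }
}

// AllowlistPolicy is this example's stand-in for NeverVerifyAllowlistedImages. The
// pattern semantics are an assumption: a pattern is either a full image name
// (exact match) or a path prefix ending in "/*" (matches any image below it).
type AllowlistPolicy struct {
	exact    map[string]bool
	prefixes []string
}

// ValidateAllowlistPatterns (example version) rejects empty patterns and any
// wildcard that is not a trailing "/*" segment, so a typo cannot silently widen
// the set of images that skip credential verification.
func ValidateAllowlistPatterns(patterns []string) error {
	for _, p := range patterns {
		if p == "" {
			return errors.New("empty allowlist pattern")
		}
		if star := strings.Index(p, "*"); star >= 0 && (star != len(p)-1 || !strings.HasSuffix(p, "/*")) {
			return fmt.Errorf("pattern %q: a wildcard is only allowed as a trailing \"/*\" segment", p)
		}
	}
	return nil
}

func NewAllowlistPolicy(allowList []string) (*AllowlistPolicy, error) {
	if err := ValidateAllowlistPatterns(allowList); err != nil {
		return nil, err
	}
	p := &AllowlistPolicy{exact: map[string]bool{}}
	for _, pat := range allowList {
		if strings.HasSuffix(pat, "/*") {
			p.prefixes = append(p.prefixes, strings.TrimSuffix(pat, "*")) // keep the trailing "/"
		} else {
			p.exact[pat] = true
		}
	}
	return p, nil
}

// RequireCredentialVerificationForImage exempts allowlisted images and applies the
// preloaded rule to everything else.
func (p *AllowlistPolicy) RequireCredentialVerificationForImage(image string, imagePulledByKubelet bool) bool {
	if p.exact[image] {
		return false
	}
	for _, pre := range p.prefixes {
		if strings.HasPrefix(image, pre) {
			return false
		}
	}
	return imagePulledByKubelet
}

func main() {
	// Constructed allowlist and image names.
	policy, err := NewAllowlistPolicy([]string{"registry.example/public/*", "docker.io/library/busybox:1.36"})
	if err != nil {
		panic(err)
	}
	for _, img := range []string{"registry.example/public/nginx:1.27", "registry.example/private/app:1.0"} {
		fmt.Printf("%-40s verify=%v\n", img, policy.RequireCredentialVerificationForImage(img, true))
	}
}
```

Validating the patterns before the policy is built matters because an allowlist is a verification bypass: a pattern with a misplaced wildcard should fail at construction rather than quietly match nothing, or match more than intended. Keeping the "/" on the stored prefix is what stops "registry.example/public/*" from also exempting "registry.example/publicity:1".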

type NoopImagePullManager

type NoopImagePullManager struct{}

func (*NoopImagePullManager) MustAttemptImagePull

func (m *NoopImagePullManager) MustAttemptImagePull(_, _ string, _ []kubeletconfiginternal.ImagePullSecret) bool

func (*NoopImagePullManager) PruneUnknownRecords

func (m *NoopImagePullManager) PruneUnknownRecords(_ []string, _ time.Time)

func (*NoopImagePullManager) RecordImagePullFailed

func (m *NoopImagePullManager) RecordImagePullFailed(image string)

func (*NoopImagePullManager) RecordImagePulled

func (*NoopImagePullManager) RecordPullIntent

func (m *NoopImagePullManager) RecordPullIntent(_ string) error

type PullManager

type PullManager struct {
	// contains filtered or unexported fields
}

PullManager is an implementation of the ImagePullManager. It tracks images pulled by the kubelet by creating records about ongoing and successful pulls. It tracks the credentials used with each successful pull in order to be able to distinguish tenants requesting access to an image that exists on the kubelet's node.

func NewImagePullManager

func NewImagePullManager(ctx context.Context, recordsAccessor PullRecordsAccessor, imagePullPolicy ImagePullPolicyEnforcer, imageService kubecontainer.ImageService, lockStripesNum int32) (*PullManager, error)

func (*PullManager) MustAttemptImagePull

func (f *PullManager) MustAttemptImagePull(image, imageRef string, podSecrets []kubeletconfiginternal.ImagePullSecret) bool

func (*PullManager) PruneUnknownRecords

func (f *PullManager) PruneUnknownRecords(imageList []string, until time.Time)

func (*PullManager) RecordImagePullFailed

func (f *PullManager) RecordImagePullFailed(image string)

func (*PullManager) RecordImagePulled

func (f *PullManager) RecordImagePulled(image, imageRef string, credentials *kubeletconfiginternal.ImagePullCredentials)

func (*PullManager) RecordPullIntent

func (f *PullManager) RecordPullIntent(image string) error

type PullRecordsAccessor

type PullRecordsAccessor interface {
	// ListImagePullIntents lists all the ImagePullIntents in the database.
	// ImagePullIntents that cannot be decoded will not appear in the list.
	// Returns nil and an error if there was a problem reading from the database.
	//
	// This method may return partial success in case there were errors listing
	// the results. A list of records that were successfully read and an aggregated
	// error is returned in that case.
	ListImagePullIntents() ([]*kubeletconfiginternal.ImagePullIntent, error)
	// ImagePullIntentExists returns whether a valid ImagePullIntent is present
	// for the given image.
	ImagePullIntentExists(image string) (bool, error)
	// WriteImagePullIntent writes an intent record for the image into the database.
	WriteImagePullIntent(image string) error
	// DeleteImagePullIntent removes an `image` intent record from the database
	DeleteImagePullIntent(image string) error

	// ListImagePulledRecords lists the database ImagePulledRecords.
	// Records that cannot be decoded will be ignored.
	// Returns an error if there was a problem reading from the database.
	//
	// This method may return partial success in case there were errors listing
	// the results. A list of records that were successfully read and an aggregated
	// error is returned in that case.
	ListImagePulledRecords() ([]*kubeletconfiginternal.ImagePulledRecord, error)
	// GetImagePulledRecord fetches an ImagePulledRecord for the given `imageRef`.
	// If a file for the `imageRef` is present but the contents cannot be decoded,
	// it returns exists=true with err equal to the decoding error.
	GetImagePulledRecord(imageRef string) (record *kubeletconfiginternal.ImagePulledRecord, exists bool, err error)
	// WriteImagePulledRecord writes an ImagePulledRecord into the database.
	WriteImagePulledRecord(record *kubeletconfiginternal.ImagePulledRecord) error
	// DeleteImagePulledRecord removes an ImagePulledRecord for `imageRef` from the
	// database.
	DeleteImagePulledRecord(imageRef string) error
}

PullRecordsAccessor allows unified access to ImagePullIntents/ImagePulledRecords regardless of the backing database implementation.

type StripedLockSet

type StripedLockSet struct {
	// contains filtered or unexported fields
}

StripedLockSet allows context locking based on string keys, where each key is mapped to an index in a size-limited slice of locks.

func NewStripedLockSet

func NewStripedLockSet(size int32) *StripedLockSet

NewStripedLockSet creates a StripedLockSet with `size` locks, used for locking contexts keyed by strings. The size is normalized to stay in the closed interval [1, 31].

func (*StripedLockSet) GlobalLock

func (s *StripedLockSet) GlobalLock()

func (*StripedLockSet) GlobalUnlock

func (s *StripedLockSet) GlobalUnlock()

func (*StripedLockSet) Lock

func (s *StripedLockSet) Lock(key string)

func (*StripedLockSet) Unlock

func (s *StripedLockSet) Unlock(key string)
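An added example, not the kubelet's code, of how a striped lock set of this shape works: keys hash onto a bounded slice of mutexes, Lock/Unlock take the stripe for one key, and GlobalLock/GlobalUnlock take every stripe in a fixed order. StripedLocks, StripeIndex, Size and CountUnderLocks are names of this example; the FNV-1a hash is its choice, and the [1, 31] clamp follows the NewStripedLockSet description above.

```go
package main

import (
	"fmt"
	"hash/fnv"
	"sync"
)

// StripedLocks is this example's version of StripedLockSet: every key hashes onto
// one of a fixed number of mutexes, so pulls of unrelated images never contend,
// while GlobalLock takes every stripe for work that must see all records at once.
type StripedLocks struct {
	locks []sync.Mutex
}

// NewStripedLocks clamps size into the closed interval [1, 31], as the page says
// NewStripedLockSet does.
func NewStripedLocks(size int32) *StripedLocks {
	if size < 1 {
		size = 1
	}
	if size > 31 {
		size = 31
	}
	return &StripedLocks{locks: make([]sync.Mutex, size)}
}

func (s *StripedLocks) Size() int { return len(s.locks) }

// StripeIndex maps a key to its stripe; the hash (FNV-1a) is this example's choice.
func (s *StripedLocks) StripeIndex(key string) int {
	h := fnv.New32a()
	h.Write([]byte(key))
	return int(h.Sum32() % uint32(len(s.locks)))
}

func (s *StripedLocks) Lock(key string)   { s.locks[s.StripeIndex(key)].Lock() }
func (s *StripedLocks) Unlock(key string) { s.locks[s.StripeIndex(key)].Unlock() }

// GlobalLock acquires the stripes in index order, so two GlobalLock callers cannot
// deadlock each other, and returns only once every per-key holder has released.
func (s *StripedLocks) GlobalLock() {
	for i := range s.locks {
		s.locks[i].Lock()
	}
}

func (s *StripedLocks) GlobalUnlock() {
	for i := range s.locks {
		s.locks[i].Unlock()
	}
}

// CountUnderLocks exercises the set: perImage goroutines per image each bump that
// image's counter under Lock(image); a slot is written only under its own stripe,
// so the counts come out exact. The final snapshot is taken under GlobalLock, the
// way a whole-cache pass such as PruneUnknownRecords would take it.
func CountUnderLocks(images []string, perImage int, stripes int32) map[string]int {
	s := NewStripedLocks(stripes)
	counts := make([]int, len(images))
	var wg sync.WaitGroup
	for i, img := range images {
		for n := 0; n < perImage; n++ {
			wg.Add(1)
			go func(i int, img string) {
				defer wg.Done()
				s.Lock(img)
				defer s.Unlock(img)
				counts[i]++
			}(i, img)
		}
	}
	wg.Wait()
	s.GlobalLock()
	defer s.GlobalUnlock()
	out := make(map[string]int, len(images))
	for i, img := range images {
		out[img] = counts[i]
	}
	return out
}

func main() {
	// Constructed image names; each counter must reach exactly 100.
	fmt.Println(CountUnderLocks([]string{"registry.example/a:1", "registry.example/b:1"}, 100, 4))
}
```

A bounded number of stripes caps the lock set's memory no matter how many distinct image names pass through the kubelet, at the price of occasional false sharing between two images that hash to the same stripe. Taking the stripes in index order inside GlobalLock is what keeps two concurrent global lockers from deadlocking each other; a per-key Lock only ever holds one stripe, so it can never form a cycle with them.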
