You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When pulling an image, kubelet is providing the credentials to the CRI implementation. The CRI implementation (containerd, cri-o, ...) uses the provided credentials against the upstream registry to pull the image.
We are running the proxy (pull through cache) in a Kubernetes cluster. We configure the CRI implementation (containerd for our case) to make use of the deployed proxy in the cluster. See Registry Configuration - Introduction.
The proxy does not respect/use the authentication provided to it via containerd.
Instead, the proxy support only one set of credentials per instance (per remoteurl). See Configure the cache:
Description
Kubernetes has well defined ways of providing credentials for image pulls:
When pulling an image, kubelet is providing the credentials to the CRI implementation. The CRI implementation (containerd, cri-o, ...) uses the provided credentials against the upstream registry to pull the image.
We are running the proxy (pull through cache) in a Kubernetes cluster. We configure the CRI implementation (containerd for our case) to make use of the deployed proxy in the cluster. See Registry Configuration - Introduction.
The proxy does not respect/use the authentication provided to it via containerd.
Instead, the proxy support only one set of credentials per instance (per remoteurl). See Configure the cache:
This makes it unusable for many of the cases as in Kubernetes you can provide many image pull secrets for your Pods.
It would be great if the proxy can use the provided credentials in the image pull request and use them against the upstream.
The text was updated successfully, but these errors were encountered: