Fallback to trying kic image without SHA when using image registry #20226
Conversation
Signed-off-by: ghosind <[email protected]>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: ghosind The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
cncf-cla: yes
|
Hi @ghosind. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
the
size/S
|
Can one of the admins verify this patch? |
There was a problem hiding this comment.
hi @ghosind do you mind explaining the logic, how this doing it, some of the code is not clear for me.
and also I think if we have to do this, we might wanna output a warnning to user that we chose the image without SHA, since this could be a security issue
Hi @medyagh, minikube will try to download kic image with sha, and try the image without sha as fallback: minikube/pkg/drivers/kic/types.go Line 42 in 210b148 minikube/pkg/minikube/node/cache.go Line 142 in 7a8a1c9 However, it with minikube/pkg/minikube/node/cache.go Line 127 in 7a8a1c9 For example, start minikube v1.34.0 with # update from gcr.io/k8s-minikube/kicbase:v0.0.45@sha256:81df288595202a317b1a4dc2506ca2e4ed5f22373c19a441b88cfbf4b9867c85
registry.cn-hangzhou.aliyuncs.com/google_containers/kicbase:v0.0.45@sha256:81df288595202a317b1a4dc2506ca2e4ed5f22373c19a441b88cfbf4b9867c85
docker.io/kicbase/stable:v0.0.45@sha256:81df288595202a317b1a4dc2506ca2e4ed5f22373c19a441b88cfbf4b9867c85
gcr.io/k8s-minikube/kicbase:v0.0.45
docker.io/kicbase/stable:v0.0.45The image |
| cc.KicBaseImage = baseImg | ||
| } | ||
| images = append(images, baseImg) | ||
| if baseFallbackImg != "" && baseFallbackImg != baseImg { |
There was a problem hiding this comment.
if minikube does not start with --image-registry option, or specify a different kic image that without sha (with --base-image option), it will not add the image without sha into the fallback list
| return path.Join(repo, image) | ||
| baseImg := path.Join(repo, image) | ||
| // try a fallback image without sha, because #11068 | ||
| fallbackImg := strings.Split(image, "@sha256:")[0] |
There was a problem hiding this comment.
pkg/driver/kic/types.go did not export the image's sha, so I removed the sha part from the repo updated image.
|
As my last reply said, minikube is already trying to download no sha image as the fallback, is it a better idea to make another patch to add warning output? I think it is not for this patch only. |
Like #11068, minikube with
--image-repositoryoption may fail to download kic image because it only tries to download the image with SHA. This patch will add the kic image without SHA to the fallback images list to avoid its failure.