move Ensure Secret-Pulled Images feature to beta

Signed-off-by: Stanislav Láznička <[email protected]>
Signed-off-by: Anish Ramasekar <[email protected]>

Author: stlaz

pkg/features/kube_features.go

@@ -1417,6 +1417,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 
 	KubeletEnsureSecretPulledImages: {
 		{Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Alpha},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta},
 	},
 
 	KubeletFineGrainedAuthz: {

pkg/kubelet/apis/config/fuzzer/fuzzer.go

@@ -64,6 +64,7 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} {
 			obj.ImageMaximumGCAge = metav1.Duration{}
 			obj.ImageGCHighThresholdPercent = 85
 			obj.ImageGCLowThresholdPercent = 80
+			obj.ImagePullCredentialsVerificationPolicy = string(kubeletconfig.NeverVerifyPreloadedImages)
 			obj.KernelMemcgNotification = false
 			obj.MaxOpenFiles = 1000000
 			obj.MaxPods = 110

pkg/kubelet/apis/config/scheme/testdata/KubeletConfiguration/after/v1beta1.yaml

@@ -50,6 +50,7 @@ imageGCHighThresholdPercent: 85
 imageGCLowThresholdPercent: 80
 imageMaximumGCAge: 0s
 imageMinimumGCAge: 2m0s
+imagePullCredentialsVerificationPolicy: NeverVerifyPreloadedImages
 iptablesDropBit: 15
 iptablesMasqueradeBit: 14
 kind: KubeletConfiguration

pkg/kubelet/apis/config/scheme/testdata/KubeletConfiguration/roundtrip/default/v1beta1.yaml

@@ -50,6 +50,7 @@ imageGCHighThresholdPercent: 85
 imageGCLowThresholdPercent: 80
 imageMaximumGCAge: 0s
 imageMinimumGCAge: 2m0s
+imagePullCredentialsVerificationPolicy: NeverVerifyPreloadedImages
 iptablesDropBit: 15
 iptablesMasqueradeBit: 14
 kind: KubeletConfiguration

pkg/kubelet/apis/config/v1beta1/defaults_test.go

@@ -36,39 +36,40 @@ import (
 
 var (
 	successConfig = kubeletconfig.KubeletConfiguration{
-		CgroupsPerQOS:                   cgroupsPerQOS,
-		EnforceNodeAllocatable:          enforceNodeAllocatable,
-		SystemReservedCgroup:            "/system.slice",
-		KubeReservedCgroup:              "/kubelet.service",
-		PodLogsDir:                      "/logs",
-		SystemCgroups:                   "",
-		CgroupRoot:                      "",
-		EventBurst:                      10,
-		EventRecordQPS:                  5,
-		HealthzPort:                     10248,
-		ImageGCHighThresholdPercent:     85,
-		ImageGCLowThresholdPercent:      80,
-		IPTablesDropBit:                 15,
-		IPTablesMasqueradeBit:           14,
-		KubeAPIBurst:                    10,
-		KubeAPIQPS:                      5,
-		MaxOpenFiles:                    1000000,
-		MaxPods:                         110,
-		OOMScoreAdj:                     -999,
-		PodsPerCore:                     100,
-		Port:                            65535,
-		ReadOnlyPort:                    0,
-		RegistryBurst:                   10,
-		RegistryPullQPS:                 5,
-		MaxParallelImagePulls:           nil,
-		HairpinMode:                     kubeletconfig.PromiscuousBridge,
-		NodeLeaseDurationSeconds:        1,
-		CPUCFSQuotaPeriod:               metav1.Duration{Duration: 25 * time.Millisecond},
-		TopologyManagerScope:            kubeletconfig.PodTopologyManagerScope,
-		TopologyManagerPolicy:           kubeletconfig.SingleNumaNodeTopologyManagerPolicy,
-		ShutdownGracePeriod:             metav1.Duration{Duration: 30 * time.Second},
-		ShutdownGracePeriodCriticalPods: metav1.Duration{Duration: 10 * time.Second},
-		MemoryThrottlingFactor:          ptr.To(0.9),
+		CgroupsPerQOS:                          cgroupsPerQOS,
+		EnforceNodeAllocatable:                 enforceNodeAllocatable,
+		SystemReservedCgroup:                   "/system.slice",
+		KubeReservedCgroup:                     "/kubelet.service",
+		PodLogsDir:                             "/logs",
+		SystemCgroups:                          "",
+		CgroupRoot:                             "",
+		EventBurst:                             10,
+		EventRecordQPS:                         5,
+		HealthzPort:                            10248,
+		ImageGCHighThresholdPercent:            85,
+		ImageGCLowThresholdPercent:             80,
+		ImagePullCredentialsVerificationPolicy: "NeverVerifyPreloadedImages",
+		IPTablesDropBit:                        15,
+		IPTablesMasqueradeBit:                  14,
+		KubeAPIBurst:                           10,
+		KubeAPIQPS:                             5,
+		MaxOpenFiles:                           1000000,
+		MaxPods:                                110,
+		OOMScoreAdj:                            -999,
+		PodsPerCore:                            100,
+		Port:                                   65535,
+		ReadOnlyPort:                           0,
+		RegistryBurst:                          10,
+		RegistryPullQPS:                        5,
+		MaxParallelImagePulls:                  nil,
+		HairpinMode:                            kubeletconfig.PromiscuousBridge,
+		NodeLeaseDurationSeconds:               1,
+		CPUCFSQuotaPeriod:                      metav1.Duration{Duration: 25 * time.Millisecond},
+		TopologyManagerScope:                   kubeletconfig.PodTopologyManagerScope,
+		TopologyManagerPolicy:                  kubeletconfig.SingleNumaNodeTopologyManagerPolicy,
+		ShutdownGracePeriod:                    metav1.Duration{Duration: 30 * time.Second},
+		ShutdownGracePeriodCriticalPods:        metav1.Duration{Duration: 10 * time.Second},
+		MemoryThrottlingFactor:                 ptr.To(0.9),
 		FeatureGates: map[string]bool{
 			"CustomCPUCFSQuotaPeriod":    true,
 			"GracefulNodeShutdown":       true,

pkg/kubelet/apis/config/validation/validation_test.go

@@ -1284,7 +1284,7 @@ func TestParallelPodPullingTimeRecorderWithErr(t *testing.T) {
 	for i := 0; i < 2; i++ {
 		wg.Add(1)
 		go func(i int) {
-			_, _, err := puller.EnsureImageExists(ctx, nil, pods[i], container.Image, testCase.pullSecrets, nil, "", container.ImagePullPolicy)
+			_, _, err := puller.EnsureImageExists(ctx, nil, pods[i], container.Image, testCase.pullSecrets, podSandboxes[i], "", container.ImagePullPolicy)
 			assert.NoError(t, err)
 			wg.Done()
 		}(i)
@@ -1489,9 +1489,7 @@ func TestEnsureImageExistsWithServiceAccountCoordinates(t *testing.T) {
 
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
-			if tc.enableEnsureSecretImages {
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KubeletEnsureSecretPulledImages, true)
-			}
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KubeletEnsureSecretPulledImages, tc.enableEnsureSecretImages)
 
 			ctx := context.Background()
 			fakeClock := testingclock.NewFakeClock(time.Now())

pkg/kubelet/images/image_manager_test.go

@@ -3269,6 +3269,7 @@ func TestNewMainKubeletStandAlone(t *testing.T) {
 		ConfigMapAndSecretChangeDetectionStrategy: kubeletconfiginternal.WatchChangeDetectionStrategy,
 		ContainerLogMaxSize:                       "10Mi",
 		ContainerLogMaxFiles:                      5,
+		ImagePullCredentialsVerificationPolicy:    "NeverVerifyPreloadedImages",
 		MemoryThrottlingFactor:                    ptr.To[float64](0),
 		CrashLoopBackOff: kubeletconfiginternal.CrashLoopBackOffConfig{
 			MaxContainerRestartPeriod: &metav1.Duration{Duration: 5 * time.Minute},
@@ -3395,6 +3396,8 @@ func TestSyncPodSpans(t *testing.T) {
 		ContainerLogMaxSize:                       "10Mi",
 		ContainerLogMaxFiles:                      5,
 		MemoryThrottlingFactor:                    ptr.To[float64](0),
+		MaxPods:                                   110,
+		MaxParallelImagePulls:                     ptr.To[int32](5),
 	}
 
 	exp := tracetest.NewInMemoryExporter()

pkg/kubelet/kubelet_test.go

@@ -861,6 +861,10 @@
     lockToDefault: false
     preRelease: Alpha
     version: "1.33"
+  - default: true
+    lockToDefault: false
+    preRelease: Beta
+    version: "1.35"
 - name: KubeletFineGrainedAuthz
   versionedSpecs:
   - default: false