-
Notifications
You must be signed in to change notification settings - Fork 223
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KIP cannot use ImagePullSecret when using containerd #1359
Comments
Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗 |
I created a local solution. I am pretty new to Kubernetes and EG so I don't think this solution generalizes perfectly, but maybe you can point me in the right direction to making this a sensible pull request: Steps I did:
Relevant Excerpts/Changes:/etc/kubernetes/helm/enterprise-gateway/templates/daemonset.yaml
etc/docker/kernel-image-puller/kernel_image_puller.py:
(edited to add a fallback for username:password if no "auth" str is available) |
Description
This started as a post asking for help in the community forum: https://discourse.jupyter.org/t/kip-containerd-and-imagepullsecrets/23342. It seems it might not be due to misconfiguration on my end, but a bug in EG.
Using a private repository and projects that require authentication, the KIP appears to not use the ImagePullSecret specified in the helm chart. Thus, pulling public images from the repo works, whereas private ones don't. The image puller logs show failure as:
[E 2024-01-11 09:53:42,617 kernel_image_puller.t1] Error executing crictl -r unix:///run/containerd/containerd.sock pull harbor.[...]: time="2024-01-11T09:53:42Z" level=fatal msg="pulling image: rpc error: code = Unknown desc = failed to pull and unpack image \"harbor[...]kernel-spark-python-custom:2024-01-09\": failed to resolve reference \"harbor.[...]kernel-spark-python-custom:2024-01-09\": pulling from host harbor[...] failed with status code [manifests 2024-01-09]: 401 Unauthorized"
This has a significant impact because pulling those images on kernel creation is also problematic. Unless sharing the namespace with EG, the secret resource is not available in the per-kernel namespaces that are created on launch.
Reproduce
What I configured:
This put me in a position where:
My custom kernelspec image is successfully pulled from a private project from our harbor resgistry.
The secret harbor-registey is created in the enterprise-gatewaynamespace by helm.
kernel-image-puller-sa is created in the enterprise-gateway namespace and has the imagePullSecret: harbor-registry
The logs of the kip pods show that our of 3 custom kernels in my kernelspec, all three are detected and should be pulled. The two from public projects in the registry are pulled successfully (no secret needed) but the one form the private project isn’t: (Error executing crictl -r unix:///run/containerd/containerd.sock pull [...] failed with status code [manifests 2024-01-09]: 401 Unauthorized")
It seems the secret + sa work fine to pull pods when creating kubernetes resources (like the kernelspecs image), but are not used when the KIP pods try to pull via the docker client.
Expected behavior
KIP successfully pulls all images, not only those in projects that don't require auth.
Context
EG image: current
elyra/enterprise-gateway:dev
The text was updated successfully, but these errors were encountered: