Skip to content

Commit e62c461

Browse files
atykhyyatykhyy
committed
kubelet: invoke part of image verification policy earlier
Some decisions about image pull credential verification can be applied without reference to image pull credentials: if the policy is NeverVerify, or if it is NeverVerifyPreloadedImages and the image is preloaded, or if is NeverVerifyAllowListedImages and the image is white-listed. In these cases, there is no need to look up credentials. Related PR: #133079
1 parent 0170df6 commit e62c461

File tree

1 file changed

+2
-1
lines changed

1 file changed

+2
-1
lines changed

pkg/kubelet/images/image_manager.go

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -178,7 +178,8 @@ func (m *imageManager) EnsureImageExists(ctx context.Context, objRef *v1.ObjectR
178178
return "", message, err
179179
}
180180

181-
if imageRef != "" && !utilfeature.DefaultFeatureGate.Enabled(features.KubeletEnsureSecretPulledImages) {
181+
// run the part of image verification policy that does not depend on credentials before looking them up
182+
if imageRef != "" && !(utilfeature.DefaultFeatureGate.Enabled(features.KubeletEnsureSecretPulledImages) && m.imagePullManager.MustAttemptImagePull(requestedImage, imageRef, nil, nil)) {
182183
msg := fmt.Sprintf("Container image %q already present on machine", requestedImage)
183184
m.logIt(objRef, v1.EventTypeNormal, events.PulledImage, logPrefix, msg, klog.Info)
184185
return imageRef, msg, nil

0 commit comments

Comments
 (0)