You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/design.md
+8-4Lines changed: 8 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -29,7 +29,7 @@ This section describes user stories.
29
29
- Assume that the Kubernetes cluster in the user stories is operated in an on-premises environment.
30
30
- The team managing the Kubernetes cluster is referred to as the cluster administrators.
31
31
- The team using the Kubernetes cluster is referred to as the tenant team.
32
-
- Container images are downloaded from an external container registry over the internet.
32
+
- Container images are downloaded from a upstream registry over the internet.
33
33
- There is sufficient bandwidth from the cluster to the internet, but network throttling may occur if the network load becomes too high.
34
34
35
35
### User Story 1
@@ -48,6 +48,10 @@ The tenant team wants to pre-download images to minimize downtime during workloa
48
48
### Limitations
49
49
50
50
- These features assume that [spegel](https://github.com/spegel-org/spegel) is running within the cluster.
51
+
- Images downloaded by the operator are persisted in the node's local storage.
52
+
As a result, any pod scheduled to the node can utilize these images without requiring image pull operations or valid registry credentials.
53
+
This behavior may present security concerns in multi-tenant environments where private images are utilized, as it could potentially allow unauthorized access to container images containing confidential information.
54
+
If this specification is not acceptable, please consider deploying admission webhooks such as [AlwaysPullImages](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages) to enforce proper authentication for all image access operations.
51
55
52
56
### Risk and Mitigation
53
57
@@ -107,7 +111,7 @@ subgraph Node1
107
111
spegel-pod1[Spegel Pod]
108
112
end
109
113
110
-
subgraph external
114
+
subgraph upstream
111
115
container-registry[Container Registry]
112
116
end
113
117
@@ -130,9 +134,9 @@ end
130
134
131
135
132
136
%% Node1
133
-
image-puller1-->|A1: Request to download container images from the registry mirror and external registry|containerd-node1
137
+
image-puller1-->|A1: Request to download container images from the registry mirror and upstream registry|containerd-node1
134
138
containerd-node1-->|A2: Attempt to download images from the registry mirror|spegel-pod1
135
-
containerd-node1-->|A3: Attempt to download images from the external registry|container-registry
139
+
containerd-node1-->|A3: Attempt to download images from the upstream registry|container-registry
136
140
137
141
%% Node2
138
142
image-puller2-->|B1: Request to download container images from the registry mirror|containerd-node2
0 commit comments