Uploaded image for project: 'Openshift sandboxed containers'
  1. Openshift sandboxed containers
  2. KATA-4107

Regression: peer-pods fails to pull images from RH registry

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Medium Medium
    • None
    • None
    • None
    • None
    • Quality / Stability / Reliability
    • False
    • Hide

      None

      Show
      None
    • False
    • Hide
      .Peer pod VM images cannot be pulled from private registries

      Because of changes to the image pull mechanism in 1.10, authentication does not work when pulling peer pod VM images from private registries such as `registry.access.redhat.com`. The workaround is to copy the cluster pull secret to the peer pod namespace. Then, you must either link the pull secret to the default service account or add the pull secret explicitly to the peer pod manifest.
      Show
      .Peer pod VM images cannot be pulled from private registries Because of changes to the image pull mechanism in 1.10, authentication does not work when pulling peer pod VM images from private registries such as `registry.access.redhat.com`. The workaround is to copy the cluster pull secret to the peer pod namespace. Then, you must either link the pull secret to the default service account or add the pull secret explicitly to the peer pod manifest.
    • Known Issue
    • Done
    • Bugs and Vulnerability Issues
    • 0

      Description

      Running a peer-pod that uses an image from registry.redhat.io fails to pull the image.
      This is a regression introduced in OSC 1.10.x, where the image pull mechanism was changed (upstream PR #2232) and the previous auth-json-secret mechanism was dropped.

      Currently, pulling private images (e.g., from registry.redhat.io) requires manual configuration. For a native container-like experience, this should be automated.

      Steps to reproduce

      1. install OSC 1.10.1 with PP enabled
      2. run the following pod

      apiVersion: v1
      kind: Pod
      metadata:
       name: sleep
      spec:
       runtimeClassName: kata-remote
       containers:
         - name: sleeping
           image: registry.redhat.io/ubi9/ubi:latest
           command: ["sleep"]
           args: ["infinity"]

       

      Expected result

      pod will run

      Actual result

       

      2025/08/21 07:07:02 [adaptor/proxy] CreateContainer fails: rpc error: code = Internal desc = failed to pull image registry.redhat.io/ubi9/ubi:latest
      
      Stack backtrace:
         0: anyhow::kind::Adhoc::new
         1: anyhow::__private::format_err.12564
         2: <kata_agent::storage::image_pull_handler::ImagePullHandler as kata_agent::storage::StorageHandler>::create_device::{{closure}}
         3: kata_agent::storage::add_storages::{{closure}}
         4: kata_agent::rpc::AgentService::do_create_container::{{closure}}::{{closure}}.12686
         5: <kata_agent::rpc::AgentService as protocols::agent_ttrpc_async::AgentService>::create_container::{{closure}}
         6: <protocols::agent_ttrpc_async::CreateContainerMethod as ttrpc::asynchronous::utils::MethodHandler>::handler::{{closure}}
         7: ttrpc::asynchronous::server::HandlerContext::handle_msg::{{closure}}
         8: <ttrpc::asynchronous::server::ServerReader as ttrpc::asynchronous::connection::ReaderDelegate>::handle_msg::{{closure}}::{{closure}}
         9: tokio::runtime::task::raw::poll
        10: tokio::runtime::scheduler::multi_thread::worker::Context::run_task
        11: tokio::runtime::task::raw::poll
        12: std::sys::backtrace::__rust_begin_short_backtrace
        13: core::ops::function::FnOnce::call_once{{vtable.shim}}
        14: std::sys::pal::unix::thread::thread::new::thread_start
        15: start_thread
        16: __clone3

       

      Impact

      Any kata-remote pod with that uses non-public image will fail to start with the default configuration

      Workaround

      To run peer-pod workloads that use private images (e.g., from registry.redhat.io), configure a ServiceAccount or imagePullSecret with the proper credentials.

      To replicate the native OpenShift pod experience, copy the cluster-wide pull secret into the namespace where your peer-pods workload is deployed:

      NS=<peer-pod namespace>
      oc get secret pull-secret -n openshift-config -o yaml | sed "s/namespace: openshift-config/namespace: ${NS}/" | kubectl apply -n "${NS}" -f -
      

      Then you can either link this secret to the default service account:

      oc secrets link default pull-secret --for=pull -n ${NS}
      

      or, add to the peer-pod yaml:

      imagePullSecrets: 
       - name: pull-secret
      

              ssheribe@redhat.com Snir sheriber
              rh-ee-chbutler Chris Butler
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated: