Issue type: Feature
Resolution: Unresolved
Priority: Major
Product / Portfolio Work
Progress: 0% To Do, 100% In Progress, 0% Done
Feature Overview (aka. Goal Summary)
Project-Scoped Image Pull Secrets for Mirrored Registries
This feature enables OpenShift users to leverage project-level imagePullSecrets for authenticating with mirrored image registries configured via ImageContentSourcePolicy (ICSP), ImageDigestMirrorSet (IDMS), and ImageTagMirrorSet (ITMS). This will enhance security by allowing granular access control to mirrored images within multi-tenant clusters, eliminating the need to expose sensitive credentials globally.
Goals (aka. expected user outcomes)
As a result of this feature, the following observable functionality will be available:
- Primary User Type/Persona: Application Developers, Cluster Administrators, SREs in multi-tenant environments.
- Observable Functionality:
  - Application Developers can define imagePullSecrets at the project level and have them correctly applied when their pods attempt to pull images from mirrored registries (configured via ICSP, IDMS, or ITMS).
  - Cluster Administrators can enforce stricter security policies by limiting the scope of image registry credentials to specific projects or namespaces, rather than relying solely on cluster-global pull secrets for mirrored content.
  - Teams operating within multi-tenant clusters can manage their image registry credentials independently without requiring global cluster configuration changes.
- Expansion of Existing Features: This feature expands the functionality of ImageContentSourcePolicy, ImageDigestMirrorSet, ImageTagMirrorSet, and Kubernetes imagePullSecrets.
Requirements (aka. Acceptance Criteria):
The feature must deliver the following specific needs and objectives to be considered complete:
- Functional:
  - Pods referencing images that are subject to mirroring rules (ICSP, IDMS, ITMS) must successfully pull images when using a project-scoped imagePullSecret that contains valid credentials for the mirror registry.
  - The resolution mechanism for mirrored images must correctly prioritize and apply project-scoped imagePullSecrets over global pull secrets if both are present for the same registry.
  - Error messages during image pulls related to authentication with mirrored registries should clearly indicate if a project-scoped secret failed and provide actionable troubleshooting information.
  - Existing functionality of ICSP, IDMS, and ITMS with global pull secrets must remain unaffected.
- Non-functional:
  - Security: The implementation must ensure that project-scoped credentials cannot be used to access images in other projects or registries unless explicitly authorized. Data for imagePullSecrets must be handled securely (e.g., encryption at rest, secure transmission).
  - Reliability: Image pulls via project-scoped secrets and mirrors must be consistently successful and robust, with appropriate retry mechanisms.
  - Performance: The addition of project-scoped secret resolution should not introduce significant latency or performance degradation to image pull operations.
  - Maintainability: The code should be well-documented and easily maintainable.
  - Scalability: The solution must scale efficiently to accommodate a large number of projects, imagePullSecrets, and mirrored registries within a cluster.
  - Usability: The configuration process for project-scoped imagePullSecrets with mirrored registries should be intuitive and align with existing OpenShift patterns.
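The resolution rule in the functional requirements above, as an added Go model that is not OpenShift or CRI-O code: an image reference is rewritten through an IDMS-style mirror rule (mirrors first, source registry last), and the credential for each location is looked up by the host actually contacted, with the project-scoped secret's entry taking precedence over the global pull secret's entry for the same host. The mirror rule, hostnames and sample secrets are constructed for the example.

```go
package main

import "strings"

// MirrorRule models one IDMS imageDigestMirrors entry: Mirrors are tried first, then Source.
type MirrorRule struct {
	Source  string
	Mirrors []string
}

// Attempt is one location the runtime would contact, the credential chosen for it, and the
// scope that supplied it: "project", "global", or "" for an anonymous pull.
type Attempt struct{ Location, Auth, Scope string }

// Auths mirrors the "auths" map of a .dockerconfigjson payload, keyed by registry host.
type Auths map[string]struct{ Auth string }

// Constructed sample secrets (not from the issue): the namespace secret only knows the
// mirror host, while the global pull secret only knows the source registry.
var (
	ProjectSecret = Auths{"mirror.example.com": {"cHJvamVjdDpzZWNyZXQ="}}
	GlobalSecret  = Auths{"registry.example.com": {"Z2xvYmFsOnNlY3JldA=="}}
)

// Resolve rewrites image through the mirror rules (mirrors first, source last) and picks a
// credential per location by the host actually contacted, project secret before global.
func Resolve(image string, rules []MirrorRule, project, global Auths) []Attempt {
	var locations []string
	for _, r := range rules {
		if strings.HasPrefix(image, r.Source+"/") {
			for _, m := range r.Mirrors {
				locations = append(locations, m+strings.TrimPrefix(image, r.Source))
			}
		}
	}
	var attempts []Attempt
	for _, loc := range append(locations, image) {
		a := Attempt{Location: loc}
		host := strings.SplitN(loc, "/", 2)[0] // credentials are keyed by host, not by source
		if c, ok := project[host]; ok {
			a.Auth, a.Scope = c.Auth, "project"
		} else if c, ok := global[host]; ok {
			a.Auth, a.Scope = c.Auth, "global"
		}
		attempts = append(attempts, a)
	}
	return attempts
}
```

Because the lookup is keyed by host, a project secret that only carries credentials for the source registry would not authenticate a pull that is redirected to the mirror; the secret needs an entry for the mirror host itself.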
Issue links:
- causes
  - OCPNODE-3592 Refine and create EPIC for OCPSTRAT-2233 (Closed)
  - OCPNODE-3453 Investigate work for Project-Scoped Image Pull Secrets for Mirrored Registries (Closed)
- relates to
  - RFE-1956 Enable mirrors defined by IDMS to use project-local pull request (Waiting)