• Product / Portfolio Work
Feature Overview (What is this feature?)

This feature makes a security change to how OpenShift handles private container images that are already cached (saved) on a Node.

It forces the system to re-verify the credentials (the imagePullSecret) before letting a Pod run a private image, even if the image is already downloaded to that Node.

Problem It Solves (Why do we need this?)

The problem was a security loophole when using the standard pull policy IfNotPresent:

1. Scenario: One team (Team A) successfully downloads a private, secret image using their own credentials. The image is saved on Node 1.
2. The Loophole: Another team (Team B) tries to run the same secret image on Node 1, but they do not have the credentials.
3. Old Behavior: Because the image was already present (saved locally) on the Node, Kubernetes would say, "Great, the image is here!" and let Team B run the image without ever checking their credentials.
4. The Security Flaw: Team B gains unauthorized access to Team A's private, secret software.

Upstream enhancement: https://github.com/kubernetes/enhancements/issues/2535
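The following is an added illustration of the decision described above, not code from OpenShift, the kubelet, or the upstream enhancement. It models the node's image cache as a map from image reference to the fingerprints of the credentials that successfully pulled it, and shows the old IfNotPresent behaviour (cached image, no credential check) next to the re-verified behaviour (cached image is used only if the Pod's credentials match a recorded pull or are re-checked against the registry). The registry, the image name, the secret contents and the ACL are all constructed sample data.

```python
"""Model of the kubelet image-pull decision for cached private images.

Added example, not the kubelet's implementation: the cache, registry, image
name and credentials below are constructed for the demonstration.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class PullSecret:
    """Contents of an imagePullSecret for one registry (constructed sample)."""
    registry: str
    username: str
    password: str


def fingerprint(secret: Optional[PullSecret]) -> str:
    """Digest of the credentials; the cache never stores the secret itself."""
    if secret is None:
        return "anonymous"
    raw = f"{secret.registry}\0{secret.username}\0{secret.password}".encode()
    return hashlib.sha256(raw).hexdigest()


class FakeRegistry:
    """Stand-in for a private registry: image -> usernames allowed to pull it."""

    def __init__(self, acl: dict):
        self.acl = acl
        self.auth_calls = 0  # how often the registry was actually consulted

    def authorize(self, image: str, secret: Optional[PullSecret]) -> bool:
        self.auth_calls += 1
        return secret is not None and secret.username in self.acl.get(image, set())


@dataclass
class NodeImageCache:
    """Images present on the node and which credential fingerprints pulled them."""
    pulled_by: dict = field(default_factory=dict)

    def present(self, image: str) -> bool:
        return image in self.pulled_by

    def record(self, image: str, secret: Optional[PullSecret]) -> None:
        self.pulled_by.setdefault(image, set()).add(fingerprint(secret))


def admit_image(image: str, secret: Optional[PullSecret], policy: str,
                cache: NodeImageCache, registry: FakeRegistry,
                verify_cached_pulls: bool) -> str:
    """Decide whether a Pod may use `image`; returns pulled/cached/reverified/denied."""
    if policy not in ("Always", "IfNotPresent"):
        raise ValueError(f"unsupported imagePullPolicy: {policy}")
    if policy == "Always" or not cache.present(image):
        # A real pull: the registry checks the credentials on every pull.
        if not registry.authorize(image, secret):
            return "denied"
        cache.record(image, secret)
        return "pulled"
    # IfNotPresent and the image is already on the node.
    if not verify_cached_pulls:
        return "cached"  # old behaviour: the loophole, no credential check at all
    if fingerprint(secret) in cache.pulled_by[image]:
        return "cached"  # same credentials as an earlier successful pull
    # Unknown credentials for a cached image: re-check them with the registry.
    if registry.authorize(image, secret):
        cache.record(image, secret)
        return "reverified"
    return "denied"


def run_scenario(verify_cached_pulls: bool, policy: str = "IfNotPresent") -> dict:
    """Team A pulls a private image, Team B (no credentials) tries to reuse it."""
    image = "registry.example.internal/team-a/secret-app:1.0"  # constructed
    registry = FakeRegistry({image: {"team-a-bot"}})
    team_a = PullSecret("registry.example.internal", "team-a-bot", "constructed-password")
    team_b = None  # Team B has no imagePullSecret for this registry
    cache = NodeImageCache()
    results = {
        "team_a_pull": admit_image(image, team_a, policy, cache, registry, verify_cached_pulls),
        "team_b_reuse": admit_image(image, team_b, policy, cache, registry, verify_cached_pulls),
        "team_a_reuse": admit_image(image, team_a, policy, cache, registry, verify_cached_pulls),
    }
    results["registry_auth_calls"] = registry.auth_calls
    return results


if __name__ == "__main__":
    print("old behaviour:     ", run_scenario(verify_cached_pulls=False))
    print("re-verified pulls: ", run_scenario(verify_cached_pulls=True))
    print("imagePullPolicy=Always:", run_scenario(False, policy="Always"))
```

With the old behaviour, Team B's Pod is admitted straight from the cache and the registry is never consulted after Team A's initial pull. With re-verification, Team B is denied because no recorded pull of that image matches its (absent) credentials, while Team A's later Pods still use the cached image without an extra registry round trip. Setting imagePullPolicy to Always closes the loophole too, at the cost of contacting the registry for every Pod start.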

              gausingh@redhat.com Gaurav Singh