Merge pull request #117927 from kaisoz/add-FailedToRetrieveImagePullSecret-event

Log a warning if a ImagePullSecrets does not exist

pkg/kubelet/kubelet_pods.go

@@ -880,6 +880,7 @@ func (kl *Kubelet) makePodDataDirs(pod *v1.Pod) error {
 // secrets.
 func (kl *Kubelet) getPullSecretsForPod(pod *v1.Pod) []v1.Secret {
 	pullSecrets := []v1.Secret{}
+	failedPullSecrets := []string{}
 
 	for _, secretRef := range pod.Spec.ImagePullSecrets {
 		if len(secretRef.Name) == 0 {
@@ -890,12 +891,17 @@ func (kl *Kubelet) getPullSecretsForPod(pod *v1.Pod) []v1.Secret {
 		secret, err := kl.secretManager.GetSecret(pod.Namespace, secretRef.Name)
 		if err != nil {
 			klog.InfoS("Unable to retrieve pull secret, the image pull may not succeed.", "pod", klog.KObj(pod), "secret", klog.KObj(secret), "err", err)
+			failedPullSecrets = append(failedPullSecrets, secretRef.Name)
 			continue
 		}
 
 		pullSecrets = append(pullSecrets, *secret)
 	}
 
+	if len(failedPullSecrets) > 0 {
+		kl.recorder.Eventf(pod, v1.EventTypeWarning, "FailedToRetrieveImagePullSecret", "Unable to retrieve some image pull secrets (%s); attempting to pull the image may not succeed.", strings.Join(failedPullSecrets, ", "))
+	}
+
 	return pullSecrets
 }
 

pkg/kubelet/kubelet_pods_test.go

@@ -54,6 +54,7 @@ import (
 	containertest "k8s.io/kubernetes/pkg/kubelet/container/testing"
 	"k8s.io/kubernetes/pkg/kubelet/metrics"
 	"k8s.io/kubernetes/pkg/kubelet/prober/results"
+	"k8s.io/kubernetes/pkg/kubelet/secret"
 	"k8s.io/kubernetes/pkg/kubelet/status"
 	kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
 	netutils "k8s.io/utils/net"
@@ -5396,3 +5397,34 @@ func testMetric(t *testing.T, metricName string, expectedMetric string) {
 		t.Error(err)
 	}
 }
+
+func TestGetNonExistentImagePullSecret(t *testing.T) {
+	secrets := make([]*v1.Secret, 0)
+	fakeRecorder := record.NewFakeRecorder(1)
+	testKubelet := newTestKubelet(t, false /* controllerAttachDetachEnabled */)
+	testKubelet.kubelet.recorder = fakeRecorder
+	testKubelet.kubelet.secretManager = secret.NewFakeManagerWithSecrets(secrets)
+	defer testKubelet.Cleanup()
+
+	expectedEvent := "Warning FailedToRetrieveImagePullSecret Unable to retrieve some image pull secrets (secretFoo); attempting to pull the image may not succeed."
+
+	testPod := &v1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace:   "nsFoo",
+			Name:        "podFoo",
+			Annotations: map[string]string{},
+		},
+		Spec: v1.PodSpec{
+			ImagePullSecrets: []v1.LocalObjectReference{
+				{Name: "secretFoo"},
+			},
+		},
+	}
+
+	pullSecrets := testKubelet.kubelet.getPullSecretsForPod(testPod)
+	assert.Equal(t, 0, len(pullSecrets))
+
+	assert.Equal(t, 1, len(fakeRecorder.Events))
+	event := <-fakeRecorder.Events
+	assert.Equal(t, event, expectedEvent)
+}

pkg/kubelet/secret/fake_manager.go

@@ -16,11 +16,16 @@ limitations under the License.
 
 package secret
 
-import v1 "k8s.io/api/core/v1"
+import (
+	"fmt"
+
+	v1 "k8s.io/api/core/v1"
+)
 
 // fakeManager implements Manager interface for testing purposes.
 // simple operations to apiserver.
 type fakeManager struct {
+	secrets []*v1.Secret
 }
 
 // NewFakeManager creates empty/fake secret manager
@@ -28,9 +33,27 @@ func NewFakeManager() Manager {
 	return &fakeManager{}
 }
 
-// GetSecret returns a nil secret for testing
+// NewFakeManagerWithSecrets creates a fake secret manager with the provided secrets
+func NewFakeManagerWithSecrets(secrets []*v1.Secret) Manager {
+	return &fakeManager{
+		secrets: secrets,
+	}
+}
+
+// GetSecret function returns the searched secret if it was provided during the manager initialization, otherwise, it returns an error.
+// If the manager was initialized without any secrets, it returns a nil secret."
 func (s *fakeManager) GetSecret(namespace, name string) (*v1.Secret, error) {
-	return nil, nil
+	if s.secrets == nil {
+		return nil, nil
+	}
+
+	for _, secret := range s.secrets {
+		if secret.Name == name {
+			return secret, nil
+		}
+	}
+
+	return nil, fmt.Errorf("secret %s not found", name)
 }
 
 // RegisterPod implements the RegisterPod method for testing purposes.