In Konvoy 1.X, the kube-apiserver runs with the AlwaysPullImages admission plugin enabled, which forces the Kubelet to pull the image every time a Pod is created. This ensures that if a Pod's image uses the latest tag, such as nginx:latest, we are not running a cached copy from the host but the actual latest image available in the registry.
As you can imagine, the latest tag is not a great idea in general: it exposes your cluster to misconfiguration and to security exposure because you cannot reliably track which version of the image is running. Many people ban the usage of latest in their environment, and we encourage you to do so wherever possible. Note that AlwaysPullImages also has a security purpose of its own: because every Pod has to pull, a Pod can only use a private image if it presents valid registry credentials, rather than reusing an image another workload already cached on the node. Keep that in mind if the cluster runs workloads from multiple teams. If you are already avoiding the latest tag, or you are in an airgapped or bandwidth-limited environment where you would like to use the image cache in your Kubernetes cluster, it is quite easy to enable this behavior:
1. Remove the AlwaysPullImages entry from the admissionPlugins section of cluster.yaml:
The default config:
admissionPlugins:
  enabled:
  - AlwaysPullImages
  - NodeRestriction
New config:
admissionPlugins:
  enabled:
  - NodeRestriction
2. Run ./konvoy up to apply the change.
3. Manually remove the AlwaysPullImages plugin from the kube-apiserver.
We must now manually remove the AlwaysPullImages plugin from the kube-apiserver static Pod manifest on each control plane node. Starting from the first control plane, navigate to /etc/kubernetes/manifests and edit kube-apiserver.yaml.
Find the line listing the enabled admission plugins:
- --enable-admission-plugins=AlwaysPullImages,NodeRestriction
Remove AlwaysPullImages, and then save and close the file.
- --enable-admission-plugins=NodeRestriction
As soon as you save the file, the Kubelet on that control plane notices the changed static Pod manifest and restarts kube-apiserver with the new flags. We should now do a health check to ensure that the Pod is healthy. From the control plane on which you edited kube-apiserver.yaml, perform a curl check:
curl -k https://localhost:6443/readyz
It should respond "ok":
ok
Now proceed to each additional control plane and make the same change. You should now be able to utilize the image cache on each node when pulling images. If you would like to revert the change, re-add AlwaysPullImages to the enabled list in cluster.yaml, re-run konvoy up, and then check kube-apiserver.yaml on each control plane to verify that AlwaysPullImages is listed again, which disables image caching.