[KEP-4639] Graduate image volumes to GA #5450
Conversation
saschagrunert
commented
Jul 15, 2025
saschagrunert
commented
- One-line PR description: Graduate the image volume feature as GA for 1.35.
- Issue link: VolumeSource: OCI Artifact and/or Image #4639
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
the
kind/kep
k8s-ci-robot
added
the
sig/node
k8s-ci-robot
added
the
size/S
|
So readonlysupport will be a separate KEP? |
Read write support will be a separate KEP, yes. |
|
I see we have a PR opened for kube-scheduler (kubernetes/kubernetes#130231) that changes the scoring based on this feature. However, I don't see it mentioned in the KEP. Is that change expected? If yes, it should be in this KEP. |
saschagrunert
force-pushed
the
image-volume-ga
branch
from
9370d1a to
dd71921
Compare
I don't think we should put that in scope of this KEP, but I don't see why other features should not rely on it once GA. |
|
@kubernetes/sig-node-proposals PTAL |
|
cc @mikebrow |
saschagrunert
force-pushed
the
image-volume-ga
branch
from
dd71921 to
2665bde
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: saschagrunert The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
lgtm overall, re-reading the whole KEP some notes:
-
Non-goals still mention "alpha":
That could be delegated to the consumer or perhaps to some hooks and is out of scope for alpha.
-
Testing section needs to be updated for containerd:
When containerd adds support for the feature, then the e2e tests will become available for that runtime as well.
-
As part of implementation, let's get rid of a separate test lane (https://testgrid.k8s.io/sig-node-cri-o#pr-crio-cgrpv2-imagevolume-e2e) for the feature and mark it as NodeConformance. The feature doesn't have any special node configurations needed. Also remove the
Featuretag. It may be too late to replace withFeatureGatesince it was GA'd. Maybe for the case of emulated version testing only.
| @@ -881,8 +884,6 @@ in back-to-back releases. | |||
| - Multiple examples of real world uses | |||
There was a problem hiding this comment.
GA criteria typically has a requirement to imlpement a Conformance test. Can we include it please. It was a recent contention point with DRA and we need to follow the best practices here
There was a problem hiding this comment.
Added the test graduation to conformance.
There was a problem hiding this comment.
I mean real conformance, not only node conformance.
Conformance tests should cover all APIs. In this case we may have a simple conformance test that will create image-backed volume and produces it's content as an output.
There was a problem hiding this comment.
Good, I assume we should still move the existing tests to node conformance and added another conformance test as requirement.
There was a problem hiding this comment.
Yes, exactly. We need "official" conformance to ensure conformant clusters implement this API. And NodeConformance to indicate that this is a general feature universally supported on all nodes
| @@ -781,6 +782,8 @@ We expect no non-infra related flakes in the last month as a GA graduation crite | |||
| - [sig-node] ImageVolume [NodeFeature:ImageVolume] should succeed with multiple pods and same image on the same node | |||
| - [sig-node] ImageVolume [NodeFeature:ImageVolume] should succeed with pod and multiple volumes | |||
| - [sig-node] ImageVolume [NodeFeature:ImageVolume] should succeed with pod and pull policy of Always | |||
| - [sig-node] ImageVolume [NodeFeature:ImageVolume] subPath should succeed when using a valid subPath | |||
| - [sig-node] ImageVolume [NodeFeature:ImageVolume] subPath should fail if subPath in volume is not existing | |||
There was a problem hiding this comment.
beside the first "should fail" test, is there any tests needed for crashloop backoff?
There was a problem hiding this comment.
I don't have any specific scenario in mind which should be tested as well beside that the image is not available within the registry (ref test). The [test/e2e_node/image_pull_test.go](https://github.com/kubernetes/kubernetes/blob/master/test/e2e_node/image_pull_test.go) also don't seem to test further scenarios fwiw.
There was a problem hiding this comment.
This is not a blocking comment.
I am not sure how important it is to test transient failures of the image pull.
Also interesting question test might be - ability to delete the Pod while it is in image pull backoff or while it is downloading the image.
saschagrunert
force-pushed
the
image-volume-ga
branch
from
2665bde to
1a4174f
Compare
k8s-ci-robot
added
size/M
|
I updated the KEP. I also see that containerd/containerd#11578 is not being backported to containerd 2.1 yet. Is this a blocker @mikebrow ? |
Signed-off-by: Sascha Grunert <[email protected]>
saschagrunert
force-pushed
the
image-volume-ga
branch
from
1a4174f to
3d96f29
Compare
2.2 should be out before/around kubecon, and this feature will be in all the release candidates leading up to release. We can ask for an exception.. and customer/user requests for back port exception would also help in this case given the minimal hit to the code. |
At a minimum we need to have a test against containerd main branch. So testing is covered. The requirement is to have a feature released in container runtime before k8s release: https://www.k8s.dev/docs/code/cri-api-dev-policies/#same-maturity-level-for-beta-and-ga So this will be tight. @mikebrow are you strongly against backporting to 2.1? |
No I'm strongly for back porting this one. |
