Skip to content

feat: add ImagePullIdentityProfile for identity binding-based image pull #7596

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
qweeah wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

feat: add ImagePullIdentityProfile for identity binding-based image pull #7596

qweeah wants to merge 1 commit into from

Conversation

@qweeah
Copy link
Contributor

@qweeah qweeah commented Dec 24, 2025

What type of PR is this?
/kind feature

This PR adds support for identity binding-based image pull authentication from Azure Container Registry (ACR), implementing KEP-4412 projected service account tokens for kubelet image credential providers.

To support identity binding-based image pull feature changes in AgentBaker, we plan to implement it in three parts:

  • Part 1 (this PR): Adds data model and test baseline
  • Part 2: RP integration and configuration flow
  • Part 3: CSE implementation and credential provider configuration

What this PR does / why we need it:

Data Model Changes

  • Added ImagePullIdentityProfile struct to SecurityProfile containing:
    • Enabled: Boolean flag to enable/disable the feature
    • DefaultClientID: Cluster-wide default managed identity client ID
    • DefaultTenantID: Cluster-wide default managed identity tenant ID
    • LocalAuthoritySNI: SNI endpoint for Identity Bindings Local Authority

Helper Functions

  • Added GetImagePullIdentity() method to retrieve image pull identity configuration
  • Added IsImagePullIdentityBindingEnabled() method to check if feature is enabled
  • Added helper functions in variables.go:
    • getImagePullIdentityDefaultClientID()
    • getImagePullIdentityDefaultTenantID()
    • getImagePullIdentityLocalAuthoritySNI()

Variable Mappings

  • Added template variables for CSE script consumption:
    • imagePullIdentityBindingEnabled
    • imagePullIdentityDefaultClientID
    • imagePullIdentityDefaultTenantID
    • identityBindingsLocalAuthoritySNI

Which issue(s) this PR fixes:

Fixes #

Requirements:

  • uses conventional commit messages
  • includes documentation
  • adds unit tests
  • tested upgrade from previous version
  • commits are GPG signed and Github marks them as verified

Special notes for your reviewer:

Release note:

none

@qweeah
feat: support ib-based image pull
eeda6d4 
Signed-off-by: Billy Zha <jinzha1@microsoft.com>
@qweeah qweeah changed the title feat: Add ImagePullIdentityProfile to SecurityProfile for identity binding-based image pull feat: add ImagePullIdentityProfile for identity binding-based image pull Dec 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@juan-lee juan-lee Awaiting requested review from juan-lee juan-lee will be requested when the pull request is marked ready for review juan-lee is a code owner

@cameronmeissner cameronmeissner Awaiting requested review from cameronmeissner cameronmeissner will be requested when the pull request is marked ready for review cameronmeissner is a code owner

@ganeshkumarashok ganeshkumarashok Awaiting requested review from ganeshkumarashok ganeshkumarashok will be requested when the pull request is marked ready for review ganeshkumarashok is a code owner

@Devinwong Devinwong Awaiting requested review from Devinwong Devinwong will be requested when the pull request is marked ready for review Devinwong is a code owner

@lilypan26 lilypan26 Awaiting requested review from lilypan26 lilypan26 will be requested when the pull request is marked ready for review lilypan26 is a code owner

@AbelHu AbelHu Awaiting requested review from AbelHu AbelHu will be requested when the pull request is marked ready for review AbelHu is a code owner

@junjiezhang1997 junjiezhang1997 Awaiting requested review from junjiezhang1997 junjiezhang1997 will be requested when the pull request is marked ready for review junjiezhang1997 is a code owner

@djsly djsly Awaiting requested review from djsly djsly will be requested when the pull request is marked ready for review djsly is a code owner

@phealy phealy Awaiting requested review from phealy phealy will be requested when the pull request is marked ready for review phealy is a code owner

@r2k1 r2k1 Awaiting requested review from r2k1 r2k1 will be requested when the pull request is marked ready for review r2k1 is a code owner

@timmy-wright timmy-wright Awaiting requested review from timmy-wright timmy-wright will be requested when the pull request is marked ready for review timmy-wright is a code owner

@zachary-bailey zachary-bailey Awaiting requested review from zachary-bailey zachary-bailey will be requested when the pull request is marked ready for review zachary-bailey is a code owner

@awesomenix awesomenix Awaiting requested review from awesomenix awesomenix will be requested when the pull request is marked ready for review awesomenix is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@qweeah