Pre-validation process for image accessibility prior to initiating workflows #14059

Open
SotirisOikonomou opened this issue Jan 8, 2025 · 2 comments
Labels
type/feature Feature request

Comments

@SotirisOikonomou

Summary

What change needs making?

Implementing a pre-validation process for image accessibility prior to initiating workflows would significantly reduce wait times in the event of authentication errors or unavailability of images. Additionally, it would prevent the accumulation of pods in an error state, which then require manual cleanup.

Use Cases

When would you use this?

We utilise Argo Workflows in one of our products, which allows customers to upload custom workflow templates for their applications. These can be complex, multilevel workflows with various images. With the current implementation, if there is a problem with the last image, customers have to wait a long time until they see the error and lose money. Furthermore, with a high number of customers and submitted templates, the clusters accumulate more and more pods in an error state.
Ensuring the accessibility of all images in the workflow prior to execution would result in significant savings in terms of time, money, and resources.
Could this logic be implemented directly into Argo, or is there an alternative method for implementing it independently without a running Docker daemon?
Our initial approach over the API and the manifest endpoint proved to be quite complex and prone to errors, due to the manual string processing of the image name and the significant differences in the authentication methods for various image registries.


Message from the maintainers:

Love this feature request? Give it a 👍. We prioritise the proposals with the most 👍.
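
The image-name handling that the issue description calls error-prone, as an added example (not code from Argo Workflows or from anyone in this thread): it normalizes each image reference in a workflow and derives the registry v2 manifest endpoint a pre-check would query. The function names and the sample manifest are assumptions made for illustration; the HTTP request and per-registry authentication are left out.

```python
import re

API_HOST = {"docker.io": "registry-1.docker.io"}  # Docker Hub's registry API host
REPO_RE = re.compile(r"[a-z0-9]+(?:[._/-]+[a-z0-9]+)*")  # loose check, not the full grammar

def parse_image(ref):
    """Split an image reference into (registry, repository, tag, digest)."""
    name, _, digest = ref.partition("@")
    # A colon after the last slash is a tag; an earlier one is a registry port.
    name, tag = name.rsplit(":", 1) if name.rfind(":") > name.rfind("/") else (name, "")
    first, sep, rest = name.partition("/")
    # The first component is a registry only if it looks like a host name.
    is_host = bool(sep) and ("." in first or ":" in first or first == "localhost")
    registry, repo = (first, rest) if is_host else ("docker.io", name)
    if registry == "docker.io" and "/" not in repo:
        repo = "library/" + repo  # Docker Hub official images
    if not REPO_RE.fullmatch(repo):
        raise ValueError(f"cannot parse image reference {ref!r}")
    return registry, repo, tag or (None if digest else "latest"), digest or None

def manifest_url(ref):
    """Registry v2 manifest endpoint for ref; a digest takes precedence over a tag."""
    registry, repo, tag, digest = parse_image(ref)
    return f"https://{API_HOST.get(registry, registry)}/v2/{repo}/manifests/{digest or tag}"

def workflow_images(workflow):
    """Collect the distinct images named in a Workflow manifest given as a dict."""
    images = set()
    for tmpl in workflow.get("spec", {}).get("templates", []):
        containers = [tmpl.get("container"), tmpl.get("script")]
        containers += (tmpl.get("initContainers") or []) + (tmpl.get("sidecars") or [])
        containers += (tmpl.get("containerSet") or {}).get("containers") or []
        images.update(c["image"] for c in containers if c and c.get("image"))
    return sorted(images)

def manifest_targets(workflow):
    """Return ({image: manifest URL}, [images that cannot be checked statically])."""
    urls, unresolved = {}, []
    for image in workflow_images(workflow):
        try:
            urls[image] = manifest_url(image)
        except ValueError:  # e.g. "{{inputs.parameters.image}}" template expressions
            unresolved.append(image)
    return urls, unresolved

# Constructed sample manifest (as a dict); every name in this block is illustrative.
SAMPLE = {"spec": {"templates": [
    {"container": {"image": "alpine:3.19"}, "sidecars": [{"image": "localhost:5000/db"}]},
    {"script": {"image": "quay.io/example/runner@sha256:" + "a" * 64}},
    {"container": {"image": "{{inputs.parameters.image}}"}}]}}
```

Images returned as unresolved are template expressions that only receive a value at run time, so they cannot be checked before submission.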

@SotirisOikonomou SotirisOikonomou added the type/feature Feature request label Jan 8, 2025
@shuangkun
Member

Whether the image is accessible is closely related to the user's network and permission configuration. I think it is difficult to implement this in Argo.

@MasonM
Contributor

MasonM commented Jan 11, 2025

While checking image accessibility is difficult, you could implement an image allowlist using a validation admission policy that rejects workflows using an unapproved image. Currently, you can't use VAPs with Argo Workflows because the full CRDs are broken, and I have a PR to fix those: #14044
