From 1abe2c4860a11469790464adfe7b8e775c34462c Mon Sep 17 00:00:00 2001 From: Sascha Grunert Date: Tue, 13 Jan 2026 13:52:43 +0100 Subject: [PATCH] Fix credential test by setting AlwaysVerify policy The test expects unauthorized pods to be blocked from accessing cached private images, but the default policy (NeverVerifyPreloadedImages) allows access to any image previously pulled by the kubelet. Configure the kubelet to use AlwaysVerify policy for this test, which enforces credential checks for all images regardless of pull history. Signed-off-by: Sascha Grunert --- test/e2e_node/image_credential_pulls.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/test/e2e_node/image_credential_pulls.go b/test/e2e_node/image_credential_pulls.go index c82e8a25acf..1cfa7b1304e 100644 --- a/test/e2e_node/image_credential_pulls.go +++ b/test/e2e_node/image_credential_pulls.go @@ -28,6 +28,7 @@ import ( internalapi "k8s.io/cri-api/pkg/apis" runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1" "k8s.io/kubernetes/pkg/features" + kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config" admissionapi "k8s.io/pod-security-admission/api" e2ecommonnode "k8s.io/kubernetes/test/e2e/common/node" @@ -44,6 +45,11 @@ var _ = SIGDescribe("Ensure Credential Pulled Images", func() { var testImage string var testSecret *v1.Secret var testNode string + + tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) { + initialConfig.ImagePullCredentialsVerificationPolicy = string(kubeletconfig.AlwaysVerify) + }) + ginkgo.BeforeEach(func(ctx context.Context) { var err error _, is, err = getCRIClient()