
Kubernetes v1.33 Fixes a Decade-Old Image Pull Loophole

Kubernetes v1.33 introduces the KubeletEnsureSecretPulledImages feature gate, which forces credential verification for cached private images, closing a ten‑year‑old security loophole that allowed Pods to reuse unauthorized images across namespaces regardless of imagePullPolicy settings.

Cloud Native Technology Community

For the past ten years Kubernetes had a subtle but serious security vulnerability: when a Pod used imagePullPolicy: IfNotPresent and the required private image was already cached on the node, the Kubelet would start the container without checking whether the Pod possessed the necessary pull credentials.

This issue could be exploited in multi‑tenant clusters, for example when a Pod in namespace team‑a pulls and caches private.registry/foo/bar:latest with proper credentials, and later a Pod in team‑b attempts to run the same image without any credentials, yet the Kubelet reuses the cached image, breaking namespace isolation.

With the release of Kubernetes v1.33, the new feature gate KubeletEnsureSecretPulledImages changes this behavior: when enabled, the Kubelet always verifies that the Pod has valid credentials before using a cached private image.

The updated behavior for the three image pull policies is:

Always: unchanged; the image is always pulled and credentials are verified.

IfNotPresent: the Kubelet now checks whether the credentials used for the cached image match the current Pod’s credentials.

Never: no pull occurs, but the Kubelet still validates that the credentials match those used during the original successful pull.

Implementation details: the Kubelet maintains a local file‑based cache that records the hash of the credentials used for a successful pull and the name of the Secret that provided them. When a Pod attempts to start with a cached image, the Kubelet compares the current credentials against this record; if they match, the Pod is allowed to start, otherwise the Kubelet attempts a fresh pull to verify access.
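To make the decision logic concrete, here is an added Go sketch that is not Kubernetes' own code: an in-memory map stands in for the Kubelet's file-based cache, and the credential hashing scheme, the Decision values and the sample registry credentials are all assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Decision is what the kubelet does when a Pod asks for a private image.
type Decision string

const (
	UseCached Decision = "use-cached" // credentials match the recorded pull
	RePull    Decision = "re-pull"    // pull again so the registry verifies access
	Deny      Decision = "deny"       // policy Never and credentials do not match
)

// pullRecord holds what the page says the kubelet records after a
// successful pull: a hash of the credentials and the Secret that supplied them.
type pullRecord struct {
	credHash   string
	secretName string
}

// pulledImageCache is a constructed in-memory stand-in for the kubelet's
// file-based cache, keyed by image reference.
type pulledImageCache map[string][]pullRecord

// credHash is an assumed hashing scheme; the real format is not on the page.
func credHash(username, password string) string {
	sum := sha256.Sum256([]byte(username + "\x00" + password))
	return hex.EncodeToString(sum[:])
}

// RecordPull is called after a pull with these credentials succeeded.
func (c pulledImageCache) RecordPull(image, secret, user, pass string) {
	c[image] = append(c[image], pullRecord{credHash(user, pass), secret})
}

// Authorize applies the per-policy rules: Always pulls; IfNotPresent uses the
// cache only on a credential match and re-pulls otherwise; Never refuses to
// pull, so a mismatch is a hard deny. A Pod with no credentials hashes to a
// value no successful pull recorded, so it never matches.
func (c pulledImageCache) Authorize(policy, image, user, pass string) Decision {
	if policy == "Always" {
		return RePull
	}
	want := credHash(user, pass)
	for _, r := range c[image] {
		if r.credHash == want {
			return UseCached
		}
	}
	if policy == "Never" {
		return Deny
	}
	return RePull
}

func main() {
	img := "private.registry/foo/bar:latest" // image from the page's scenario
	c := pulledImageCache{}
	c.RecordPull(img, "team-a-regcred", "team-a", "s3cret") // constructed creds
	fmt.Println("team-a, IfNotPresent:", c.Authorize("IfNotPresent", img, "team-a", "s3cret"))
	fmt.Println("team-b, no creds, IfNotPresent:", c.Authorize("IfNotPresent", img, "", ""))
	fmt.Println("team-b, no creds, Never:", c.Authorize("Never", img, "", ""))
}
```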

The feature also adds support for Projected Service Account Tokens (PSAT) via KEP‑4412, enabling finer‑grained workload isolation and access control.

To enable the feature for testing, add the following flag to the Kubelet startup parameters:

# Set this flag on the kubelet
--feature-gates=KubeletEnsureSecretPulledImages=true

Future work includes adding a PSAT‑based image pull credential provider, introducing TTL for credential caches, using in‑memory caches to reduce I/O latency, and conducting performance benchmarks under high load.

Closing this decade‑old loophole significantly improves image pull security in multi‑tenant environments, and enabling the feature is strongly recommended for shared clusters.

Tags: cloud-native, Kubernetes, security, Feature Gates, ImagePullPolicy, v1.33

Written by Cloud Native Technology Community

The Cloud Native Technology Community, part of the CNBPA Cloud Native Technology Practice Alliance, focuses on evangelizing cutting‑edge cloud‑native technologies and practical implementations. It shares in‑depth content, case studies, and event/meetup information on containers, Kubernetes, DevOps, Service Mesh, and other cloud‑native tech, along with updates from the CNBPA alliance.