Feature/image volume support #857

Open: efiguti wants to merge 2 commits into keel-hq:master from efiguti:feature/image-volume-support
efiguti (Contributor) commented May 20, 2026

Summary

Implements #849 — adds opt-in support for tracking and updating
OCI image volume sources
(spec.volumes[].image.reference, Kubernetes 1.31+ with the
ImageVolume feature gate).

  • New annotation keel.sh/imageVolumes: "true" — mirrors the existing
    keel.sh/initContainers annotation (off by default, set per-resource).
  • Volume names are filtered with the existing
    keel.sh/monitorContainers regex, so one annotation governs all image
    references on the resource (containers + init containers + image
    volumes).
  • Supported on Deployments, StatefulSets, DaemonSets and CronJobs via
    the existing GenericResource abstraction.

Example

metadata:
  annotations:
    keel.sh/policy: minor
    keel.sh/imageVolumes: "true"
spec:
  template:
    spec:
      containers:
        - name: app
          image: karolisr/webhook-demo:0.0.8
          volumeMounts:
            - { name: oci-config, mountPath: /etc/config }
      volumes:
        - name: oci-config
          image:
            reference: karolisr/webhook-demo:0.0.8
            pullPolicy: IfNotPresent

Files changed

  • types/types.go — new KeelImageVolumeAnnotation constant
  • internal/k8s/{resource,converter}.go — VolumeFilter type plus
    Volumes(), GetImageVolumeReferences(), UpdateImageVolume() on
    GenericResource, wired through all four supported kinds
  • provider/kubernetes/kubernetes.go — getImageVolumeTrackingFromMeta
    + GetMonitorVolumesFromMeta; TrackedImages() and
    updateDeployments() include image-volume references when the
    annotation is set
  • provider/kubernetes/updates.go — new loop in checkForUpdate that
    parses each image volume reference, applies the policy, and rewrites
    it in place
  • ARCHITECTURE.md + readme.md — documentation for the new
    annotation

Test plan

  • go build ./... clean
  • go vet ./... clean (no new warnings)
  • go test ./internal/k8s/... ./provider/kubernetes/... passes
  • New unit tests cover both TrackedImages discovery and the
    checkForUpdate rewrite path for image volumes (resource_test.go,
    kubernetes_test.go)
  • Manual verification on a Kubernetes 1.31+ cluster with the
    ImageVolume feature gate enabled

Closes #849

efiguti added 2 commits May 20, 2026 11:25

Adds opt-in support for Kubernetes image volume sources
(spec.volumes[].image.reference, available since Kubernetes 1.31 with
the ImageVolume feature gate). Behaves like init container tracking:
enabled per-resource via the keel.sh/imageVolumes: "true" annotation,
off by default. Volume names are matched against the existing
keel.sh/monitorContainers regex so a single annotation governs all
image references on a resource.

Covers Deployments, StatefulSets, DaemonSets and CronJobs through the
GenericResource abstraction, with unit tests for both TrackedImages
discovery and the checkForUpdate path.

Adds the new annotation to the ARCHITECTURE.md table and a brief
configuration example to readme.md so users can discover image volume
tracking without reading the source.
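
Added example (not code from this PR or from Keel's code base): the selection rule from the summary, written so a reviewer can check which image volume references a given set of annotations would place under automatic update. The `Volume` type and `trackedImageVolumes` are hypothetical names; it assumes that only the literal value "true" opts in, that a missing `keel.sh/monitorContainers` matches every volume name, and that the regex is unanchored.

```go
package main

import (
	"fmt"
	"regexp"
)

// Annotation keys as named in the PR description.
const (
	imageVolumesAnnotation      = "keel.sh/imageVolumes"
	monitorContainersAnnotation = "keel.sh/monitorContainers"
)

// Volume is a hypothetical stand-in for a pod volume; Reference holds
// spec.volumes[].image.reference and is empty for non-image volumes.
type Volume struct{ Name, Reference string }

// trackedImageVolumes lists the image volume references selected for tracking.
// Assumed: only "true" opts in, no regex means every name matches, and the
// regex is unanchored. An invalid regex is an error, not a silent match-all.
func trackedImageVolumes(ann map[string]string, vols []Volume) ([]string, error) {
	if ann[imageVolumesAnnotation] != "true" {
		return nil, nil // off by default
	}
	var filter *regexp.Regexp
	if expr, ok := ann[monitorContainersAnnotation]; ok {
		re, err := regexp.Compile(expr)
		if err != nil {
			return nil, fmt.Errorf("bad %s: %w", monitorContainersAnnotation, err)
		}
		filter = re
	}
	var refs []string
	for _, v := range vols {
		// Skip non-image volumes and names the filter rejects.
		if v.Reference == "" || (filter != nil && !filter.MatchString(v.Name)) {
			continue
		}
		refs = append(refs, v.Reference)
	}
	return refs, nil
}

func main() {
	// Constructed input modelled on the PR's example manifest.
	ann := map[string]string{"keel.sh/policy": "minor", imageVolumesAnnotation: "true"}
	vols := []Volume{{"oci-config", "karolisr/webhook-demo:0.0.8"}, {"scratch", ""}}
	fmt.Println(trackedImageVolumes(ann, vols))
}
```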