Issue with k8s.io/docs/tasks/configure-pod-container/configure-pod-configmap/ #49599

Open
botanyhelp opened this issue Jan 30, 2025 · 8 comments
Labels
language/en Issues or PRs related to English language needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. sig/docs Categorizes an issue or PR as relevant to SIG Docs.

Comments

botanyhelp commented Jan 30, 2025

Love the k8s docs, thanks! I am not yet an expert but I share an error I found when using the docs.

VERY SHORT VERSION: THIS COMMAND DOES NOT WORK, gives errors: ErrImagePull and ImagePullBackOff:
kubectl create -f https://kubernetes.io/examples/pods/pod-single-configmap-env-variable.yaml

LONG VERSION:
I am running on minikube on GCP CloudShell and performing tasks found here:

https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/

Things are good when I create this configmap:

kubectl create configmap special-config --from-literal=special.how=very

..but things go WRONG when I run the next command in the task to create the pod using that configmap:

kubectl create -f https://kubernetes.io/examples/pods/pod-single-configmap-env-variable.yaml

I see these two snippets, from k get pod and k events:

pod/dapi-test-pod   0/1     ImagePullBackOff   0          5s
Error: ErrImagePull
10s                     Warning   Failed                    Pod/dapi-test-pod                       Failed to pull image "registry.k8s.io/busybox": [DEPRECATION NOTICE] Docker Image Format v1 and Docker Image manifest version 2, schema 1 support is disabled by default and will be removed in an upcoming release. Suggest the author of registry.k8s.io/busybox:latest to upgrade the image to the OCI Format or Docker Image manifest v2, schema 2. More information at https://docs.docker.com/go/deprecated-image-specs/

Farther below, I copy-paste from my GCP-cloudshell terminal which shows my kubectl and minikube versions and the output from those commands:

If I edit and change the pod-single-configmap-env-variable.yaml file to use a different image, with this line:

image: nginx:1.26.2-alpine

..then it works, so I think the problem in file pod-single-configmap-env-variable.yaml is that the "image:" line causes ErrImagePull and ImagePullBackOff, this line:

image: registry.k8s.io/busybox

OUTPUT copy-pasted from my GCP CloudShell terminal while running minikube:

# date
Thu Jan 30 01:50:27 PM UTC 2025

# k version
Client Version: v1.31.4
Kustomize Version: v5.4.2
Server Version: v1.31.0

# minikube version
minikube version: v1.34.0
commit: 210b148df93a80eb872ecbeb7e35281b3c582c61

# k get pod,cm
NAME                         DATA   AGE
configmap/kube-root-ca.crt   1      29m

# kubectl create configmap special-config --from-literal=special.how=very
configmap/special-config created

# kubectl create -f https://kubernetes.io/examples/pods/pod-single-configmap-env-variable.yaml
pod/dapi-test-pod created

# k get pod,cm
NAME                READY   STATUS             RESTARTS   AGE
pod/dapi-test-pod   0/1     ImagePullBackOff   0          5s

NAME                         DATA   AGE
configmap/kube-root-ca.crt   1      30m
configmap/special-config     1      13s

# k events
LAST SEEN               TYPE      REASON                    OBJECT                                  MESSAGE

47s                     Normal    Scheduled                 Pod/dapi-test-pod                       Successfully assigned default/dapi-test-pod to minikube
19s (x3 over 46s)       Warning   Failed                    Pod/dapi-test-pod                       Error: ImagePullBackOff
19s (x3 over 46s)       Normal    BackOff                   Pod/dapi-test-pod                       Back-off pulling image "registry.k8s.io/busybox"
5s (x3 over 46s)        Warning   Failed                    Pod/dapi-test-pod                       Error: ErrImagePull
5s (x3 over 46s)        Normal    Pulling                   Pod/dapi-test-pod                       Pulling image "registry.k8s.io/busybox"
5s (x3 over 46s)        Warning   Failed                    Pod/dapi-test-pod                       Failed to pull image "registry.k8s.io/busybox": [DEPRECATION NOTICE] Docker Image Format v1 and Docker Image manifest version 2, schema 1 support is disabled by default and will be removed in an upcoming release. Suggest the author of registry.k8s.io/busybox:latest to upgrade the image to the OCI Format or Docker Image manifest v2, schema 2. More information at https://docs.docker.com/go/deprecated-image-specs/
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

SIG Docs takes a lead on issue triage for this website, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jan 30, 2025
@utkarsh-singh1
Contributor

utkarsh-singh1 commented Jan 30, 2025

@botanyhelp, thanks for reporting the issue, which seems to throw an error of non-existence with the latest version of the busybox image.

@utkarsh-singh1
Contributor

You can check out a similar case, where busybox deployed as a pod caused an issue, in #49406, and its resolution in PR #49474. You can create a custom pod using the image registry.k8s.io/busybox:1.27.2 and any other secured version of busybox in your pod deployment.

@utkarsh-singh1
Contributor

However, I think we should update the image tag temporarily, or add a warning that busybox with the latest tag is having some issues, so use a more secure and stable image for your deployment.

/language en
/sig docs
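
As an added example (not part of the thread or of the Kubernetes docs): the pull failure reported above comes from an image reference with no tag, which resolves to `latest`. The shell function below lists image references in a manifest that have no explicit tag or digest, or that use `:latest`; the function names and the sample manifest are constructed for illustration.

```shell
# Added example: list image references that are not pinned to a tag or digest.
# unpinned_images and sample_manifest are names made up for this example.
unpinned_images() {
  # Reads a Kubernetes manifest on stdin; prints one unpinned image per line.
  sed -n 's/^[[:space:]-]*image:[[:space:]]*//p' |
  tr -d "\"'" |
  while IFS= read -r ref; do
    ref=${ref%%[[:space:]]*}          # drop a trailing comment or whitespace
    [ -n "$ref" ] || continue
    case $ref in
      *@sha256:*) continue ;;         # pinned by digest
    esac
    last=${ref##*/}                   # last path part, so a registry port is not read as a tag
    case $last in
      *:latest) printf '%s\n' "$ref" ;;   # explicit but mutable tag
      *:*) ;;                             # explicit version tag
      *) printf '%s\n' "$ref" ;;          # no tag: resolves to :latest
    esac
  done
}

# Constructed sample input. The first three image values are quoted in the
# issue; the last three are invented to exercise the edge cases.
sample_manifest() {
  cat <<'EOF'
kind: Pod
spec:
  containers:
    - name: a
      image: registry.k8s.io/busybox
    - name: b
      image: registry.k8s.io/busybox:1.27.2
    - name: c
      image: "nginx:1.26.2-alpine"
    - name: d
      image: localhost:5000/tools/busybox   # port, but no tag
    - name: e
      image: example.test/app:latest
    - image: example.test/app@sha256:0000000000000000000000000000000000000000000000000000000000000000
EOF
}

sample_manifest | unpinned_images
```

To check a manifest before applying it, pipe the file into the function, for example `unpinned_images < pod.yaml` (`pod.yaml` being a placeholder name).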

@k8s-ci-robot k8s-ci-robot added language/en Issues or PRs related to English language sig/docs Categorizes an issue or PR as relevant to SIG Docs. labels Jan 30, 2025
@iheartNathan
Contributor

#49474 should help fix this.

@botanyhelp
Author

It's been good to see prompt and helpful responses!
I reported the ErrImagePull problem because it seems like an easy fix.
I am not an expert and so not sure if I should report problems like these on the ISSUES GitHub page.
I am not sure if I should bother reporting problems in the k8s docs.
I find them all the time.
For example, today I can see that on this page:

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

..we are instructed to run these commands, which I do and which does work:

kubectl apply -f https://k8s.io/examples/pods/security/security-context-5.yaml
kubectl exec -it security-context-demo -- sh
id

..but the output I get from running id in the container is not what the task docs tell me to expect. We are told to see output like this:

uid=1000 gid=3000 groups=3000,4000,50000

..but I see this output which, without the 50000, kind of defeats the learning purpose of the exercise:

uid=1000(user-defined-in-image) gid=3000 groups=3000,4000

I copy-paste, below, the exact output that I see, in the terminal, when running on GKE Cloudshell with minikube.
Like I say, I can make reports like this on the Issues page as suggested at the bottom of each k8s docs page, but I'm not sure if I should be making lots of such noise. Thanks for the great DOCS, I am learning a ton. Keep up the great work!

MY OUTPUT:

security# kubectl apply -f https://k8s.io/examples/pods/security/security-context-5.yaml
pod/security-context-demo created

security# kubectl exec -it security-context-demo -- sh
/ $ id
uid=1000(user-defined-in-image) gid=3000 groups=3000,4000
/ $ exit

security# k version
Client Version: v1.31.4
Kustomize Version: v5.4.2
Server Version: v1.31.0

security# minikube version
minikube version: v1.34.0
commit: 210b148df93a80eb872ecbeb7e35281b3c582c61
security#

@iheartNathan
Contributor

Hello @botanyhelp, we recommend creating an issue when you spot one in the Kubernetes docs, and you are also welcome to help work on these issues.

There is no issue with what's outlined in https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#implicit-group-memberships-defined-in-etc-group-in-the-container-image. It looks like the output is dependent on the CRI running on your cluster. Below is a screenshot from Killercoda, which uses containerd as the CRI.

controlplane $ kubectl apply -f https://k8s.io/examples/pods/security/security-context-5.yaml
pod/security-context-demo created
controlplane $ k get po
NAME                    READY   STATUS              RESTARTS   AGE
security-context-demo   0/1     ContainerCreating   0          8s
controlplane $ k get po
NAME                    READY   STATUS    RESTARTS   AGE
security-context-demo   1/1     Running   0          22s
controlplane $ k exec security-context-demo -it -- sh
/ $ id
uid=1000(user-defined-in-image) gid=3000 groups=3000,4000,50000(group-defined-in-image)
controlplane $ sudo systemctl status kubelet | grep 'container-runtime-endpoint'
             └─1604 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --container-runtime-endpoint=unix:///var/run/containerd/containerd.sock --pod-infra-container-image=registry.k8s.io/pause:3.10 --container-runtime-endpoint unix:///run/containerd/containerd.sock --cgroup-driver=systemd --eviction-hard imagefs.available<5%,memory.available<100Mi,nodefs.available<5% --fail-swap-on=false

@botanyhelp
Author

Thanks for the prompt and excellent update. I will try killercoda, which is one of the two things the docs tell me to set up ahead of time. minikube is almost always enough. The real cluster with 3 nodes on GKE is very nice and not so expensive if I remember to turn it off. I will NOT make another Issue about the problem you just solved/explained, that runs good on killercoda. I might try to learn how to, as you say, "help work on these issues", probably in the CONTRIBUTING somewhere. For now, thanks again!
