Highlight if there is no pull credentials when ImagePullBackOff

[bergerx]

The image we are trying to retrieve could be from a private registry, and workload may not have credentials provided anywhere.

This case is covered in:

• https://kubernetes.io/docs/concepts/containers/images/#imagepullbackoff
• https://kubernetes.io/docs/concepts/containers/images/#use-cases, this one covers these 4 major cases:
  • Configuring Nodes to Authenticate to a Private Registry (all pods can read any configured private registries, requires node configuration by cluster administrator)
  • Pre-pulled Images (all pods can use any images cached on a node, requires root access to all nodes to setup)
  • Specifying ImagePullSecrets on a Pod (only pods which provide own keys can access the private registry)
  • Vendor-specific or local extensions (if you're using a custom node configuration, you (or your cloud provider) can implement your mechanism for authenticating the node to the container registry.)
• https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/:
• https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account

Common paths to find the credentials are:

• pod.spec.imagePullSecrets, can also be auto-populated by the pod's ServiceAccount.imagePullSecrets
  
• pod.spec.containers.imagePullSecrets

We may even go further and check if the provided credentials are valid. But do we really want operators to issue an authentication request to the container registry from the client? Maybe we can have a special flag that enables this check and provide a help message to try with that flag to test.

These checks should be skipped if the imagePullPolicy property of the container is set to Never. This case needs to be explicitly covered.