Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

Detect and log Docker Hub rate limit errors in image pulls #21590

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
henry3260 wants to merge 2 commits into kubernetes:master
base: master
Choose a base branch
Loading
from henry3260:feature/docker-rate-limit-logging

Conversation

Copy link

@henry3260 henry3260 commented Sep 17, 2025
edited
Loading

This PR improves error visibility when pulling images fails due to Docker Hub rate limits.

Changes

  • Updated PullImages in cache_images.go to detect 429 Too Many Requests errors and return them to the caller.
  • Added a warning log with a helpful link: https://www.docker.com/increase-rate-limit
  • Ensures users are clearly informed when image pulls fail due to Docker Hub rate limiting.

Impact

  • Users will now see a clear log message if image pulls fail because of Docker Hub rate limits, instead of only a generic failure message.
  • Callers of PullImages can now handle the 429 error explicitly.

Testing

  • Added a unit test in cache_image_test.go that simulates a 429 Too Many Requests error in pullImages.
  • Verified the following log output appears:

Docker Hub rate limit reached for profile minikube. See: https://www.docker.com/increase-rate-limit

Before:

image

After:

image

Fixes: #21442

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Sep 17, 2025
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: henry3260
Once this PR has been reviewed and has the lgtm label, please assign prezha for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Sep 17, 2025
Copy link
Contributor

Hi @henry3260. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Sep 17, 2025
Copy link
Collaborator

Can one of the admins verify this patch?

failed = append(failed, m)
// Rate limit check
if strings.Contains(err.Error(), "429 Too Many Requests") {
klog.Warningf("Docker Hub rate limit reached for profile %s. See: https://www.docker.com/increase-rate-limit", pName)
Copy link
Member

@medyagh medyagh Sep 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should use
out.Styled(style.Notice, Kicbase images have not been deleted. To delete images run:)

I supsect there are other places we could that

do you putting a Before/Aeter this PR,

you can simulate the rate limit by making a Dummy docker binary that always returns with rate limit...
howevever we also have pulling images using go library , you mock those libraries for full coverage of everywhere we pull image

https://github.com/google/go-containerregistry

henry3260 reacted with heart emoji
Copy link
Member

@medyagh medyagh Sep 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also in our addons we need to check if addons which docker images if they are rate limitted or not.

so we should add code to where we enable the addons (and verify that the image is not rate limitted) and if it is we should tell the users nicely

Copy link
Author

@henry3260 henry3260 Sep 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, thanks for the clarification!
For this PR, I can switch the logging in cache_images.go from klog to out.Styled(style.Notice, ...) where appropriate.
Do you suggest I update all klog calls in that file, or just the ones related to rate limit messages?

Also, I’ll look into adding tests by mocking docker/go-containerregistry to simulate the rate limit scenario.

Copy link
Author

@henry3260 henry3260 Sep 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it!
So for addons, I’ll add a check when enabling them to verify the image is not rate-limited, and if it is, we’ll surface a friendly notice to the user.

Copy link
Author

@henry3260 henry3260 Sep 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should use out.Styled(style.Notice, Kicbase images have not been deleted. To delete images run:)

I supsect there are other places we could that

do you putting a Before/Aeter this PR,

you can simulate the rate limit by making a Dummy docker binary that always returns with rate limit... howevever we also have pulling images using go library , you mock those libraries for full coverage of everywhere we pull image

https://github.com/google/go-containerregistry

Thanks for the suggestion! I'm not sure how to properly mock go-containerregistry's remote.Image in our current test setup. Could you give me a pointer or a small example of how you'd recommend doing that?

So far, I tried:

  • Using a dummy Docker binary (which worked for simulating errors).
  • Replacing the function with a variable to trigger the error path, but it didn't enter the if block as expected.

At this point, I'm not sure how to apply go-containerregistry to simulate the rate-limit case in tests. Any guidance or example would be really helpful.

If you'd prefer, I can open a follow-up issue for this discussion.

if err != nil {
failed = append(failed, m)
// Rate limit check
if strings.Contains(err.Error(), "429 Too Many Requests") {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using strings.Contains() means we are not using a public API. This is too fragile to depend on. Do we have an error code field or error name we can check instead?

henry3260 reacted with heart emoji
Copy link
Author

@henry3260 henry3260 Sep 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using strings.Contains() means we are not using a public API.
This is too fragile to depend on.
Do we have an error code field or error name we can check instead?

Thanks for the feedback! 🙏
I agree that relying on strings.Contains() is fragile.

In my opinion, we could consider using go-containerregistry, since its API exposes structured errors. For example:

if terr, ok := err.(*transport.Error); ok {
 if terr.StatusCode == http.StatusTooManyRequests {
 // This confirms it's a 429 rate limit error
 }
}

This way we can explicitly check the HTTP status code instead of depending on error strings.
Do you think this approach would be acceptable for minikube?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good, this is way to handle errors.

henry3260 reacted with thumbs up emoji
@henry3260 henry3260 force-pushed the feature/docker-rate-limit-logging branch from 6b32174 to 5973660 Compare September 23, 2025 18:49
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Sep 23, 2025
@henry3260 henry3260 force-pushed the feature/docker-rate-limit-logging branch from fb7f9be to f3a7a94 Compare October 8, 2025 06:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ComradeProgrammer ComradeProgrammer Awaiting requested review from ComradeProgrammer

@prezha prezha Awaiting requested review from prezha

@nirs nirs Awaiting requested review from nirs

@medyagh medyagh Awaiting requested review from medyagh

Assignees

No one assigned

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

integration tests: detect and Log Docker Hub Rate limit Failures

AltStyle によって変換されたページ (->オリジナル) /