serving: RevisionFailed when ServiceAccount references a non-existing imagePullSecret
With a default ServiceAccount in a namespace referencing an imagePullSecret that no longer exists in that namespace, creating a ksvc results in a failed Revision:
Revision "helloworld-go-00001" failed with message: Unable to fetch image "gcr.io/knative-samples/helloworld-go": failed to resolve image to digest: failed to initialize authentication: secrets "non-existing-pull-secret" not found.
Deploying the same image as an ordinary pod works fine with the same ServiceAccount.
What version of Knative?
0.20.0
Expected Behavior
Creating a Ksvc should work even if some of the image pull secrets don’t exist, if they are not actually needed to pull the image.
Actual Behavior
A Revision fails.
Steps to Reproduce the Problem
Modify the default SA in a namespace to include a non-existing imagePullSecret:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: default
secrets:
  - name: default-token-6trqg
imagePullSecrets:
  - name: non-existing-pull-secret
Create a Ksvc:
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: helloworld-go
spec:
  template:
    spec:
      containers:
        - image: gcr.io/knative-samples/helloworld-go
Notice the ksvc revision fails:
Revision "helloworld-go-00001" failed with message: Unable to fetch image "gcr.io/knative-samples/helloworld-go": failed to resolve image to digest: failed to initialize authentication: secrets "non-existing-pull-secret" not found.
Such behaviour seems inconsistent with how k8s works, as the same image with the same ServiceAccount works fine as an ordinary Pod:
apiVersion: v1
kind: Pod
metadata:
  name: hello
spec:
  containers:
    - image: gcr.io/knative-samples/helloworld-go
      name: hello
About this issue
- State: closed
- Created 3 years ago
- Comments: 15 (12 by maintainers)
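
An added example, not part of the original issue or of Knative's code: a Python audit that reads a ServiceAccount and Secret listing and reports every imagePullSecrets reference that is dangling, which is the condition that fails the Revision above. It goes slightly beyond the issue by also flagging referenced secrets that are not of a registry-credential type; the sample listing and the function name audit_pull_secrets are constructed for illustration.

```python
import json

# Secret types that can carry registry credentials for image pulls.
PULL_SECRET_TYPES = {"kubernetes.io/dockerconfigjson", "kubernetes.io/dockercfg"}

# Constructed sample in the shape of `kubectl get serviceaccounts,secrets -A -o json`.
SAMPLE = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "ServiceAccount",
         "metadata": {"name": "default", "namespace": "default"},
         "imagePullSecrets": [{"name": "non-existing-pull-secret"}]},
        {"kind": "ServiceAccount",
         "metadata": {"name": "builder", "namespace": "ci"},
         "imagePullSecrets": [{"name": "registry-creds"}, {"name": "api-token"}]},
        {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "ci"}},
        {"kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
         "metadata": {"name": "registry-creds", "namespace": "ci"}},
        {"kind": "Secret", "type": "Opaque",
         "metadata": {"name": "api-token", "namespace": "ci"}},
        # Same name, other namespace: must not satisfy the reference in "default".
        {"kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
         "metadata": {"name": "non-existing-pull-secret", "namespace": "ci"}},
    ],
})

def audit_pull_secrets(listing_json):
    """Return sorted (namespace, serviceaccount, secret, problem) tuples."""
    items = json.loads(listing_json).get("items", [])
    # Index secrets by (namespace, name); references never cross namespaces.
    secret_types = {
        (i["metadata"].get("namespace", "default"), i["metadata"]["name"]): i.get("type", "Opaque")
        for i in items if i.get("kind") == "Secret"
    }
    findings = []
    for sa in (i for i in items if i.get("kind") == "ServiceAccount"):
        ns = sa["metadata"].get("namespace", "default")
        for ref in sa.get("imagePullSecrets") or []:
            name = ref.get("name", "")
            stype = secret_types.get((ns, name))
            if stype is None:
                findings.append((ns, sa["metadata"]["name"], name, "missing"))
            elif stype not in PULL_SECRET_TYPES:
                findings.append((ns, sa["metadata"]["name"], name, "wrong-type:" + stype))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_pull_secrets(SAMPLE):
        print("%s/%s -> %s (%s)" % finding)
```

Against a live cluster, the same function can be fed the output of `kubectl get serviceaccounts,secrets -A -o json` in place of the constructed sample.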
I have made a PR #13701, could you please review it? @dprotaso ✨