New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mutating image registry does not preserve the project name #2028
Comments
Hi @drewhemm - thanks for reporting. We'll investigate this issue. |
I think what is needed is something like this, but I am unsure how to chain the functions:
|
In addition, if you simply have something like |
@sjentzsch - we are working on the fix to add the default image registry if it's missing, it should be available soon. We'll update you once we have the test image. |
@sjentzsch it's cool we'll wait |
@uderik - the image is available with tag apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: replace-image-registry
annotations:
policies.kyverno.io/title: Replace Image Registry
policies.kyverno.io/category: Sample
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/minversion: 1.4.2
policies.kyverno.io/description: >-
Rather than blocking Pods which come from outside registries,
it is also possible to mutate them so the pulls are directed to
approved registries. This sample policy mutates all images either
in the form 'image:tag' or 'registry.corp.com/image:tag' to be prefaced
with `myregistry.corp.com/`.
spec:
background: false
rules:
- name: replace-image-registry
match:
resources:
kinds:
- Pod
mutate:
patchStrategicMerge:
spec:
containers:
- (name): "*"
image: |-
{{ regex_replace_all('^[^/]+', '{{@}}', 'myregistry.corp.com') }} |
@realshuting If this updated sample is ready to go, I can include it in a held PR for v1.4.2 batched with other changes. |
That will be great! Thanks @chipzoller. |
@realshuting same with prepend image registry https://kyverno.io/policies/other/prepend-image-registry/prepend-image-registry/ unable to add project path, any advice! |
@mohamedthings, please open a new issue and provide complete reproduction steps. |
Is your feature request related to a problem? Please describe.
Relates to #674
The sample policy Replace Image Registry does not work well when the image is in
project-name/image-name
format. The regex replacesproject-name
with the custom repository, so that you end up withmylocalregistry/image-name
instead ofmylocalregistry/project-name/image-name
Describe the solution you'd like
I would like a policy that preserves the project-name, where present:
input:
Image: bash:5.0
Output:
Image: mylocalregistry/bash:5.0
Second example specifying an external registry
Input:
Image: quay.io/bash:5.0
Output:
Image: mylocalregistry/bash:5.0
Input:
Image: quay.io/foo/bash:5.0
Output:
Image: mylocalregistry/foo/bash:5.0
input:
Image: foo/bash:5.0
Output:
Image: mylocalregistry/foo/bash:5.0
The text was updated successfully, but these errors were encountered: