Mutating image registry does not preserve the project name #2028

Closed
drewhemm opened this issue Jun 16, 2021 · 10 comments · Fixed by #2166
@drewhemm

Is your feature request related to a problem? Please describe.

Relates to #674

The sample policy Replace Image Registry does not work well when the image is in project-name/image-name format. The regex replaces project-name with the custom repository, so that you end up with mylocalregistry/image-name instead of mylocalregistry/project-name/image-name

Describe the solution you'd like

I would like a policy that preserves the project-name, where present:

Input:

Image: bash:5.0

Output:

Image: mylocalregistry/bash:5.0

Second example specifying an external registry
Input:

Image: quay.io/bash:5.0

Output:

Image: mylocalregistry/bash:5.0

Input:

Image: quay.io/foo/bash:5.0

Output:

Image: mylocalregistry/foo/bash:5.0

Input:

Image: foo/bash:5.0

Output:

Image: mylocalregistry/foo/bash:5.0

@drewhemm drewhemm added the enhancement New feature or request label Jun 16, 2021
@github-actions github-actions bot added the sample policy New sample policy to add to library label Jun 16, 2021
@realshuting realshuting removed the sample policy New sample policy to add to library label Jun 16, 2021
@realshuting realshuting self-assigned this Jun 16, 2021
@realshuting realshuting added bug Something isn't working and removed enhancement New feature or request labels Jun 16, 2021
@realshuting realshuting added this to the Kyverno Release 1.4.1 milestone Jun 16, 2021
@realshuting
Member

Hi @drewhemm - thanks for reporting. We'll investigate this issue.

@drewhemm
Author

I think what is needed is something like this, but I am unsure how to chain the functions:

```yaml
rules:
    - name: replace-image-registry-with-dots
      match:
        resources:
          kinds:
          - Pod
      mutate:
        patchStrategicMerge:
          spec:
            containers:
            - (name): "*"
              image: |-
                {{ split(@, '/') | [0] | contains('.') | regex_replace_all('([\w\.-]*)\/', '{{@}}', 'myregistry.corp.com/') }}
    - name: replace-image-registry-without-dots
      match:
        resources:
          kinds:
          - Pod
      mutate:
        patchStrategicMerge:
          spec:
            containers:
            - (name): "*"
              image: |-
                {{ split(@, '/') | [0] | contains('.') || replace('{{@}}', 'myregistry.corp.com/{{@}}' ) }}
```

@chipzoller chipzoller added the mutation Issues pertaining to the mutate ability. label Jul 15, 2021
@sjentzsch
Copy link

In addition, if you simply have something like image: busybox:1.28, it would also not prepend the custom repository, given the search string of '(.*)\/'

@realshuting
Member

@sjentzsch - we are working on the fix to add the default image registry if it's missing; it should be available soon. We'll update you once we have the test image.

@uderik

uderik commented Jul 20, 2021

@sjentzsch it's cool we'll wait

@realshuting
Member

@uderik - the image is available with tag v1.4.1-63-gb2515fa9, and I modified the policy slightly in order to mutate the registry. We'll update the sample policy:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: replace-image-registry
  annotations:
    policies.kyverno.io/title: Replace Image Registry
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.4.2
    policies.kyverno.io/description: >-
      Rather than blocking Pods which come from outside registries,
      it is also possible to mutate them so the pulls are directed to
      approved registries. This sample policy mutates all images either
      in the form 'image:tag' or 'registry.corp.com/image:tag' to be prefaced
      with `myregistry.corp.com/`.
spec:
  background: false
  rules:
    - name: replace-image-registry
      match:
        resources:
          kinds:
          - Pod
      mutate:
        patchStrategicMerge:
          spec:
            containers:
            - (name): "*"
              image: |-
                {{ regex_replace_all('^[^/]+', '{{@}}', 'myregistry.corp.com') }}
```
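
The four input/output cases from the issue description, as an added Go example that is not part of the thread or of Kyverno's code: `regexRewrite` applies the `^[^/]+` pattern from the policy above to a raw image string, and `rewriteRegistry` detects a registry host by the Docker reference convention before swapping it, so the project path survives. Both function names are hypothetical, and `mylocalregistry` is the placeholder used in the issue.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// firstSegment is the pattern used in the updated sample policy.
var firstSegment = regexp.MustCompile(`^[^/]+`)

// regexRewrite mirrors regex_replace_all('^[^/]+', image, registry)
// applied to the image string exactly as written in the Pod spec.
func regexRewrite(image, registry string) string {
	return firstSegment.ReplaceAllString(image, registry)
}

// hasRegistry follows the Docker reference convention: the first path
// segment is a registry host only if it contains '.' or ':' or is "localhost".
func hasRegistry(image string) bool {
	i := strings.Index(image, "/")
	if i < 0 {
		return false // bare "image:tag", no registry and no project
	}
	host := image[:i]
	return strings.ContainsAny(host, ".:") || host == "localhost"
}

// rewriteRegistry (hypothetical helper) swaps or prepends the registry
// and keeps any project path in front of the image name.
func rewriteRegistry(image, registry string) string {
	if hasRegistry(image) {
		image = image[strings.Index(image, "/")+1:]
	}
	return registry + "/" + image
}

func main() {
	// Constructed inputs: the four cases listed in the issue description.
	imgs := []string{"bash:5.0", "quay.io/bash:5.0", "quay.io/foo/bash:5.0", "foo/bash:5.0"}
	for _, img := range imgs {
		fmt.Printf("%-22s regex=%-30s aware=%s\n", img,
			regexRewrite(img, "mylocalregistry"), rewriteRegistry(img, "mylocalregistry"))
	}
}
```

The `regex` column is only correct for inputs that already begin with a registry host, which is the case the default-registry fix mentioned in the thread addresses.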

@chipzoller
Member

@realshuting If this updated sample is ready to go, I can include it in a held PR for v1.4.2 batched with other changes.

@realshuting
Member

> @realshuting If this updated sample is ready to go, I can include it in a held PR for v1.4.2 batched with other changes.

That will be great! Thanks @chipzoller.

@mohamedthings

@realshuting Same with prepend image registry https://kyverno.io/policies/other/prepend-image-registry/prepend-image-registry/ - unable to add project path. Any advice?

@chipzoller
Member

@mohamedthings, please open a new issue and provide complete reproduction steps.
