[Sample] rewrite image registry #882
Comments
/assign
I would like to work on this
We tested the above, and it didn't work with the bare registry, so we ended up with this.
This assumes your harbor proxy caches have the same exact name as the registry you are replacing e.g.
@JimBugwadia I have also tested this policy -

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: replace-image-registry
  annotations:
    policies.kyverno.io/title: Replace Image Registry
    kyverno.io/kubernetes-version: "1.24"
spec:
  background: false
  rules:
    - name: replace-image-registry-pod-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        foreach:
          - list: "request.object.spec.containers"
            context:
              - name: imageData
                imageRegistry:
                  reference: "{{ element.image }}"
            preconditions:
              any:
                - key: "{{imageData.image}}"
                  operator: Equals
                  value: "docker.io/*"
            patchStrategicMerge:
              spec:
                containers:
                  - name: "{{ element.name }}"
                    image: "harbor.example.com/{{imageData.repository}}:{{imageData.identifier}}"
    - name: replace-image-registry-pod-initcontainers
      match:
        any:
          - resources:
              kinds:
                - Pod
      preconditions:
        all:
          - key: "{{ request.object.spec.initContainers[] || `[]` | length(@) }}"
            operator: GreaterThanOrEquals
            value: 1
      mutate:
        foreach:
          - list: "request.object.spec.initContainers"
            context:
              - name: imageData
                imageRegistry:
                  reference: "{{ element.image }}"
            preconditions:
              any:
                - key: "{{imageData.image}}"
                  operator: Equals
                  value: "docker.io/*"
            patchStrategicMerge:
              spec:
                initContainers:
                  - name: "{{ element.name }}"
                    image: "harbor.example.com/{{imageData.repository}}:{{imageData.identifier}}"
```

I got this output -

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod1
spec:
  containers:
    - image: harbor.example.com/nginx:latest
      name: docker-with-registry
```
Wanted to note, what we used above doesn't work well either. It appears to work fine, and then you will randomly get pods that have the registry doubled up.
I can't figure out why. When I test it locally
I have no problems, but I've noticed with my helm charts we have deployed, it will randomly happen like the above.
See: kyverno/kyverno#9381
Thanks @JimBugwadia @chipzoller
@jseiser, the reason you were probably seeing the doubled-up name prefix was due to Pod UPDATE ops. To avoid that, it's best to fire on CREATE requests only. The point may be moot if you still haven't found anything that'll work currently.
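Applying the CREATE-only suggestion from the comment above to the containers rule posted earlier in this thread (an added example, not the Kyverno project's own sample policy). The policy name is hypothetical, and the `operations` field under `match` assumes Kyverno 1.10 or later.

```yaml
# Added example: CREATE-only variant of the containers rule from this thread.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: replace-image-registry-create-only   # hypothetical name
spec:
  background: false
  rules:
    - name: replace-image-registry-pod-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
              # Admission operations this rule fires on. UPDATE is left out,
              # so a Pod whose image was already rewritten at creation is
              # not passed through the mutation a second time.
              operations:
                - CREATE
      mutate:
        foreach:
          - list: "request.object.spec.containers"
            context:
              - name: imageData
                imageRegistry:
                  reference: "{{ element.image }}"
            preconditions:
              any:
                # Only rewrite images that resolve to Docker Hub.
                - key: "{{imageData.image}}"
                  operator: Equals
                  value: "docker.io/*"
            patchStrategicMerge:
              spec:
                containers:
                  - name: "{{ element.name }}"
                    image: "harbor.example.com/{{imageData.repository}}:{{imageData.identifier}}"
```

The initContainers rule takes the same `operations` entry. On Kyverno versions without that field, a rule-level precondition comparing `{{request.operation}}` to `CREATE` with the `Equals` operator restricts the rule in the same way.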
Problem Statement
Rewrite the image registry to force all pulls through a proxy cache, e.g. with Harbor
Solution Description
Example "Good" Resource
No response
Example "Bad" Resource
No response
Other Comments
No response
Slack discussion
https://kubernetes.slack.com/archives/CLGR9BJU9/p1704740196988469
Troubleshooting