The goal of this repository is to allow a kubernetes application to be deployed with images which have been moved to a private registry, but without editing the application configuration. A webhook rewrites the image references in the application's pods according to a mapping which is configured using custom resources.
To do:
For more context, please see the image relocation repository's README.
This repository consists of a MutatingAdmissionWebhook which rewrites kubernetes pods to use relocated image
references.
The mapping from original to relocated image references is built by deploying imagemap custom resources
which are processed by a controller also provided by this repository.
Each imagemap is namespaced and applies only to pods in the same namespace.
When an imagemap is deployed, if it is inconsistent with other imagemaps in the namespace, it is rejected
and the status of the imagemap details the inconsistency (in a Ready condition with status false).
After the inconsistency has been corrected, the rejected imagemap is automatically redeployed after a
short delay (currently one minute).
If an imagemap is updated and this results in the imagemap being rejected, the original imagemap is undeployed.
The following was tested using a GKE cluster.
Install Jetstack certificate manager:
kubectl create namespace cert-manager && \
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager.yamlIf you want the controller and webhook to provide detailed logs, enable debug logging in the currently active patch
file, such asconfig/default/manager_auth_proxy_patch.yaml, like this:
...
- name: manager
args:
- "--metrics-addr=127.0.0.1:8080"
- "--enable-leader-election"
- "--debug"
...Build and deploy the webhook:
make docker-build docker-push IMG=<some-registry>/<project-name>:tag &&
make deploy IMG=<some-registry>/<project-name>:tagDeploy a sample imagemap custom resource, after editing it to replace <repo prefix> with a suitable repository
prefix (e.g. gcr.io/my-sandbox) to which you and the cluster have access:
# remember to edit config/samples/mapper_v1alpha1_imagemap.yaml
kubectl apply -f config/samples/mapper_v1alpha1_imagemap.yamlObserve the image map resources:
kubectl get imagemapsOutput:
NAME AGE
bootcamp-sample 1mCreate a pod, e.g.:
kubectl run kubernetes-bootcamp --image=gcr.io/google-samples/kubernetes-bootcamp:v1 --port=8080Observe the relocated image in the pod, e.g.:
kubectl get pod kubernetes-bootcamp-xxx -oyamlOutput:
...
spec:
containers:
- image: <repo prefix>/kubernetes-bootcamp:v1
...Note: the image value under containerStatuses may not be the relocated value. This is a known issue when an image has multiple references referring to it.
View the logs from the webhook, e.g.:
kubectl logs image-mapper-controller-manager-xxx -n image-mapper-systemNow tidy up:
kubectl delete deployment kubernetes-bootcamp
kubectl delete -f config/samples/mapper_v1alpha1_imagemap.yaml
make undeploy IMG=<some-registry>/<project-name>:tag
kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager.yaml