mjnagel opened this issue 11 months ago (status: Open)
This issue came up in discussion recently.

Another reason this is important is to support `kubectl debug` in an air-gapped environment. If a user has included a debug image in a Zarf package, they can get it loaded into their Zarf registry. This webhook rewrite is needed to actually start the ephemeral debug container using an image from the registry.

@bburky would note it's still possible, albeit not ideal, to use `kubectl debug` in airgap. The pull secrets will already be on the pod, so as long as they debug with the Zarf registry image name it would work. Not a great user experience though, since they would have to figure out the registry address, name, and tag that is pushed to Zarf vs. just being able to use the upstream image name/tag.
Environment
- Device and OS: macOS
- App version: 0.31.1
- Kubernetes distro being used: k3d
Steps to reproduce
`kubectl debug -it -n test test-pod --image busybox` (with some pod in cluster)
Expected result
Zarf would mutate the image to be one from Zarf's registry.
Actual Result
The update to the pod bypasses Zarf's webhook.
Severity/Priority
Not critical, user can always specify the Zarf image registry directly.
Additional Context
There are two issues at play:
1. `pods/ephemeralcontainers` added as a resource (see https://www.github.com/kyverno/kyverno/issues/2821 as an example of this)
2. `kubectl debug` call would not get patched because the pod itself already went through the patching lifecycle - https://github.com/defenseunicorns/zarf/blob/06c8e53e6a88ced00f1d8bc769e3d3f8efe7751a/src/internal/agent/hooks/pods.go#L50
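To make the second point concrete, here is an added Go example (not Zarf's code and not the handler linked above) of how a mutating webhook can treat a `pods/ephemeralcontainers` update differently from a pod object it has already patched: the "already patched" short-circuit is applied only to the pod object, while an ephemeral-container update always has its new image rewritten. The annotation name `zarf.dev/agent`, the image-rewrite scheme and the minimal pod struct are simplified assumptions; the sample pod and the registry address `127.0.0.1:31999` are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal pod shape with only the fields this example reads (assumed, not Zarf's types).
type container struct {
	Image string `json:"image"`
}

type pod struct {
	Metadata struct {
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
	Spec struct {
		Containers          []container `json:"containers"`
		EphemeralContainers []container `json:"ephemeralContainers"`
	} `json:"spec"`
}

// jsonPatchOp is one RFC 6902 operation, the form an admission response carries.
type jsonPatchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value"`
}

// Hypothetical name of the "this pod was already patched" marker annotation.
const patchedAnnotation = "zarf.dev/agent"

// rewriteImage maps an upstream reference onto the internal registry using a
// simplified, assumed scheme: drop a leading registry host (first path segment
// containing "." or ":", or "localhost"), then prefix the Zarf registry address.
func rewriteImage(registry, image string) string {
	if strings.HasPrefix(image, registry+"/") {
		return image // already internal
	}
	name := image
	if i := strings.Index(image, "/"); i > 0 {
		if first := image[:i]; strings.ContainsAny(first, ".:") || first == "localhost" {
			name = image[i+1:]
		}
	}
	return registry + "/" + name
}

func replaceImages(registry, base string, cs []container, ops []jsonPatchOp) []jsonPatchOp {
	for i, c := range cs {
		if r := rewriteImage(registry, c.Image); r != c.Image {
			ops = append(ops, jsonPatchOp{"replace", fmt.Sprintf("%s/%d/image", base, i), r})
		}
	}
	return ops
}

// mutatePod builds the patch for one admission request. subresource is the
// AdmissionRequest.subResource value: "" for the pod object itself,
// "ephemeralcontainers" for a kubectl debug update. The "already patched"
// short-circuit is only valid for the pod object; an ephemeralcontainers update
// on a patched pod carries a new image that still needs rewriting.
func mutatePod(registry, subresource string, raw []byte) ([]jsonPatchOp, error) {
	var p pod
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, fmt.Errorf("decode pod: %w", err)
	}
	if subresource == "ephemeralcontainers" {
		return replaceImages(registry, "/spec/ephemeralContainers", p.Spec.EphemeralContainers, nil), nil
	}
	if p.Metadata.Annotations[patchedAnnotation] == "patched" {
		return nil, nil // pod already went through the patching lifecycle
	}
	ops := replaceImages(registry, "/spec/containers", p.Spec.Containers, nil)
	// Mark the pod as handled. JSON Pointer escapes "/" in a key as "~1", and a
	// missing annotations map must be created whole rather than added into.
	if p.Metadata.Annotations == nil {
		return append(ops, jsonPatchOp{"add", "/metadata/annotations", map[string]string{patchedAnnotation: "patched"}}), nil
	}
	return append(ops, jsonPatchOp{"add", "/metadata/annotations/" + strings.ReplaceAll(patchedAnnotation, "/", "~1"), "patched"}), nil
}

// Constructed sample: a pod that was already mutated and now receives an
// ephemeral debug container that names the upstream image.
const samplePod = `{"metadata": {"name": "test-pod", "annotations": {"zarf.dev/agent": "patched"}},
 "spec": {"containers": [{"name": "app", "image": "127.0.0.1:31999/library/nginx:1.25"}],
          "ephemeralContainers": [{"name": "debugger-x7k2p", "image": "busybox"}]}}`

func main() {
	for _, sub := range []string{"", "ephemeralcontainers"} {
		ops, err := mutatePod("127.0.0.1:31999", sub, []byte(samplePod))
		if err != nil {
			panic(err)
		}
		fmt.Printf("subresource=%q -> %d patch op(s): %+v\n", sub, len(ops), ops)
	}
}
```

For the handler to ever see such a request, the MutatingWebhookConfiguration rule also has to list `pods/ephemeralcontainers` in its resources with the UPDATE operation (the first point above); the API server then sets the admission request's `subResource` to `ephemeralcontainers`, which is what the dispatch in `mutatePod` keys on. Running the sample pod through both paths shows the difference: the pod object yields no patch because of its annotation, while the ephemeral-container update yields one `replace` on `/spec/ephemeralContainers/0/image`.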