Tugger
What does Tugger do?
Tugger is a Kubernetes admission webhook that enforces pulling Docker images from a private registry.
Prerequisites
Kubernetes 1.9.0 or above with the admissionregistration.k8s.io/v1beta1 API enabled. Verify this with the following command:
kubectl api-versions | grep admissionregistration.k8s.io/v1beta1
The result should be:
admissionregistration.k8s.io/v1beta1
In addition, the MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controllers should be added and listed in the correct order in the admission-control flag of kube-apiserver.
Build and Push Tugger Docker Image
# Build docker image
docker build -t jainishshah17/tugger:latest .
# Push it to Docker Registry
docker push jainishshah17/tugger:latest
Create Kubernetes Docker registry secret
# Create a Docker registry secret called 'regsecret'
kubectl create secret docker-registry regsecret --docker-server=${DOCKER_REGISTRY} --docker-username=${DOCKER_USER} --docker-password=${DOCKER_PASS} --docker-email=${DOCKER_EMAIL}
Note: Create the Docker registry secret in each non-whitelisted namespace.
Generate TLS Certs for Tugger
./tls/gen-cert.sh
Get CA Bundle
./webhook/webhook-patch-ca-bundle.sh
Deploy Tugger to Kubernetes
- Deploy using kubectl
# Run deployment
kubectl create -f deployment/tugger-deployment.yaml
# Create service
kubectl create -f deployment/tugger-svc.yaml
- Deploy using Helm Chart
helm install --name tugger --set docker.registrySecret=regsecret,docker.registryUrl=jainishshah17,whitelistNamespaces="kube-system,default" chart/tugger/
Configure MutatingAdmissionWebhook and ValidatingAdmissionWebhook
Note: Replace ${CA_BUNDLE} with the value generated by running ./webhook/webhook-patch-ca-bundle.sh
# Configure MutatingAdmissionWebhook
kubectl create -f webhook/tugger-mutating-webhook-configuration.yaml
Note: Use MutatingAdmissionWebhook only if you want to enforce pulling of Docker images from a private Docker registry, e.g. JFrog Artifactory. If your container image is nginx, Tugger will prepend REGISTRY_URL to it, e.g. nginx will become jainishshah17/nginx.
# Configure ValidatingWebhookConfiguration
kubectl create -f webhook/tugger-validating-webhook-configuration.yaml
Note: Use ValidatingAdmissionWebhook only if you want to check that Docker images are pulled from a private Docker registry, e.g. JFrog Artifactory. If your container image does not contain REGISTRY_URL, Tugger will deny the request to run that pod.
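The two notes above describe the same check with two outcomes: the mutating webhook rewrites an image that does not carry the registry prefix, the validating webhook denies it. The following is an added illustration of that decision logic, not Tugger's own code: it assumes the registry prefix is compared with a plain string-prefix check, that the whitelisted namespaces are exempt from both paths, and it leaves out the imagePullSecrets handling that a real webhook using the registry secret would also need.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// PatchOp is one RFC 6902 JSON Patch operation; a mutating webhook returns a JSON-encoded list of these.
type PatchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value string `json:"value"`
}

// Mutate is the MutatingAdmissionWebhook path: for a pod outside the whitelisted
// namespaces, each container image (in spec order) that does not already start
// with registryURL is rewritten to registryURL/<image>. nil means "admit unchanged".
func Mutate(namespace string, images []string, registryURL string, whitelist map[string]bool) []PatchOp {
	if whitelist[namespace] {
		return nil
	}
	var ops []PatchOp
	for i, img := range images {
		if !strings.HasPrefix(img, registryURL+"/") {
			ops = append(ops, PatchOp{"replace", fmt.Sprintf("/spec/containers/%d/image", i), registryURL + "/" + img})
		}
	}
	return ops
}

// Validate is the ValidatingAdmissionWebhook path: deny the pod if any image in
// a non-whitelisted namespace is not pulled from registryURL.
func Validate(namespace string, images []string, registryURL string, whitelist map[string]bool) (bool, string) {
	if whitelist[namespace] {
		return true, ""
	}
	for _, img := range images {
		if !strings.HasPrefix(img, registryURL+"/") {
			return false, "Image is not being pulled from Private Registry: " + img
		}
	}
	return true, ""
}

// PatchJSON encodes the patch as it is placed in the admission response.
func PatchJSON(ops []PatchOp) string {
	b, _ := json.Marshal(ops) // only string fields, so Marshal cannot fail
	return string(b)
}
```

With registryURL set to jainishshah17 and the chart's default whitelist of kube-system and default, an nginx pod in the nginx namespace yields a single replace patch to jainishshah17/nginx on the mutating path and a denial on the validating path.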
Test Tugger
# Deploy nginx
kubectl apply -f test/nginx.yaml
# Tugger Output
2019/01/27 20:57:24 AdmissionReview Namespace is: nginx
2019/01/27 20:57:24 Container Image is nginx
2019/01/27 20:57:24 Image is not being pulled from Private Registry: nginx
2019/01/27 20:57:24 Changing image registry to: jainishshah17/nginx