Shah Jainish
2 min readJan 27, 2019

What does Tugger do?

Tugger is Kubernetes Admission webhook to enforce pulling of Docker images from the private registry.


Kubernetes 1.9.0 or above with the admissionregistration.k8s.io/v1beta1 API enabled. Verify that by the following command:

kubectl api-versions | grep admissionregistration.k8s.io/v1beta1

The result should be:


In addition, the MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controllers should be added and listed in the correct order in the admission-control flag of kube-apiserver.

Tugger Source Repository

Build and Push Tugger Docker Image

# Build docker image
docker build -t jainishshah17/tugger:latest .
# Push it to Docker Registry
docker push jainishshah17/tugger:latest

Create Kubernetes Docker registry secret

# Create a Docker registry secret called 'regsecret'
kubectl create secret docker-registry regsecret --docker-server=${DOCKER_REGISTRY} --docker-username=${DOCKER_USER} --docker-password=${DOCKER_PASS} --docker-email=${DOCKER_EMAIL}

Note: Create Docker registry secret in each non-whitelisted namespaces.

Generate TLS Certs for Tugger


Get CA Bundle


Deploy Tugger to Kubernetes

  • Deploy using kubectl
# Run deployment
kubectl create -f deployment/tugger-deployment.yaml
# Create service
kubectl create -f deployment/tugger-svc.yaml
  • Deploy using Helm Chart
helm install --name tugger --set docker.registrySecret=regsecret,docker.registryUrl=jainishshah17,whitelistNamespaces="kube-system,default" chart/tugger/

Configure MutatingAdmissionWebhook and ValidatingAdmissionWebhook

Note: Replace ${CA_BUNDLE} with value generated by running ./webhook/webhook-patch-ca-bundle.sh

# Configure MutatingAdmissionWebhook
kubectl create -f webhook/tugger-mutating-webhook-configuration.yaml

Note: Use MutatingAdmissionWebhook only if you want to enforce pulling of docker image from Private Docker Registry e.g JFrog Artifactory. If your container image is nginx then Tugger will append REGISTRY_URL to it. e.g nginx will become jainishshah17/nginx

# Configure ValidatingWebhookConfiguration
kubectl create -f webhook/tugger-validating-webhook-configuration.yaml

Note: Use MutatingAdmissionWebhook only if you want to check pulling of docker image from Private Docker Registry e.g JFrog Artifactory. If your container image does not contain REGISTRY_URL then Tugger will deny request to run that pod.

Test Tugger

# Deploy nginx 
kubectl apply -f test/nginx.yaml
# Tugger Output
2019/01/27 20:57:24 AdmissionReview Namespace is: nginx
2019/01/27 20:57:24 Container Image is nginx
2019/01/27 20:57:24 Image is not being pulled from Private Registry: nginx
2019/01/27 20:57:24 Changing image registry to: jainishshah17/nginx



Shah Jainish

I’m a Software Developer. I am passionate about SAAS Solutions and Container Orchestration tools like DC/OS, Kubernetes, RedHat OpenShift, Docker Swarm.