Tugger

Shah Jainish
Jan 27, 2019

What does Tugger do?

Tugger is a Kubernetes admission webhook that enforces pulling Docker images from a private registry.

Prerequisites

Kubernetes 1.9.0 or above with the admissionregistration.k8s.io/v1beta1 API enabled. Verify this with the following command:

kubectl api-versions | grep admissionregistration.k8s.io/v1beta1

The result should be:

admissionregistration.k8s.io/v1beta1

In addition, the MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controllers should be added and listed in the correct order in the admission-control flag of kube-apiserver.

Tugger Source Repository

Build and Push Tugger Docker Image

# Build docker image
docker build -t jainishshah17/tugger:latest .
# Push it to Docker Registry
docker push jainishshah17/tugger:latest

Create Kubernetes Docker registry secret

# Create a Docker registry secret called 'regsecret'
kubectl create secret docker-registry regsecret --docker-server=${DOCKER_REGISTRY} --docker-username=${DOCKER_USER} --docker-password=${DOCKER_PASS} --docker-email=${DOCKER_EMAIL}

Note: Create the Docker registry secret in each non-whitelisted namespace.

Generate TLS Certs for Tugger

./tls/gen-cert.sh

Get CA Bundle

./webhook/webhook-patch-ca-bundle.sh

Deploy Tugger to Kubernetes

  • Deploy using kubectl
# Run deployment
kubectl create -f deployment/tugger-deployment.yaml
# Create service
kubectl create -f deployment/tugger-svc.yaml
  • Deploy using Helm Chart
helm install --name tugger --set docker.registrySecret=regsecret,docker.registryUrl=jainishshah17,whitelistNamespaces="kube-system,default" chart/tugger/

Configure MutatingAdmissionWebhook and ValidatingAdmissionWebhook

Note: Replace ${CA_BUNDLE} with the value generated by running ./webhook/webhook-patch-ca-bundle.sh

# Configure MutatingAdmissionWebhook
kubectl create -f webhook/tugger-mutating-webhook-configuration.yaml

Note: Use MutatingAdmissionWebhook only if you want to enforce pulling Docker images from a private Docker registry, e.g. JFrog Artifactory. If your container image is nginx, Tugger will prepend REGISTRY_URL to it, e.g. nginx will become jainishshah17/nginx.

# Configure ValidatingWebhookConfiguration
kubectl create -f webhook/tugger-validating-webhook-configuration.yaml

Note: Use ValidatingAdmissionWebhook only if you want to check that Docker images are pulled from a private Docker registry, e.g. JFrog Artifactory. If your container image does not contain REGISTRY_URL, Tugger will deny the request to run that pod.
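
The decision the two webhook modes make, shown as an added Go example (not Tugger's own code): the same registry check yields either a JSON Patch (mutating) or a list of images to deny (validating). The names PatchOp, fromRegistry and Review are hypothetical, the registry value is assumed to have no trailing slash, and the rewrite rule mirrors the nginx to jainishshah17/nginx behaviour described above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// PatchOp is one RFC 6902 JSON Patch operation, the format a mutating webhook returns.
type PatchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value string `json:"value"`
}

// fromRegistry compares against "registry/" so a look-alike such as
// "jainishshah17evil/nginx" does not pass a bare prefix match.
func fromRegistry(image, registry string) bool {
	return strings.HasPrefix(image, registry+"/")
}

// Review (hypothetical helper) returns the patch the mutating mode would send and
// the images the validating mode would deny; whitelisted namespaces are skipped.
func Review(ns, registry string, whitelist, containers, initContainers []string) (patch []PatchOp, denied []string) {
	for _, w := range whitelist {
		if w == ns {
			return nil, nil
		}
	}
	check := func(field string, images []string) {
		for i, img := range images {
			if !fromRegistry(img, registry) {
				denied = append(denied, img)
				patch = append(patch, PatchOp{"replace", fmt.Sprintf("/spec/%s/%d/image", field, i), registry + "/" + img})
			}
		}
	}
	check("containers", containers)
	check("initContainers", initContainers) // init containers pull images too
	return patch, denied
}

func main() {
	// Constructed sample pod: a public image, a look-alike prefix, a compliant image.
	patch, denied := Review("nginx", "jainishshah17", []string{"kube-system", "default"},
		[]string{"nginx", "jainishshah17evil/nginx", "jainishshah17/redis"}, []string{"busybox"})
	out, _ := json.Marshal(patch)
	fmt.Printf("deny: %v\npatch: %s\n", denied, out)
}
```

Note that pods in whitelisted namespaces bypass the check entirely, so the whitelist itself is part of the policy to review.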

Test Tugger

# Deploy nginx 
kubectl apply -f test/nginx.yaml
# Tugger Output
2019/01/27 20:57:24 AdmissionReview Namespace is: nginx
2019/01/27 20:57:24 Container Image is nginx
2019/01/27 20:57:24 Image is not being pulled from Private Registry: nginx
2019/01/27 20:57:24 Changing image registry to: jainishshah17/nginx
