A Kubernetes Mutating Webhook to automatically re-point pod images to mirrors

Overview


kubernetes-mimic

Kubernetes Mimic is a Mutating Webhook that will watch for pod creation and update events in a Kubernetes cluster and automatically adjust their container images to pull from an image mirror as opposed to upstream servers.

It aims to make using an internal image mirror simple and hassle-free. It can even auto-discover configured repository mirrors from Harbor.

This project is still in its early stages, and as such, documentation is less than ideal.

Integrations

Currently Mimic can only integrate with Harbor for auto-discovery of Proxy Cache projects. When this integration is enabled, Mimic watches for pods being created with an image pulled from a source that is also available as a public Proxy Cache in Harbor, and rewrites the image reference so that the image is pulled from the Harbor cache instead.

There are plans to also support Artifactory. Any other desired integrations should be requested by opening an issue.
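The rewrite that the two sections above describe is, at its core, a JSON patch over the pod's container image fields. The following is an added example written for this README, not Mimic's own code: it normalizes an image reference to its registry host (Docker Hub shorthand such as "nginx" becomes docker.io/library/nginx, the same rule the Docker reference grammar applies), looks the host up in a constructed mirror map (the real mimic-mirrors ConfigMap format is not shown on this page, so the map shape here is an assumption), and emits the JSON patch and AdmissionReview response a mutating webhook would return. The mirror hostnames and the sample pod are constructed for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// MirrorConfig maps an upstream registry host to the mirror prefix that
// replaces it. Constructed for this example; it is an assumption, not the
// layout of Mimic's ConfigMap.
type MirrorConfig map[string]string

// Minimal pod shape so the example runs without k8s.io/api.
type container struct {
	Name  string `json:"name"`
	Image string `json:"image"`
}
type podSpec struct {
	InitContainers []container `json:"initContainers"`
	Containers     []container `json:"containers"`
}
type pod struct {
	Spec podSpec `json:"spec"`
}

// patchOp is one RFC 6902 JSON patch operation.
type patchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value string `json:"value"`
}

// splitImageRef returns the registry host and the remaining path of an
// image reference. A first path component counts as a host only if it
// contains a dot or a colon or is "localhost"; otherwise the reference is
// Docker Hub shorthand and normalizes to docker.io (with "library/" added
// for single-component names).
func splitImageRef(ref string) (host, rest string) {
	i := strings.Index(ref, "/")
	if i == -1 {
		return "docker.io", "library/" + ref
	}
	first := ref[:i]
	if !strings.ContainsAny(first, ".:") && first != "localhost" {
		return "docker.io", ref
	}
	return first, ref[i+1:]
}

// rewriteImage re-points ref at the configured mirror for its host. A
// reference whose host is not in cfg (including one that already points at
// the mirror) is returned unchanged with false.
func rewriteImage(cfg MirrorConfig, ref string) (string, bool) {
	host, rest := splitImageRef(ref)
	mirror, ok := cfg[host]
	if !ok {
		return ref, false
	}
	return mirror + "/" + rest, true
}

// buildPatch computes replace operations for every init container and
// container whose image is served by a configured mirror.
func buildPatch(cfg MirrorConfig, rawPod []byte) ([]patchOp, error) {
	var p pod
	if err := json.Unmarshal(rawPod, &p); err != nil {
		return nil, err
	}
	var ops []patchOp
	add := func(base string, list []container) {
		for i, c := range list {
			if newRef, changed := rewriteImage(cfg, c.Image); changed {
				ops = append(ops, patchOp{"replace", fmt.Sprintf("%s/%d/image", base, i), newRef})
			}
		}
	}
	add("/spec/initContainers", p.Spec.InitContainers)
	add("/spec/containers", p.Spec.Containers)
	return ops, nil
}

// admissionResponse wraps the patch in an admission.k8s.io/v1 AdmissionReview
// response; the patch is base64-encoded as the API server expects.
func admissionResponse(uid string, ops []patchOp) ([]byte, error) {
	resp := map[string]interface{}{"uid": uid, "allowed": true}
	if len(ops) > 0 {
		b, err := json.Marshal(ops)
		if err != nil {
			return nil, err
		}
		resp["patchType"] = "JSONPatch"
		resp["patch"] = base64.StdEncoding.EncodeToString(b)
	}
	return json.Marshal(map[string]interface{}{
		"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp,
	})
}

// SamplePod is a constructed pod manifest used as input below.
const SamplePod = `{"spec":{"initContainers":[{"name":"init","image":"busybox:1.36"}],
"containers":[{"name":"web","image":"nginx:1.25"},{"name":"side","image":"ghcr.io/example/tool:1.0"}]}}`

func main() {
	cfg := MirrorConfig{"docker.io": "harbor.example.internal/dockerhub-proxy"}
	ops, _ := buildPatch(cfg, []byte(SamplePod))
	out, _ := admissionResponse("constructed-uid", ops)
	fmt.Println(string(out))
}
```

Only the docker.io images are touched; the ghcr.io image has no mirror configured and is left alone, and running the same patch twice is a no-op because the rewritten host is not itself a key in the map.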

Image building

Mimic can be built into a Docker image using all of the normal techniques. Assuming you want a Linux AMD64 Docker image, you can build it with the following command from the base of the repository.

docker build -t mimic:latest .

Deployment

Currently the deployment is manual, and there are example manifests in the manifests folder. As the project matures, the deployment of Mimic will be handled via Helm ( #14 ).

The process is as follows:

  1. Create a Kubernetes Namespace to deploy Mimic into:

     kubectl apply -f ./deploy/manifests/namespace

  2. Generate the TLS certificates used for communication between the Kubernetes API server and the webhook. Please note that this script presently has no provisions for setting the context or kubeconfig location:

     ./deploy/scripts/webhook-create-signed-cert.sh --service mimic --secret mimic-certs --namespace mimic

  3. Add the CA bundle for the generated certificate to the mutating webhook configuration. Please note that this script presently has no provisions for setting the context or kubeconfig location:

     ./deploy/scripts/webhook-patch-ca-bundle.sh ./deploy/manifests/templates/mutatingwebhookconfiguration.yaml ./deploy/manifests/mutatingwebhookconfiguration-cabundle.yaml

  4. Deploy the rest of the required resources:

     kubectl apply -f ./deploy/manifests

Configuration

Mimic accepts its configuration via environment variables.

| Variable | Default | Description |
| --- | --- | --- |
| MIMIC_LISTENPORT | 8443 | What port the Mimic API server should listen on |
| MIMIC_LISTENHOST | "0.0.0.0" | What host the Mimic API server should listen on |
| MIMIC_LOGLEVEL | "info" | What level Mimic should log at. Valid options are trace, debug, info, warn, error, fatal and panic |
| MIMIC_LOGFORMAT | "text" | What format the logs should be rendered in. Valid options are text, json |
| MIMIC_CERTIFICATE_SOURCE | kubernetes | Where to load TLS certificates from. Currently the only valid option is "kubernetes", which loads the TLS certificates from a Kubernetes Secret |
| MIMIC_WATCHMIRRORS | true | Whether sources should be watched for updates and new mirrors automatically. Sources that support watching can also be toggled individually |
| MIMIC_KUBERNETES_ENABLED | true | Whether the Kubernetes integration should be enabled |
| MIMIC_KUBERNETES_NAMESPACE | "" | What Namespace Mimic should look for its resources in. If this is not specified, Mimic will attempt to auto-discover the namespace it is running in |
| MIMIC_KUBERNETES_CERTSECRET | "mimic-certs" | The name of the Kubernetes Secret that holds the TLS certificates for the webhook server |
| MIMIC_KUBERNETES_CONFIGMAP | "mimic-mirrors" | The name of the Kubernetes ConfigMap that holds the mirror configuration. Please see the example ConfigMap |
| MIMIC_KUBERNETES_WATCH | true | Whether Mimic should watch the ConfigMap and pull in changes automatically, as opposed to requiring an application restart to load new changes |
| MIMIC_HARBOR_ENABLED | false | Whether Mimic should attempt to auto-discover Docker mirrors configured within a Harbor installation |
| MIMIC_HARBOR_API_HOST | "" | Hostname that Mimic should use for communication with the Harbor API |
| MIMIC_HARBOR_REGISTRYURL | "" | Hostname that Harbor serves its repository mirrors from. If this is left blank, Mimic will attempt to auto-discover it from the Harbor API |
| MIMIC_HARBOR_ROBOT_USERNAME | "" | Robot account username from Harbor. Needed to auto-discover the registry URL from the Harbor API |
| MIMIC_HARBOR_ROBOT_PASSWORD | "" | Robot account password from Harbor. Needed to auto-discover the registry URL from the Harbor API |

Testing

If you have Docker installed, you can deploy Mimic into a KinD cluster with:

go run mage.go deploy

and you can then clean everything up with:

go run mage.go clean

If you install mage, you can execute the targets directly with:

mage deploy and mage clean

Feel free to check out the other targets with:

mage -l

Comments
  • Move from minikube to something like KinD

    Using Minikube means that in order to test you must have both Docker and Minikube set up. Switching to something like KinD or k3d or such will allow testing with only a single dependency (Docker).

    opened by cryptk 0
  • Add ability to ignore certain pods

    A few criteria to ignore a pod:

    • pod is deploying to a configurable list of ignored namespaces (maybe kube-system?)
    • pod is deploying to a namespace with an ignore annotation
    • pod has an ignore annotation

    opened by cryptk 0
  • Use the client-go tool/watch/Until method to watch for events

    Currently if the event watcher hits a timeout or other error, it will not re-establish the watch. We should use https://pkg.go.dev/k8s.io/[email protected]/tools/watch#Until instead so that we can recover from these situations.

    good first issue
    opened by cryptk 0
  • Look into using OPA cert-controller to manage creation/rotation of SSL certificates

    This should ideally be implemented as another certificate source named "builtin" and it should become the default deployment option. The "kubernetes" certificate source should remain though for users who would like to deploy their certificates from something like cert-manager as opposed to having them auto-managed by Mimic itself.

    opened by cryptk 0