A Kubernetes Mutating Webhook to automatically re-point pod images to mirrors

kubernetes-mimic

Kubernetes Mimic is a Mutating Webhook that watches for pod creation and update events in a Kubernetes cluster and automatically adjusts their container images so that they are pulled from an image mirror instead of the upstream registries.

It aims to make using an internal image mirror simple and hassle-free. It can even auto-discover configured repository mirrors from Harbor.

This project is still in its early stages, and as such, documentation is less than ideal.

Integrations

Currently Mimic can only integrate with Harbor, for auto-discovery of Proxy Cache projects. When this integration is enabled, Mimic watches for pods being created with an image that is pulled from a source which is also available as a public Proxy Cache in Harbor, and updates the image reference as necessary so that the image is pulled from the Harbor cache instead.

There are plans to also support Artifactory. Any other desired integrations should be requested by opening an issue.
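To make the mutation described above concrete, here is an added illustration (not kubernetes-mimic's own code) of the core rewrite: match an image reference's registry host against a map of mirrors and emit the RFC 6902 JSON Patch operations an admission webhook would return to the API server. The mirror map format, the Harbor proxy project names and the sample images are assumptions constructed for the example; the project's real ConfigMap layout is the one in its example configmap. Two points a reviewer of such a webhook cares about are kept deliberately: the registry host is matched exactly (so a host that merely shares a prefix with a mirrored one is left alone), and the tag or digest is carried over unchanged, so a digest-pinned image stays pinned after the rewrite.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// mirrorMap maps an upstream registry host to the mirror prefix that serves it.
// This layout is an assumption for the example, not kubernetes-mimic's ConfigMap format.
type mirrorMap map[string]string

// patchOp is one RFC 6902 JSON Patch operation, the form a mutating admission
// webhook returns to the API server in its AdmissionReview response.
type patchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value string `json:"value"`
}

// splitRegistry splits an image reference into registry host and remainder,
// applying the usual Docker defaults: a first path component with no dot,
// colon or "localhost" is not a host (so the registry is docker.io), and a
// bare repository with no slash lives under library/.
func splitRegistry(image string) (registry, rest string) {
	parts := strings.SplitN(image, "/", 2)
	if len(parts) == 2 && (strings.ContainsAny(parts[0], ".:") || parts[0] == "localhost") {
		return parts[0], parts[1]
	}
	if !strings.Contains(image, "/") {
		return "docker.io", "library/" + image
	}
	return "docker.io", image
}

// rewriteImage returns the mirrored reference for image and true, or the
// image unchanged and false when no mirror is configured for its registry.
// The tag or digest suffix travels with the remainder, so it is preserved.
func rewriteImage(image string, mirrors mirrorMap) (string, bool) {
	registry, rest := splitRegistry(image)
	mirror, ok := mirrors[registry] // exact host match only
	if !ok {
		return image, false
	}
	return mirror + "/" + rest, true
}

// buildPatch walks the images of a pod's containers and initContainers and
// emits a replace operation only for those that map to a mirror.
func buildPatch(containers, initContainers []string, mirrors mirrorMap) []patchOp {
	var ops []patchOp
	add := func(path string, images []string) {
		for i, img := range images {
			if mirrored, changed := rewriteImage(img, mirrors); changed {
				ops = append(ops, patchOp{
					Op:    "replace",
					Path:  fmt.Sprintf("%s/%d/image", path, i),
					Value: mirrored,
				})
			}
		}
	}
	add("/spec/containers", containers)
	add("/spec/initContainers", initContainers)
	return ops
}

func main() {
	// Constructed sample configuration: two Harbor proxy-cache projects.
	mirrors := mirrorMap{
		"docker.io": "harbor.example.internal/dockerhub-proxy",
		"quay.io":   "harbor.example.internal/quay-proxy",
	}
	// Constructed sample pod images; the digest below is a placeholder value.
	ops := buildPatch(
		[]string{"nginx:1.25", "quay.io/prometheus/node-exporter@sha256:0000000000000000000000000000000000000000000000000000000000000000"},
		[]string{"ghcr.io/org/init:latest"}, // no mirror configured: left untouched
		mirrors,
	)
	b, _ := json.MarshalIndent(ops, "", "  ")
	fmt.Println(string(b))
}
```

Running the block prints two replace operations (the docker.io and quay.io images) and none for the ghcr.io init container. A real webhook would base64-encode this patch into the AdmissionReview response with patchType JSONPatch; that wrapping is omitted here.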

Image building

Mimic can be built into a Docker image using all of the normal techniques. Assuming you want a Linux AMD64 Docker image, you can build it with the following command from the base of the repository:

docker build -t mimic:latest .

Deployment

Currently the deployment is manual, and there are example manifests in the manifests folder. As the project matures, the deployment of Mimic will be handled via Helm (#14).

The process is as follows:

  1. Create a Kubernetes Namespace to deploy Mimic into:

kubectl apply -f ./deploy/manifests/namespace

  2. Generate the TLS certificates used for communication between the Kubernetes API server and the webhook. Please note that this script presently has no provisions for setting the context or kubeconfig location:

./deploy/scripts/webhook-create-signed-cert.sh --service mimic --secret mimic-certs --namespace mimic

  3. Add the CA bundle for the generated certificate to the mutating webhook configuration. Please note that this script presently has no provisions for setting the context or kubeconfig location:

./deploy/scripts/webhook-patch-ca-bundle.sh ./deploy/manifests/templates/mutatingwebhookconfiguration.yaml ./deploy/manifests/mutatingwebhookconfiguration-cabundle.yaml

  4. Deploy the rest of the required resources:

kubectl apply -f ./deploy/manifests

Configuration

Mimic accepts its configuration via environment variables.

Variable | Default | Description
MIMIC_LISTENPORT | 8443 | Port the Mimic API server listens on
MIMIC_LISTENHOST | "0.0.0.0" | Host the Mimic API server listens on
MIMIC_LOGLEVEL | "info" | Level Mimic logs at. Valid options are trace, debug, info, warn, error, fatal and panic
MIMIC_LOGFORMAT | "text" | Format the logs are rendered in. Valid options are text and json
MIMIC_CERTIFICATE_SOURCE | kubernetes | Where to load TLS certificates from. Currently the only valid option is "kubernetes", which loads the TLS certificates from a Kubernetes Secret
MIMIC_WATCHMIRRORS | true | Whether sources are watched for updates and new mirrors automatically. Sources that support watching can also be toggled individually
MIMIC_KUBERNETES_ENABLED | true | Whether the Kubernetes integration is enabled
MIMIC_KUBERNETES_NAMESPACE | "" | Namespace Mimic looks for its resources in. If this is not specified, Mimic attempts to autodiscover the namespace it is running in
MIMIC_KUBERNETES_CERTSECRET | "mimic-certs" | Name of the Kubernetes Secret that holds the TLS certificates for the webhook server
MIMIC_KUBERNETES_CONFIGMAP | "mimic-mirrors" | Name of the Kubernetes ConfigMap that holds the mirror configuration. Please see the example configmap
MIMIC_KUBERNETES_WATCH | true | Whether Mimic watches the ConfigMap and pulls in changes automatically, as opposed to requiring an application restart to load new changes
MIMIC_HARBOR_ENABLED | false | Whether Mimic attempts to auto-discover Docker mirrors configured within a Harbor installation
MIMIC_HARBOR_API_HOST | "" | Hostname Mimic uses for communication with the Harbor API
MIMIC_HARBOR_REGISTRYURL | "" | Hostname Harbor serves its repository mirrors from. If this is left blank, Mimic attempts to autodiscover it from the Harbor API
MIMIC_HARBOR_ROBOT_USERNAME | "" | Robot account username from Harbor. Needed to autodiscover the Registry URL from the Harbor API
MIMIC_HARBOR_ROBOT_PASSWORD | "" | Robot account password from Harbor. Needed to autodiscover the Registry URL from the Harbor API

Testing

If you have Docker installed, you can deploy Mimic into a KinD cluster pretty easily with:

go run mage.go deploy

and you can then clean everything up with:

go run mage.go clean

If you install mage, you can execute the targets directly with:

mage deploy

mage clean

Feel free to check out the other targets with:

mage -l
