Digester webhook package

Package for the digester Kubernetes mutating admission webhook.

The digester mutating admission webhook resolves tags to digests for container and init container images in Kubernetes CronJob, Pod and Pod template specs.

Preparing for deployment

The digester webhook requires Kubernetes v1.16 or later.

If you use Google Kubernetes Engine (GKE), grant yourself the cluster-admin Kubernetes cluster role:

kubectl create clusterrolebinding cluster-admin-binding \
    --clusterrole cluster-admin \
    --user "$(gcloud config get core/account)"

To configure how the webhook authenticates to your container image registries, see the documentation on Authenticating to container image registries.

If you use a private GKE cluster, see additional steps for creating a firewall rule.

Deploying the webhook using kustomize

  1. Install kustomize.

  2. Apply this package:

    VERSION=v0.1.15
    kustomize build "https://github.com/google/k8s-digester.git/manifests?ref=$VERSION" | kubectl apply -f -

  3. Add the digest-resolution: enabled label to namespaces where you want the webhook to resolve tags to digests:

    kubectl label namespace [NAMESPACE] digest-resolution=enabled

Deploying the webhook using kpt

  1. Install kpt v1.0.0-beta.1 or later.

  2. Fetch this package:

    VERSION=v0.1.15
    kpt pkg get "https://github.com/google/k8s-digester.git/manifests@${VERSION}" manifests

  3. Set up inventory tracking for the package:

    kubectl create namespace digester-system
    kpt live init manifests
  4. Apply the package:

    kpt live apply manifests --reconcile-timeout=3m --output=table

  5. Add the digest-resolution: enabled label to namespaces where you want the webhook to resolve tags to digests:

    kubectl label namespace [NAMESPACE] digest-resolution=enabled
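
To confirm the webhook is taking effect after labelling a namespace with either procedure, the following added example (not part of the digester project) lists the container and init container images of the Pods in a namespace and reports any that are not pinned by a sha256 digest. The function names and sample image references are constructed for illustration; Pods admitted before the label was applied are not mutated and will be reported as unpinned.

```sh
#!/bin/sh
# Added example, not from the digester project. Function names are hypothetical.
# Usage after sourcing this file: check_namespace [NAMESPACE]

# Print the spec images (init containers and containers) of every Pod in
# namespace $1, one per line.
list_pod_images() {
    kubectl get pods --namespace "$1" --output \
        jsonpath='{range .items[*]}{range .spec.initContainers[*]}{.image}{"\n"}{end}{range .spec.containers[*]}{.image}{"\n"}{end}{end}'
}

# Read image references on stdin; print, de-duplicated, those that do not
# end in a well-formed sha256 digest (64 lowercase hex characters).
unpinned_images() {
    grep -v '^[[:space:]]*$' | grep -Ev '@sha256:[0-9a-f]{64}$' | sort -u
}

# Return 0 if every image is pinned, 1 if any is not, 2 if kubectl failed.
# A kubectl failure is reported separately so it is never read as a pass.
check_namespace() {
    cn_images="$(list_pod_images "$1")" || {
        echo "could not list pods in namespace $1" >&2
        return 2
    }
    cn_unpinned="$(printf '%s\n' "$cn_images" | unpinned_images)"
    if [ -n "$cn_unpinned" ]; then
        printf 'images not pinned by digest in %s:\n%s\n' "$1" "$cn_unpinned" >&2
        return 1
    fi
    echo "all images in $1 are pinned by digest"
}

# Constructed sample input (registry.example and the digests are made up).
sample_images() {
    cat <<'EOF'
registry.example/app:1.0
registry.example/app@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
registry.example/init:latest@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
registry.example/app:1.0
registry.example/tool@sha256:abc123
EOF
}
```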