This repository has been archived by the owner on Feb 16, 2020. It is now read-only.
forked from jainishshah17/tugger

Kubernetes Admission Webhook to enforce pulling of Docker images from the private registry.


jfrog/tugger

 
 

Tugger

What does Tugger do?

Tugger is a Kubernetes admission webhook that enforces pulling Docker images from a private registry.

Prerequisites

Kubernetes 1.9.0 or above with the admissionregistration.k8s.io/v1beta1 API enabled. Verify this with the following command:

kubectl api-versions | grep admissionregistration.k8s.io/v1beta1

The result should be:

admissionregistration.k8s.io/v1beta1

In addition, the MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controllers should be added and listed in the correct order in the admission-control flag of kube-apiserver.

Build and Push Tugger Docker Image

# Build docker image
docker build -t jainishshah17/tugger:0.0.4 .

# Push it to Docker Registry
docker push jainishshah17/tugger:0.0.4

# Create a Docker registry secret called 'regsecret'
kubectl create secret docker-registry regsecret --docker-server="${DOCKER_REGISTRY}" --docker-username="${DOCKER_USER}" --docker-password="${DOCKER_PASS}" --docker-email="${DOCKER_EMAIL}"

Note: Create the Docker registry secret in each non-whitelisted namespace.

Generate TLS Certs for Tugger

./tls/gen-cert.sh

Get CA Bundle

./webhook/webhook-patch-ca-bundle.sh

Deploy Tugger to Kubernetes

  • Deploy using kubectl
# Run deployment
kubectl create -f deployment/tugger-deployment.yaml

# Create service
kubectl create -f deployment/tugger-svc.yaml
  • Deploy using Helm Chart
helm install --name tugger --set docker.registrySecret=regsecret,docker.registryUrl=jainishshah17,whitelistNamespaces="kube-system,default",whitelistRegistries="jainishshah17" chart/tugger/

Configure MutatingAdmissionWebhook and ValidatingAdmissionWebhook

Note: Replace ${CA_BUNDLE} with the value generated by running ./webhook/webhook-patch-ca-bundle.sh

# Configure MutatingAdmissionWebhook
kubectl create -f webhook/tugger-mutating-webhook-configuration.yaml 

Note: Use the MutatingAdmissionWebhook only if you want to enforce pulling Docker images from a private Docker registry, e.g. JFrog Artifactory. If your container image is nginx, Tugger will prepend REGISTRY_URL to it, e.g. nginx will become jainishshah17/nginx.

# Configure ValidatingWebhookConfiguration
kubectl create -f webhook/tugger-validating-webhook-configuration.yaml 

Note: Use the ValidatingAdmissionWebhook only if you want to check that Docker images are pulled from a private Docker registry, e.g. JFrog Artifactory. If your container image does not contain REGISTRY_URL, Tugger will deny the request to run that pod.
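
The two notes above describe a prefix rewrite (mutating) and an allow/deny check (validating) on the container image name. The sketch below is an added example of that logic, not Tugger's own code; the function names, the `prod` namespace and the rule that whitelisted namespaces skip the check are assumptions. It matches the registry on a "/" boundary so that a look-alike name is not accepted.

```go
package main

import (
	"fmt"
	"strings"
)

// fromRegistry reports whether image is under registry, matching on a "/"
// boundary so "jainishshah17evil/nginx" does not pass for "jainishshah17".
func fromRegistry(image, registry string) bool {
	return strings.HasPrefix(image, strings.TrimSuffix(registry, "/")+"/")
}

// mutate mirrors the mutating note: an image outside the registry gets the
// registry prefixed ("nginx" -> "jainishshah17/nginx").
func mutate(image, registry string) string {
	if fromRegistry(image, registry) {
		return image
	}
	return strings.TrimSuffix(registry, "/") + "/" + image
}

// validate mirrors the validating note: outside whitelisted namespaces
// (assumed exempt), every image must come from the registry or the pod is denied.
func validate(namespace string, images, whitelist []string, registry string) (bool, string) {
	for _, ns := range whitelist {
		if ns == namespace {
			return true, "namespace is whitelisted"
		}
	}
	for _, img := range images {
		if !fromRegistry(img, registry) {
			return false, fmt.Sprintf("image %q is not from %s", img, registry)
		}
	}
	return true, "all images are from the registry"
}

func main() {
	// Constructed sample input; registry and whitelist taken from the Helm example.
	registry, whitelist := "jainishshah17", []string{"kube-system", "default"}
	fmt.Println(mutate("nginx", registry))
	for _, img := range []string{"jainishshah17/nginx", "nginx", "jainishshah17evil/nginx"} {
		ok, why := validate("prod", []string{img}, whitelist, registry)
		fmt.Println(img, ok, why)
	}
}
```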

Test Tugger

# Deploy nginx 
kubectl apply -f test/nginx.yaml 
