Comments (4)
The embedded registry mirror functions only as a mirror. Your webhook would need to support mirrors, and in particular be able to pass the original registry namespace as a parameter to the registry API so that it knows what upstream registry (docker.io, ghcr.io, etc) to provide images for. Containerd and other packages that have first-class support for mirrors all do this.
As described at https://docs.k3s.io/installation/registry-mirror#authentication the embedded registry mirror also requires client certificate authentication. Your webhook would need a client certificate signed by the cluster client CA in order to connect.
I took a quick look at the vault docs and I couldn't find any references as to what they're using to inspect the images, or whether or not it supports mirrors. I suspect it does not currently support what you're trying to do. You might open an issue against their repo asking for:
- registry mirror support
- registry client certificate authentication support
from k3s.
The embedded registry mirror functions only as a mirror. Your webhook would need to support mirrors, and in particular be able to pass the original registry namespace as a parameter to the registry API so that it knows what upstream registry (docker.io, ghcr.io, etc) to provide images for. Containerd and other packages that have first-class support for mirrors all do this.
I'm not sure I got your point about "support mirrors"? This webhook just looks up the 'image' in the k8s object definition and tries to get metadata for it. The rationale for doing it is that it substitutes the entrypoint and/or command defined in the image by prefixing its own command. Let's say, the mutation de facto is command: "echo hello" -> command: "/vault/vault-env echo hello".
So, to achieve this it calls the /v2/* endpoint of the registry to get the manifest to extract the command or entrypoint.
As described at https://docs.k3s.io/installation/registry-mirror#authentication the embedded registry mirror also requires client certificate authentication. Your webhook would need a client certificate signed by the cluster client CA in order to connect.
So, did I read you correctly that the embedded mirror doesn't provide any kind of API and just provides the image as it is stored locally (pushed via ctr image load, for example)?
I took a quick look at the vault docs and I couldn't find any references as to what they're using to inspect the images, or whether or not it supports mirrors. I suspect it does not currently support what you're trying to do. You might open an issue against their repo asking for:
* registry mirror support
* registry client certificate authentication support
I've already put some details on how it works above, and actually some time ago I opened a ticket there with suggestions on how to make it more flexible in terms of handling registries.
But actually, I've found a workaround here. As I said, the only reason this webhook wants the manifest from the registry is to figure out the command/entrypoint to mutate it, so my workaround is to provide this data to it by adjusting the deployment templates, explicitly adding command there. And it worked :)
So, I guess this issue could be closed and thank you for looking at it!
from k3s.
I'm not sure I got your point about "support mirrors"? This webhook just looks up the 'image' in the k8s object definition and tries to get metadata for it.
So, to achieve this it calls the /v2/* endpoint of the registry to get the manifest to extract the command or entrypoint.
Yes, exactly. You would need to be able to tell it to use one or more mirror endpoints. So for example, instead of making a request to https://docker.io/v2/..., for an image on docker.io, it should try the mirror endpoint of https://mirror.example.com/v2/...?ns=docker.io. This is how mirror support works in containerd, docker, and other products that support container image registry mirroring.
If you have the ability to change all your pods so that it doesn't need to inspect the image, that sounds like a good workaround until mirror support is added.
from k3s.
Yes, exactly. You would need to be able to tell it to use one or more mirror endpoints. So for example, instead of making a request to https://docker.io/v2/..., for an image on docker.io, it should try the mirror endpoint of https://mirror.example.com/v2/...?ns=docker.io. This is how mirror support works in containerd, docker, and other products that support container image registry mirroring.
I guess, since it is an air-gapped environment there's no point in adding support for mirrors for this use case, because it should either have the ability to work with image files (unpack it, call some external command like docker inspect, dunno what else) or just have an option to get this metadata in some offline way (env/settings/you name it).
from k3s.
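The thread describes three mechanics without showing them: how a mirror-aware client rewrites a manifest request to a mirror with the `?ns=<upstream>` query (the containerd/k3s convention), how the k3s embedded mirror expects a client certificate signed by the cluster client CA, and how the webhook derives the container command from the image's Entrypoint/Cmd and why setting `command` in the pod spec removes the registry lookup. The following is an added example written for this page; it is not the webhook's or k3s's code. The image reference parsing follows the usual runtime rules, the `SAMPLE_IMAGE_CONFIG` and `SAMPLE_MIRRORS` values are constructed, the certificate paths are placeholders, and `/vault/vault-env` is taken from the mutation quoted above.

```python
"""Mirror-aware image lookup and command mutation (added example, not the webhook's own code)."""
import ssl
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode

DEFAULT_REGISTRY = "docker.io"


def parse_image_ref(image: str) -> Tuple[str, str, str]:
    """Split an image reference into (registry, repository, tag-or-digest).

    Follows the usual container-runtime rules: a digest after '@' wins over a
    tag, a tag is the last ':' after the last '/', the first path component
    is a registry only if it looks like a host, and bare Docker Hub names get
    the implicit 'library/' namespace.
    """
    if "@" in image:
        name, ref = image.split("@", 1)
    else:
        name, ref = image, "latest"
        slash, colon = image.rfind("/"), image.rfind(":")
        if colon > slash:
            name, ref = image[:colon], image[colon + 1:]
    parts = name.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, repo = parts[0], "/".join(parts[1:])
    else:
        registry, repo = DEFAULT_REGISTRY, name
    if registry == DEFAULT_REGISTRY and "/" not in repo:
        repo = "library/" + repo
    return registry, repo, ref


def manifest_urls(image: str, mirrors: Dict[str, List[str]]) -> List[str]:
    """Candidate manifest URLs in the order a mirror-aware client tries them.

    `mirrors` maps an upstream registry host (or "*" for all) to mirror hosts.
    Each mirror is asked with `?ns=<upstream>` so it knows which registry to
    serve, as described in the thread; the upstream host itself is the last
    fallback (real clients map docker.io to registry-1.docker.io at that point).
    """
    registry, repo, ref = parse_image_ref(image)
    path = f"/v2/{repo}/manifests/{ref}"
    urls = []
    for mirror in mirrors.get(registry, []) + mirrors.get("*", []):
        urls.append(f"https://{mirror}{path}?{urlencode({'ns': registry})}")
    urls.append(f"https://{registry}{path}")
    return urls


def client_tls_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """TLS context that presents a client certificate, which the k3s embedded
    mirror requires; the certificate must be signed by the cluster client CA.
    The three paths are placeholders the caller supplies."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def mutated_command(image_config: Optional[dict], pod_command: Optional[List[str]],
                    pod_args: Optional[List[str]], wrapper: str = "/vault/vault-env") -> List[str]:
    """Effective argv of the container with the wrapper prefixed.

    Kubernetes semantics: `command` replaces the image Entrypoint and, if set
    without `args`, also drops the image Cmd; `args` replaces the image Cmd.
    The image config is consulted only for fields the pod spec leaves unset,
    which is why setting `command` explicitly removes the registry lookup.
    """
    if pod_command is not None:
        argv = list(pod_command) + list(pod_args or [])
    else:
        if image_config is None:
            raise ValueError("image config needed: pod spec does not set command")
        cfg = image_config.get("config", {})
        argv = list(cfg.get("Entrypoint") or [])
        argv += list(pod_args if pod_args is not None else cfg.get("Cmd") or [])
    return [wrapper] + argv


# Constructed sample OCI image config (only the fields this code reads).
SAMPLE_IMAGE_CONFIG = {"config": {"Entrypoint": ["/bin/sh", "-c"], "Cmd": ["echo hello"]}}
# Constructed mirror map: docker.io images are fetched via a local mirror first.
SAMPLE_MIRRORS = {"docker.io": ["mirror.example.com"]}

if __name__ == "__main__":
    for url in manifest_urls("nginx:1.25", SAMPLE_MIRRORS):
        print("try", url)
    print(mutated_command(SAMPLE_IMAGE_CONFIG, None, None))
    print(mutated_command(None, ["echo", "hello"], None))
```

The last call shows the workaround from the thread: once `command` is set in the deployment template, `mutated_command` never touches the image config, so no manifest request (mirrored or not) is needed.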