Automatically Rewrite Container Image References in Kubernetes

https://github.com/flemzord/mutating-registry-webhook

10•flemzord•7mo ago

Comments

flemzord•7mo ago

I’ve developed a Kubernetes mutating admission webhook that intercepts Pod creation and update requests to automatically rewrite container image references based on configurable rules. This facilitates redirecting images from public registries (like Docker Hub, GCR, Quay.io) to internal mirrors or caches, enhancing reliability and security.

remram•7mo ago

I thought this was possible to do with CEL but it looks like this has barely reached alpha: https://kubernetes.io/docs/reference/access-authn-authz/muta...

Webhooks like yours will still be needed for a while (or programmable frameworks like Kyverno).

antonvs•7mo ago

How would this interact with IaC systems like ArgoCD - I imagine conflicts would be detected and ArgoCD would try to autosync to restore the cluster state to match the repo.

remram•7mo ago

I wonder if you can build this into your container runtime config instead. Automatically rewriting is nice but you will still see the rewritten image when reading from the API server.

compsciphd•7mo ago

what I came to say. There's no reason this shouldn't be in the container runtime.

I'm not the biggest fan of mutating webhooks (vs validating ones), due to the fact that what you set is no longer what you see.

Now, its "cute" to be able to do it this way and the mutating webhook does solve a real problem by acting as a "virtualization layer", but that only really works if you want a write only system (which IMO somewhat defeats the point of kubernetes).

Now it could be that such a tool is valuable to motivate the need for this functionality to be actually be a configurable option within the container runtime, and without such a tool we wouldn't be able to really demonstrate the need.

nonameiguess•7mo ago

You can do this with containerd registry mirrors. The syntax of the rewrite rules is even the same.

athorax•7mo ago

Yeah curious what the benefit would be here vs configuring containerd mirrors https://github.com/containerd/containerd/blob/main/docs/host...

I guess if you don't control the platform you are running on this is a way to do it in "userspace"

doctorpangloss•7mo ago

Of course, being able to deploy this inside of Kubernetes itself is a huge boon.

It was a mistake to make the image registry and its configuration hosted outside the cluster. It makes no sense. You should be able to configure containerd registries effortlessly from inside the cluster.

sscarduzio•7mo ago

Would this help in case of air gapped environments? You just run the registry in the internal network and use the rewrite. Am I right? Any catch?

Show HN: MCP to get latest dependency package and tool versions

The better you get at something, the harder it becomes to do

Show HN: WP Float – Archive WordPress blogs to free static hosting

Show HN: I Hacked My Family's Meal Planning with an App

Sony BMG copy protection rootkit scandal

The Future of Systems

NASA now allowing astronauts to bring their smartphones on space missions

Claude Code Is the Inflection Point

Show HN: MicroClaw – Agentic AI Assistant for Telegram, Built in Rust

Show HN: Omni-BLAS – 4x faster matrix multiplication via Monte Carlo sampling

The AI-Ready Software Developer: Conclusion – Same Game, Different Dice

AI Agent Automates Google Stock Analysis from Financial Reports

Voxtral Realtime 4B Pure C Implementation

I Was Trapped in Chinese Mafia Crypto Slavery [video]

U.S. CBP Reported Employee Arrests (FY2020 – FYTD)

Show HN: I built a free UCP checker – see if AI agents can find your store

Show HN: SVGV – A Real-Time Vector Video Format for Budget Hardware

Study of 150 developers shows AI generated code no harder to maintain long term

Spotify now requires premium accounts for developer mode API access

When Albert Einstein Moved to Princeton

Agents.md as a Dark Signal

System time, clocks, and their syncing in macOS

McCLIM and 7GUIs – Part 1: The Counter

So whats the next word, then? Almost-no-math intro to transformer models

Ed Zitron: The Hater's Guide to Microsoft

UK infants ill after drinking contaminated baby formula of Nestle and Danone

Show HN: Android-based audio player for seniors – Homer Audio Player

Starter Template for Ory Kratos

LLMs are powerful, but enterprises are deterministic by nature

Make your iPad 3 a touchscreen for your computer