Automatically Rewrite Container Image References in Kubernetes

https://github.com/flemzord/mutating-registry-webhook

10•flemzord•7mo ago

Comments

flemzord•7mo ago

I’ve developed a Kubernetes mutating admission webhook that intercepts Pod creation and update requests to automatically rewrite container image references based on configurable rules. This facilitates redirecting images from public registries (like Docker Hub, GCR, Quay.io) to internal mirrors or caches, enhancing reliability and security.

remram•7mo ago

I thought this was possible to do with CEL but it looks like this has barely reached alpha: https://kubernetes.io/docs/reference/access-authn-authz/muta...

Webhooks like yours will still be needed for a while (or programmable frameworks like Kyverno).

antonvs•7mo ago

How would this interact with IaC systems like ArgoCD - I imagine conflicts would be detected and ArgoCD would try to autosync to restore the cluster state to match the repo.

remram•7mo ago

I wonder if you can build this into your container runtime config instead. Automatically rewriting is nice but you will still see the rewritten image when reading from the API server.

compsciphd•7mo ago

what I came to say. There's no reason this shouldn't be in the container runtime.

I'm not the biggest fan of mutating webhooks (vs validating ones), due to the fact that what you set is no longer what you see.

Now, its "cute" to be able to do it this way and the mutating webhook does solve a real problem by acting as a "virtualization layer", but that only really works if you want a write only system (which IMO somewhat defeats the point of kubernetes).

Now it could be that such a tool is valuable to motivate the need for this functionality to be actually be a configurable option within the container runtime, and without such a tool we wouldn't be able to really demonstrate the need.

nonameiguess•7mo ago

You can do this with containerd registry mirrors. The syntax of the rewrite rules is even the same.

athorax•7mo ago

Yeah curious what the benefit would be here vs configuring containerd mirrors https://github.com/containerd/containerd/blob/main/docs/host...

I guess if you don't control the platform you are running on this is a way to do it in "userspace"

doctorpangloss•7mo ago

Of course, being able to deploy this inside of Kubernetes itself is a huge boon.

It was a mistake to make the image registry and its configuration hosted outside the cluster. It makes no sense. You should be able to configure containerd registries effortlessly from inside the cluster.

sscarduzio•7mo ago

Would this help in case of air gapped environments? You just run the registry in the internal network and use the rewrite. Am I right? Any catch?

Take a trip to Japan's Dododo Land, the most irritating place on Earth

British drivers over 70 to face eye tests every three years

BookTalk: A Reading Companion That Captures Your Voice

Is AI "good" yet? – tracking HN's sentiment on AI coding

Show HN: Amdb – Tree-sitter based memory for AI agents (Rust)

OpenClaw Partners with VirusTotal for Skill Security

Show HN: Seedance 2.0 Release

Leisure Suit Larry's Al Lowe on model trains, funny deaths and Disney

Towards Self-Driving Codebases

VCF West: Whirlwind Software Restoration – Guy Fedorkow [video]

Show HN: COGext – A minimalist, open-source system monitor for Chrome (<550KB)

FOSDEM 26 – My Hallway Track Takeaways

Show HN: Env-shelf – Open-source desktop app to manage .env files

Show HN: Almostnode – Run Node.js, Next.js, and Express in the Browser

Dell support (and hardware) is so bad, I almost sued them

Project Pterodactyl: Incremental Architecture

Styling: Search-Text and Other Highlight-Y Pseudo-Elements

Crypto firm accidentally sends $40B in Bitcoin to users

Magnetic fields can change carbon diffusion in steel

Fantasy football that celebrates great games

Show HN: Animalese

StrongDM's AI team build serious software without even looking at the code

John Haugeland on the failure of micro-worlds

Show HN: Velocity - Free/Cheaper Linear Clone but with MCP for agents

Corning Invented a New Fiber-Optic Cable for AI and Landed a $6B Meta Deal [video]

Show HN: XAPIs.dev – Twitter API Alternative at 90% Lower Cost

Near-Instantly Aborting the Worst Pain Imaginable with Psychedelics

Show HN: Nginx-defender – realtime abuse blocking for Nginx

The Super Sharp Blade

Smart Homes Are Terrible