All Policies

Replace Image Registry With Harbor

Some registries like Harbor offer pull-through caches for images from certain registries. Images can be re-written to be pulled from the redirected registry instead of the original and the registry will proxy pull the image, adding it to its internal cache. The imageData context variable in this policy provides a normalized view of the container image, allowing the policy to make decisions based on various "live" image details. As a result, it requires access to the source registry and the existence of the target image to verify those details.

Policy Definition

/other/replace-image-registry-with-harbor/replace-image-registry-with-harbor.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: replace-image-registry-with-harbor
 5  annotations:
 6    policies.kyverno.io/title: Replace Image Registry With Harbor
 7    pod-policies.kyverno.io/autogen-controllers: none
 8    policies.kyverno.io/category: Sample
 9    policies.kyverno.io/severity: medium
10    policies.kyverno.io/subject: Pod
11    kyverno.io/kyverno-version: 1.11.4
12    kyverno.io/kubernetes-version: "1.27"
13    policies.kyverno.io/description: >-
14      Some registries like Harbor offer pull-through caches for images from certain registries.
15      Images can be re-written to be pulled from the redirected registry instead of the original and
16      the registry will proxy pull the image, adding it to its internal cache.
17      The imageData context variable in this policy provides a normalized view
18      of the container image, allowing the policy to make decisions based on various 
19      "live" image details. As a result, it requires access to the source registry and the existence
20      of the target image to verify those details.      
21spec:
22  rules:
23    - name: redirect-docker
24      match:
25        any:
26          - resources:
27              kinds:
28                - Pod
29              operations:
30                - CREATE
31                - UPDATE
32      mutate:
33        foreach:
34          - list: request.object.spec.initContainers[]
35            context:
36              - name: imageData
37                imageRegistry:
38                  reference: "{{ element.image }}"
39            preconditions:
40              any:
41                - key: "{{imageData.registry}}"
42                  operator: Equals
43                  value: index.docker.io
44            patchStrategicMerge:
45              spec:
46                initContainers:
47                  - name: "{{ element.name }}"
48                    image: harbor.example.com/k8s/{{imageData.repository}}:{{imageData.identifier}}
49          - list: request.object.spec.containers[]
50            context:
51              - name: imageData
52                imageRegistry:
53                  reference: "{{ element.image }}"
54            preconditions:
55              any:
56                - key: "{{imageData.registry}}"
57                  operator: Equals
58                  value: index.docker.io
59            patchStrategicMerge:
60              spec:
61                containers:
62                  - name: "{{ element.name }}"
63                    image: harbor.example.com/k8s/{{imageData.repository}}:{{imageData.identifier}}
Create policy issue