
Implement imago as an AdmissionController

Open philpep opened this issue 6 years ago • 3 comments

The admission controller will modify the configured images with a fixed digest and add an imago annotation.

philpep avatar Mar 10 '19 15:03 philpep

Hello,

If imago runs as a service (for the webhook or admission controller), would you also implement the scheduling in this service, or would I need to run it as a cron too?

If you do implement it as one service (which I'd prefer ;-) ), I suggest allowing different filters to be configured for services that are handled by the admission controller and services that should be auto-updated. I can imagine multiple use cases:

Automated deployment on a staging environment for manual testing:

  • images have a version like 1.0.1-SNAPSHOT and are mutable
  • a kubectl or helm deployment is triggered via Jenkins
  • the admission controller rewrites 1.0.1-SNAPSHOT to the current hash, so the latest build is used
  • the cron should ignore these deployments so that manual testing does not get interrupted

Installation of security updates:

  • a deployment with image tag 1.0 which is mutable and regularly updated to the latest 1.0.x version of the app
  • the cron rewrites to the latest hash if the tag reference has changed
  • up to here this is possible without the admission controller. The problem is that a redeployment is forced when the application is updated with helm/kubectl, because the image tag would be changed back from the hash to 1.0
  • so with the admission controller this would be rewritten too.

To support both use cases within the same cluster, I'd configure the admission controller to filter on the annotation or label "imago/rewrite-on-deployment" and the cron to filter on "imago/auto-rewrite" (or similar).

micw avatar Mar 12 '19 09:03 micw
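The mutating-webhook core that the issue opener and the comment above both describe (rewrite each container's tag to the current digest, record an imago annotation, and only do so for workloads that opted in via an annotation), as an added example that is not imago's code and was not posted in this thread. It assumes the annotation name `imago/rewrite-on-deployment` from the comment above, a hypothetical `imago/original-images` annotation for the audit record, a constructed digest table in place of a real registry lookup, and `registry.example` as a placeholder registry:

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// PatchOp is one RFC 6902 JSON Patch operation (AdmissionResponse.patch carries an array of these).
type PatchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value string `json:"value,omitempty"`
}

// Resolver maps a tag reference to its current manifest digest. A real webhook
// would query the registry; SampleResolver below is a constructed table.
type Resolver func(ref string) (string, error)

// PinImage rewrites ref to "<repo>@sha256:<digest>". A reference that already
// carries a digest is returned unchanged; the tag is dropped because the
// container runtime ignores it once a digest is present.
func PinImage(ref string, resolve Resolver) (string, error) {
	if strings.Contains(ref, "@") {
		return ref, nil
	}
	digest, err := resolve(ref)
	if err != nil || !strings.HasPrefix(digest, "sha256:") || len(digest) != len("sha256:")+64 {
		return "", fmt.Errorf("cannot pin %q: digest %q, err %v", ref, digest, err)
	}
	// The tag separator is the last ":" after the last "/", so a registry
	// port ("registry.example:5000/app") is not mistaken for a tag.
	repo := ref
	if colon := strings.LastIndex(ref, ":"); colon > strings.LastIndex(ref, "/") {
		repo = ref[:colon]
	}
	return repo + "@" + digest, nil
}

// workload is the subset of a Deployment/StatefulSet/DaemonSet the webhook reads.
type workload struct {
	Metadata struct {
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
	Spec struct {
		Template struct {
			Spec struct {
				Containers []struct {
					Name  string `json:"name"`
					Image string `json:"image"`
				} `json:"containers"`
			} `json:"spec"`
		} `json:"template"`
	} `json:"spec"`
}

// BuildPatch returns the JSON Patch for the raw object in an AdmissionReview.
// Only objects whose gate annotation is "true" are rewritten (opt-in per
// workload); a resolver failure is returned as an error so the caller can
// fail closed instead of admitting an unpinned image.
func BuildPatch(raw []byte, gate string, resolve Resolver) ([]PatchOp, error) {
	var w workload
	if err := json.Unmarshal(raw, &w); err != nil {
		return nil, err
	}
	if w.Metadata.Annotations[gate] != "true" {
		return nil, nil
	}
	var ops []PatchOp
	original := map[string]string{}
	for i, c := range w.Spec.Template.Spec.Containers {
		pinned, err := PinImage(c.Image, resolve)
		if err != nil {
			return nil, fmt.Errorf("container %q: %w", c.Name, err)
		}
		if pinned == c.Image {
			continue
		}
		ops = append(ops, PatchOp{"replace", fmt.Sprintf("/spec/template/spec/containers/%d/image", i), pinned})
		original[c.Name] = c.Image
	}
	if len(ops) > 0 {
		// Record what was pinned under a hypothetical annotation name ("/" is
		// escaped as "~1" in a JSON Pointer); the annotations map is known to
		// exist because the gate annotation was found in it.
		b, _ := json.Marshal(original)
		ops = append(ops, PatchOp{"add", "/metadata/annotations/imago~1original-images", string(b)})
	}
	return ops, nil
}

// SampleDeployment is constructed input: a staging Deployment opted in to
// rewriting, with one mutable tag and one container already pinned by digest.
const SampleDeployment = `{"metadata": {"name": "app", "annotations": {"imago/rewrite-on-deployment": "true"}},
  "spec": {"template": {"spec": {"containers": [
    {"name": "app", "image": "registry.example/app:1.0.1-SNAPSHOT"},
    {"name": "sidecar", "image": "registry.example/sidecar@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}]}}}}`

// SampleResolver is a constructed digest table standing in for registry lookups.
func SampleResolver(ref string) (string, error) {
	table := map[string]string{"registry.example/app:1.0.1-SNAPSHOT": "sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"}
	if d, ok := table[ref]; ok {
		return d, nil
	}
	return "", fmt.Errorf("no digest known for %q", ref)
}
```

In a webhook handler the returned ops are JSON-encoded, base64-encoded and placed in `response.patch` with `patchType: JSONPatch`; a `nil` result is admitted unchanged. The cron side of the two-filter scheme would reuse `PinImage` but gate on the other annotation, and because the webhook returns an error when the registry cannot be reached, the `MutatingWebhookConfiguration` should use `failurePolicy: Fail` so an unpinned image is not admitted silently during a registry outage.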

Hi @micw, thanks for the suggestion! Yes, I think controlling the future AdmissionController behavior with annotations is the way to go for incremental use. Also maybe have an option to control this (check or not check annotations).

philpep avatar Mar 15 '19 17:03 philpep

I think Kyverno covers this use-case somewhat

https://kyverno.io/policies/other/resolve_image_to_digest/resolve-image-to-digest/

blairdrummond avatar Sep 28 '22 20:09 blairdrummond