k8s-image-swapper
AWS Support target "repository" as a prefix
Currently images are pushed to ECR in `/docker.io/` syntax. In some cases where multiple EKS clusters are in the same account and the same region but may not share authorized images, a parent repository path is appropriate. Add a prefix to the AWS target config and prepend the value to the target path to ensure separation as needed.
@ryanfaircloth Interesting. Why would you want to separate those, as they would be identical?
We'd like this, but for a slightly different reason. We want to give k8s-image-swapper access to store images from arbitrary registries, but also in the same AWS account have our own images that it should not be able to write to.
Currently we're having to explicitly list out all the different registries that we're swapping - if we could put a prefix there it would be much simpler to use and reason about :)
(The reason for this is simply that our corporate security policy mandates least-privilege access control)
Without the prefix it's possible to trick image swapper into pulling a malicious image from another registry with the same name.
@ryanfaircloth I'm just discussing some mechanics to change the source image in #660 and wondered if that could be useful in your case as well, but on the target end:

```yaml
source:
  filters:
    - jmespath: "contains(container.image, '.dkr.ecr.') && contains(container.image, '.amazonaws.com')"
  preprocessor:
    - replace:
        from: dkr.ecr.eu-west-1.amazonaws.com
        to: dkr.ecr.us-east-1.amazonaws.com
```
In your case it's probably something like:

```yaml
source:
  filters:
    - jmespath: "contains(container.image, '.dkr.ecr.') && contains(container.image, '.amazonaws.com')"
  preprocessor:
    - prefix: <myprefix>
target:
  preprocessor:
    - prefix: <myprefix>
```
Thoughts?
I think this could work.
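The thread turns on two points: a target-path prefix keeps mirrored images under one parent repository path, and that same prefix is what lets the swapper's IAM permissions be scoped so it cannot write to the account's own repositories. The following is an added example, not k8s-image-swapper's code: it parses an image reference with Docker's defaults, builds the target repository path with and without a prefix, and applies a segment-wise check of the kind an IAM resource scope on `<prefix>/*` would enforce. The `<source registry>/<repository>` target layout is an assumption modelled on the `/docker.io/` paths mentioned in the issue, and the ECR account id is a constructed placeholder.

```python
"""Added example: target-path prefixing for a mirrored-image registry.
Not k8s-image-swapper's implementation; the path layout is an assumption
based on the '/docker.io/' target paths described in the issue."""
import re
from dataclasses import dataclass

# Constructed target registry host (placeholder account id, not a real one).
TARGET_REGISTRY = "123456789012.dkr.ecr.us-east-1.amazonaws.com"

# A tag is ':' followed by up to 128 [A-Za-z0-9_.-] characters at the end.
_TAG_RE = re.compile(r"^(.*?)(?::([\w][\w.-]{0,127}))?$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    reference: str  # ":tag", "@sha256:..." or "" when neither is given


def parse_image(image: str) -> ImageRef:
    """Split an image string into registry, repository and tag/digest,
    applying Docker's defaults: no registry -> docker.io, and a
    single-segment docker.io repository -> library/<name>."""
    digest = ""
    if "@" in image:  # a digest, if present, wins over any tag
        image, suffix = image.split("@", 1)
        digest = "@" + suffix
    parts = image.split("/")
    # The first segment is a registry only if it looks like a host.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, rest = parts[0], parts[1:]
    else:
        registry, rest = "docker.io", parts
    name, tag = _TAG_RE.match("/".join(rest)).groups()
    if registry == "docker.io" and "/" not in name:
        name = "library/" + name
    reference = digest if digest else (":" + tag if tag else "")
    return ImageRef(registry, name, reference)


def target_repository(image: str, prefix: str = "") -> str:
    """Repository path inside the target registry. Without a prefix this is
    <source registry>/<repository>; with one it becomes
    <prefix>/<source registry>/<repository>, so every mirrored image sits
    under a single parent path."""
    ref = parse_image(image)
    base = f"{ref.registry}/{ref.repository}"
    prefix = prefix.strip("/")
    return f"{prefix}/{base}" if prefix else base


def target_image(image: str, prefix: str = "") -> str:
    """Full target image reference, keeping the original tag or digest."""
    ref = parse_image(image)
    return f"{TARGET_REGISTRY}/{target_repository(image, prefix)}{ref.reference}"


def is_within_prefix(repository: str, allowed_prefix: str) -> bool:
    """Least-privilege check: may the swapper write to this repository?
    Compares whole path segments, so an allowed prefix of 'mirror' does
    not also authorise 'mirror2/...'."""
    allowed = allowed_prefix.strip("/").split("/")
    return repository.split("/")[: len(allowed)] == allowed


if __name__ == "__main__":
    # Constructed sample images from several public registries.
    samples = [
        "nginx:1.25",
        "docker.io/bitnami/redis:7.2",
        "quay.io/prometheus/node-exporter:v1.7.0",
        "ghcr.io/example/app@sha256:" + "a" * 64,
    ]
    for img in samples:
        print(f"{img:60} -> {target_image(img, 'mirror')}")
    # The account's own repository is outside the prefix, so a write
    # scope limited to 'mirror/*' would not cover it.
    print(is_within_prefix("internal/payments-api", "mirror"))
```

Running the block prints each sample beside its prefixed target reference; the final check returns `False` for a repository outside the allowed prefix, which is the separation the least-privilege argument in the thread relies on.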