# Register the upstream Kyverno chart repository and refresh the local index.
helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update
# Install Kyverno into its own namespace (created if it does not exist yet).
# Consider adding `--version <chart-version>` so that re-running this installs
# the same reviewed chart release instead of whatever is newest at the time.
helm install kyverno kyverno/kyverno --namespace kyverno --create-namespace
创建 docker 镜像仓库密钥（Secret）。下面的 ClusterPolicy 是从 `default` 名称空间克隆这个 Secret 的，所以请在 `default` 中创建；如果改用其他 namespace，需要同步修改下面的 `clone.namespace`。注意：把 token 直接写在命令行里会留在 shell 历史记录中，建议从文件读取，并且使用只有拉取权限的 token。
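# Create the registry pull secret in the `default` namespace. The sync policy
# below clones it from there (`clone.namespace: default`), so the namespace is
# passed explicitly instead of depending on the current kubeconfig context.
# The token is read from a file rather than typed on the command line so the
# secret value does not land in shell history (only the file name does; it is
# still briefly visible in the process list). Use a pull-only token: the policy
# copies this Secret into every namespace, so treat it as widely readable.
kubectl create secret docker-registry <imagename> \
  --namespace default \
  --docker-server='<image registry>' \
  --docker-username='<username>' \
  --docker-password="$(cat /path/to/auth-token)"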
请自行把下面所有的 `<imagename>` 替换为镜像密钥名称，并按需调整名称空间（注意保持克隆出来的 Secret 名称与注入到 `imagePullSecrets` 的名称一致）。下面的文件包含了 Pod、Deployment、DaemonSet、StatefulSet、Job、CronJob 的注入规则，用不到的规则可以自行删除。
# Write the two ClusterPolicies below into this file (any editor will do).
vim add-imagepullsecret.yaml
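---
# Policy 1: replicate the registry pull secret into every non-system namespace.
#
# The Secret is cloned from the `default` namespace, so the `kubectl create
# secret` step must target `default` (or `clone.namespace` below must change).
# Security note: the credential ends up in every matched namespace, readable by
# anyone who can `get secrets` there. Use a pull-only token scoped to the
# repositories that are actually needed, never an account with push rights.
# NOTE(review): the Kyverno background controller needs create/update/delete on
# Secrets cluster-wide for this rule; older Helm charts required an extra
# aggregated ClusterRole for that — check the policy status / controller logs
# if no copies appear.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: syncsync-secrets
  annotations:
    policies.kyverno.io/title: Clone imagePullSecret secret to new namespaces
    policies.kyverno.io/subject: Namespace
    policies.kyverno.io/description: >-
      ImagePullSecrets must be present in the same namespace as the pods using them.
      This policy watches Namespace objects (except the Kubernetes system namespaces
      and kyverno) and clones the `<imagename>` Secret from the `default` namespace
      into each of them, keeping the copies in sync with the source.
spec:
  # Also apply to namespaces that already exist when the policy is installed,
  # not only to ones created afterwards.
  # NOTE(review): this field replaced `generateExistingOnPolicyUpdate` in newer
  # Kyverno releases — confirm it matches the installed version.
  generateExisting: true
  rules:
  - name: sync-image-pull-secret
    match:
      any:
      - resources:
          kinds:
          - Namespace
    # The description promised to skip kube-system and kyverno; make that real.
    # Cluster-internal namespaces do not need a private registry credential,
    # and keeping it out of them limits how far the credential spreads.
    exclude:
      any:
      - resources:
          names:
          - kube-system
          - kube-public
          - kube-node-lease
          - kyverno
    generate:
      apiVersion: v1
      kind: Secret
      # Must match `clone.name` and the `imagePullSecrets[].name` injected by
      # the mutate policy; a different name here yields a Secret no Pod uses.
      name: <imagename>
      namespace: "{{ request.object.metadata.name }}"
      # Propagate updates to (and deletion of) the source Secret to every copy.
      synchronize: true
      clone:
        namespace: default
        name: <imagename>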
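---
# Policy 2: inject the pull-secret reference into every Pod and into the Pod
# templates of the common controllers so the kubelet can authenticate to the
# private registry.
#
# Unlike the upstream Kyverno sample this was adapted from, there is no
# registry filter: every workload in a matched namespace gets the reference.
# The kubelet tolerates a reference to a Secret that does not exist (public
# images still pull), but private pulls rely on the sync policy having placed
# `<imagename>` in the namespace first.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-imagepullsecrets
  annotations:
    policies.kyverno.io/title: Add imagePullSecrets
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Images from a private registry require authentication in order to pull them,
      and the kubelet uses an imagePullSecret to pull those images on behalf of the
      Pod. This policy mutates every Pod, and the Pod template of DaemonSets,
      Deployments, Jobs, StatefulSets and CronJobs, to add an imagePullSecret
      called `<imagename>`.
    # The rules below already cover the Pod controllers explicitly. Turn off
    # Kyverno's auto-generated controller rules so the same patch is not derived
    # a second time, and so no rule name here collides with the `autogen-`
    # prefix Kyverno uses for the rules it generates itself. Pods created by
    # controllers not listed below (e.g. bare ReplicaSets) are still covered
    # by the Pod rule at admission time.
    pod-policies.kyverno.io/autogen-controllers: none
spec:
  rules:
  - name: add-imagepullsecret
    match:
      any:
      - resources:
          kinds:
          - Pod
    # Keep system namespaces untouched: the sync policy does not place the
    # Secret there, so the reference would only dangle. (The Kyverno chart may
    # already skip kube-system at the webhook level; this makes it explicit.)
    exclude:
      any:
      - resources:
          namespaces:
          - kube-system
          - kube-public
          - kube-node-lease
          - kyverno
    mutate:
      patchStrategicMerge:
        spec:
          # Strategic merge keys this list by `name`, so re-applying the same
          # entry does not duplicate it.
          imagePullSecrets:
          - name: <imagename>
  - name: add-controller-imagepullsecret
    match:
      any:
      - resources:
          kinds:
          - DaemonSet
          - Deployment
          - Job
          - StatefulSet
    exclude:
      any:
      - resources:
          namespaces:
          - kube-system
          - kube-public
          - kube-node-lease
          - kyverno
    mutate:
      patchStrategicMerge:
        spec:
          template:
            spec:
              imagePullSecrets:
              - name: <imagename>
  - name: add-cronjob-imagepullsecret
    match:
      any:
      - resources:
          kinds:
          - CronJob
    exclude:
      any:
      - resources:
          namespaces:
          - kube-system
          - kube-public
          - kube-node-lease
          - kyverno
    mutate:
      patchStrategicMerge:
        spec:
          # CronJob nests one level deeper: jobTemplate -> Pod template.
          jobTemplate:
            spec:
              template:
                spec:
                  imagePullSecrets:
                  - name: <imagename>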
# Apply both ClusterPolicies. Running the same command with `--dry-run=server`
# first lets the API server and admission webhooks validate the policies
# before anything is created.
kubectl apply --filename add-imagepullsecret.yaml