Injecting ImagePullSecrets into Kubernetes Pods with Kyverno

helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update
helm install kyverno kyverno/kyverno -n kyverno --create-namespace

Create the Docker registry secret. It is created in the default namespace here because the sync policy below clones it from default; it can live in another namespace, but then clone.namespace in the policy has to be changed to match.

kubectl create secret docker-registry <imagename> -n default --docker-server='<image registry>' --docker-username='<username>' --docker-password='<auth-token>'

Adjust the secret name and namespace to your own. <imagename> below stands for the name of the docker-registry Secret created above (despite the placeholder it is a Secret name, not an image name), and every occurrence must be the same string; otherwise the clone rule creates one Secret and the mutate rules point Pods at another. The file contains two ClusterPolicies: the first clones the Secret from the default namespace into every namespace, existing ones included (spec.generateExisting, which older Kyverno releases spell generateExistingOnPolicyUpdate), and keeps the copies in sync with the source; the second adds the imagePullSecret to Pods, Deployments, DaemonSets, StatefulSets, Jobs and CronJobs. Delete the kinds you do not need. Two caveats before applying this cluster-wide: a registry credential cloned into every namespace is readable by anyone who can read Secrets there, so add an exclude for namespaces that should not receive it; and Kyverno's autogen already derives the controller rules from a rule that matches Pod, so the explicit controller rules here only matter if autogen is disabled for the policy.

vim add-imagepullsecret.yaml
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sync-secrets
  annotations:
    policies.kyverno.io/title: Clone imagePullSecret secret to all namespaces
    policies.kyverno.io/subject: Namespace
    policies.kyverno.io/description: >-
      ImagePullSecrets must be present in the same namespace as the pods using them.
      This policy matches every Namespace (existing ones too, because generateExisting is set)
      and clones the registry Secret `<imagename>` from the `default` namespace into it,
      keeping the copy in sync with the source.
spec:
  generateExisting: true
  rules:
  - name: sync-image-pull-secret
    match:
      any:
      - resources:
          kinds:
          - Namespace
    generate:
      apiVersion: v1
      kind: Secret
      name: <imagename>
      namespace: "{{ request.object.metadata.name }}"
      synchronize: true
      clone:
        namespace: default
        name: <imagename>
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-imagepullsecrets
  annotations:
    policies.kyverno.io/title: Add imagePullSecrets
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Images from a private registry require authentication to pull them, and the kubelet
      uses an imagePullSecret to pull them on behalf of the Pod. This policy adds the
      imagePullSecret `<imagename>` to the pod spec of every Pod, and to the pod template of
      the listed controllers, regardless of which registry the images come from.
spec:
  rules:
  - name: add-imagepullsecret
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        spec:
          imagePullSecrets:
          - name: <imagename>
  - name: add-controller-imagepullsecret
    match:
      any:
      - resources:
          kinds:
          - DaemonSet
          - Deployment
          - Job
          - StatefulSet
    mutate:
      patchStrategicMerge:
        spec:
          template:
            spec:
              imagePullSecrets:
              - name: <imagename>
  - name: add-cronjob-imagepullsecret
    match:
      any:
      - resources:
          kinds:
          - CronJob
    mutate:
      patchStrategicMerge:
        spec:
          jobTemplate:
            spec:
              template:
                spec:
                  imagePullSecrets:
                  - name: <imagename>

kubectl apply -f add-imagepullsecret.yaml

After applying, confirm that the Secret has been cloned into every namespace (kubectl get secret <imagename> -A) and that a freshly created Pod carries it (kubectl get pod <pod> -o jsonpath='{.spec.imagePullSecrets}'). The mutate rules act at admission, so only objects created or updated after the policy is in place are patched; Pods that already exist are not rewritten.
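As an added example (not from the original post and not part of Kyverno), the Python script below audits a cluster snapshot offline against what the two policies are meant to guarantee: it lists namespaces that do not yet contain the cloned Secret and workloads whose pod spec does not reference it, walking the same three pod-spec locations the mutate rules patch (spec, spec.template.spec and spec.jobTemplate.spec.template.spec). It also shows the registry-scoped variant the page's policy does not implement: given a registry host, only workloads that actually pull from that registry are reported. Feed it the output of kubectl get ns,secrets,pods,deploy,ds,sts,jobs,cronjobs -A -o json; with nothing on stdin it runs on a constructed sample. The secret name <imagename> and the host registry.example.com are assumptions.

```python
"""Offline audit of the two Kyverno policies above (added example, not the
post's own code). Reads `kubectl get ... -o json` from stdin, or runs on the
constructed SAMPLE below when nothing is piped in."""
import copy
import json
import sys

PULL_SECRET = "<imagename>"  # assumed: the same placeholder the policies use

# Where each kind keeps its pod spec: the three shapes the mutate rules patch.
POD_SPEC_PATH = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}

# Namespaces the sync rule should exclude; they are skipped in the report.
SYSTEM_NAMESPACES = ("kube-system", "kube-public", "kube-node-lease", "kyverno")


def pod_spec(obj):
    """Pod spec dict of a workload object, or None for kinds without one."""
    path = POD_SPEC_PATH.get(obj.get("kind"))
    if path is None:
        return None
    node = obj
    for key in path:
        node = node.get(key)
        if not isinstance(node, dict):
            return None
    return node


def registry_of(image):
    """Registry host of an image reference, per the docker reference rule: the
    first path component is a host only if it contains '.' or ':' or is
    'localhost'; anything else resolves to Docker Hub."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def images(spec):
    return [c["image"] for c in spec.get("initContainers", []) + spec.get("containers", [])]


def has_pull_secret(spec, secret_name):
    return any(s.get("name") == secret_name for s in spec.get("imagePullSecrets", []))


def missing_secret_namespaces(items, secret_name, skip=SYSTEM_NAMESPACES):
    """Namespaces the sync rule has not (yet) populated with the cloned Secret."""
    namespaces = {i["metadata"]["name"] for i in items if i.get("kind") == "Namespace"}
    populated = {i["metadata"]["namespace"] for i in items
                 if i.get("kind") == "Secret" and i["metadata"]["name"] == secret_name}
    return sorted(namespaces - populated - set(skip))


def workloads_missing_pull_secret(items, secret_name, registry=None):
    """Workloads whose pod spec lacks the imagePullSecret. With `registry` set, only
    workloads pulling at least one image from that host count: the scoped behaviour
    the page's mutate rule (which patches every Pod) does not implement."""
    found = []
    for obj in items:
        spec = pod_spec(obj)
        if spec is None:
            continue
        if registry and not any(registry_of(img) == registry for img in images(spec)):
            continue
        if not has_pull_secret(spec, secret_name):
            meta = obj["metadata"]
            found.append(f"{obj['kind']}/{meta.get('namespace', '')}/{meta['name']}")
    return found


def add_pull_secret(obj, secret_name):
    """Patched copy of `obj` with the secret appended to imagePullSecrets unless already
    listed: the effect of the strategic merge patch, which merges that list by name."""
    patched = copy.deepcopy(obj)
    spec = pod_spec(patched)
    if spec is None:
        raise ValueError(f"no pod spec for kind {obj.get('kind')}")
    if not has_pull_secret(spec, secret_name):
        spec.setdefault("imagePullSecrets", []).append({"name": secret_name})
    return patched


def report(items, secret_name, registry=None):
    return {
        "namespaces_missing_secret": missing_secret_namespaces(items, secret_name),
        "workloads_missing_pull_secret": workloads_missing_pull_secret(items, secret_name, registry),
    }


# Constructed snapshot standing in for `kubectl get ... -A -o json`; the registry host is assumed.
SAMPLE = {"items": [
    {"kind": "Namespace", "metadata": {"name": "default"}},
    {"kind": "Namespace", "metadata": {"name": "team-a"}},
    {"kind": "Namespace", "metadata": {"name": "team-b"}},
    {"kind": "Namespace", "metadata": {"name": "kube-system"}},
    {"kind": "Secret", "metadata": {"name": PULL_SECRET, "namespace": "default"}},
    {"kind": "Secret", "metadata": {"name": PULL_SECRET, "namespace": "team-a"}},
    {"kind": "Deployment", "metadata": {"name": "api", "namespace": "team-a"},
     "spec": {"template": {"spec": {
         "containers": [{"name": "api", "image": "registry.example.com/team-a/api:1.4"}],
         "imagePullSecrets": [{"name": PULL_SECRET}]}}}},
    {"kind": "CronJob", "metadata": {"name": "report", "namespace": "team-b"},
     "spec": {"jobTemplate": {"spec": {"template": {"spec": {
         "containers": [{"name": "report", "image": "registry.example.com/team-b/report:2.0"}]}}}}}},
    {"kind": "Pod", "metadata": {"name": "debug", "namespace": "team-b"},
     "spec": {"containers": [{"name": "sh", "image": "busybox:1.36"}]}},
    {"kind": "Service", "metadata": {"name": "api", "namespace": "team-a"}, "spec": {}},
]}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    registry = sys.argv[1] if len(sys.argv) > 1 else None
    print(json.dumps(report(data["items"], PULL_SECRET, registry), indent=2))
```

On the sample, team-b is reported as missing the cloned Secret, and both team-b workloads are reported as missing the imagePullSecret; passing registry.example.com as the first argument drops the busybox debug Pod from the list, since a Docker Hub image gains nothing from the private-registry credential. Pods are only mutated at admission, so a non-empty workload list after the policy is applied usually means objects that predate it.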
Licensed under CC BY-NC-SA 4.0