Image Swapper 0.1: Container Image Mirroring for Kubernetes

Introduction
Image sources are one of the fastest ways Kubernetes platforms drift out of control: different teams pull from different registries, clusters depend on public availability, and security/compliance requirements show up late — usually during an incident or an audit.
Image Swapper 0.1, released on October 15, 2020, tackles that problem at the right control point: admission. By automatically mirroring and swapping image references as Pods are created, the platform can enforce registry policy without asking every application team to rewrite manifests.
Common use cases
- Private-registry enforcement: allow images only from approved registries (and redirect everything else).
- Mirroring for reliability: reduce dependency on public registries and avoid surprise rate limits during large rollouts.
- Gradual registry migration: move workloads from one registry to another while keeping app YAML stable.
Image Mirroring
- Automatic mirroring enables copying images from public registries to private registries.
- Transparent swapping replaces image references at admission time without modifying manifests.
- Registry management supports multiple source and destination registries.
- Namespace-based policies allow different mirroring strategies per namespace.
Security Features
- Registry allow listing enables restricting image sources to approved registries.
- Image validation provides basic validation of image references.
- Policy enforcement ensures only approved images can be deployed.
- Audit logging tracks all image swap operations for compliance.
Kubernetes Integration
- Mutating webhook integration provides seamless operation at pod admission time.
- Transparent operation ensures no changes are required to application manifests.
- RBAC integration provides fine-grained permissions for webhook operations.
- Namespace support enables different policies per namespace.
Getting Started
```bash
kubectl apply -f https://github.com/estahn/k8s-image-swapper/releases/download/v0.1.0/release.yaml
```
Configure Image Swapper:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: image-swapper-config
  namespace: image-swapper-system
data:
  config.yaml: |
    sourceRegistries:
      - docker.io
    targetRegistry: registry.example.com
    mirroring:
      enabled: true
```
Create a MutatingWebhookConfiguration:
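```yaml
# admissionregistration.k8s.io/v1beta1 was removed in Kubernetes 1.22; on newer
# clusters use admissionregistration.k8s.io/v1, which additionally requires
# sideEffects and admissionReviewVersions on each webhook.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: image-swapper
webhooks:
  - name: image-swapper.k8s.io
    clientConfig:
      # The API server calls this in-cluster Service over TLS.
      service:
        name: image-swapper-webhook
        namespace: image-swapper-system
        path: "/mutate"
    rules:
      # Intercept Pod creation and updates so image references can be rewritten.
      - operations: ["CREATE", "UPDATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
```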
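The transparent swap listed under Image Mirroring, sketched as an added example (not k8s-image-swapper's own code): it normalizes a reference with Docker's implicit defaults and rewrites it only when the exact registry host is a configured source. The `<target>/<source host>/<path>` layout and the names `normalize` and `swap` are assumptions; the registry values come from the ConfigMap above.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy values copied from the ConfigMap on this page.
var sourceRegistries = map[string]bool{"docker.io": true}

const targetRegistry = "registry.example.com"

// normalize splits an image reference into registry host and remainder,
// applying Docker's implicit defaults (docker.io, library/, :latest).
func normalize(ref string) (host, rest string) {
	host, rest = "docker.io", ref
	if i := strings.Index(ref, "/"); i >= 0 {
		first := ref[:i]
		// The first component is a registry only if it looks like a host name.
		if strings.ContainsAny(first, ".:") || first == "localhost" {
			host, rest = first, ref[i+1:]
		}
	}
	if host == "docker.io" && !strings.Contains(rest, "/") {
		rest = "library/" + rest
	}
	// Add :latest only when the reference has neither a digest nor a tag.
	last := rest[strings.LastIndex(rest, "/")+1:]
	if !strings.Contains(rest, "@") && !strings.Contains(last, ":") {
		rest += ":latest"
	}
	return host, rest
}

// swap returns the reference the Pod should carry and whether it was rewritten.
// Hosts are compared exactly, never by string prefix (assumed mirror layout).
func swap(ref string) (string, bool) {
	host, rest := normalize(ref)
	if host == targetRegistry || !sourceRegistries[host] {
		return ref, false // already mirrored (UPDATE) or not a configured source
	}
	return targetRegistry + "/" + host + "/" + rest, true
}

func main() {
	// Constructed sample references.
	for _, r := range []string{"nginx", "bitnami/redis:6.0", "docker.io.example.net/app:1"} {
		out, changed := swap(r)
		fmt.Printf("%-28s -> %s (swapped=%v)\n", r, out, changed)
	}
}
```

Because a reference already pointing at the target registry is returned unchanged, the rewrite is idempotent when the webhook fires again on `UPDATE`.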
Summary
| Aspect | Details |
|---|---|
| Release Date | October 15, 2020 |
| Headline Features | Automatic image mirroring, registry policies, transparent image swapping |
| Why it Matters | Delivers automated container image management with registry policy enforcement for enhanced security |
Image Swapper 0.1 introduces a new approach to container image management in Kubernetes, enabling automated mirroring and policy enforcement for improved security and compliance.