Image Swapper 1.0: Container Image Mirroring and Security
K8s Guru
2 min read

Introduction
Image Swapper 1.0, released on July 28, 2023, is most relevant if you are hardening clusters without turning every deploy into a support ticket. Its value is in rollout safety: image controls enforced at admission time with few false positives, policy decisions that are visible to the team owning the workload, and a clear day-2 path when an image is blocked.
Image Mirroring
- Automatic mirroring copies images from public registries into a private registry, so nodes pull from infrastructure you control rather than from the internet.
- Namespace-based policies allow a different mirroring strategy per namespace or workload.
- Registry management supports multiple source registries and more than one destination registry.
- Sync capabilities keep mirrored images up to date with upstream. A mutable tag such as latest can change upstream between syncs, so pin by digest where reproducibility matters.
Security Scanning Integration
- Vulnerability scanning integration scans an image automatically before it is deployed.
- Policy enforcement blocks images that carry critical vulnerabilities. Treat a scan that cannot complete as a failure, not a pass, or a broken scanner quietly disables the control.
- Scan results storage keeps results for tracking and auditing.
- Compliance reporting gives visibility into the security posture of the images actually in use.
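How a fail-on-critical gate behaves, as an added example in Go; this is not the project's scanning code. It reads the subset of a Trivy JSON report it needs (the field names are an assumption based on Trivy's schema; check them against the Trivy version you run), blocks on the configured severities, honours an explicit exception list so accepted risk is recorded rather than silently waived, and refuses an unparseable report so a broken scanner cannot become a silent pass. The report is constructed for the example, with placeholder vulnerability IDs:

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Report is the subset of a Trivy JSON report (trivy image -f json) this gate reads.
// Field names follow Trivy's schema as assumed here; verify them against your scanner version.
type Report struct {
	Results []struct {
		Target          string `json:"Target"`
		Vulnerabilities []struct {
			ID           string `json:"VulnerabilityID"`
			PkgName      string `json:"PkgName"`
			Severity     string `json:"Severity"`
			FixedVersion string `json:"FixedVersion"`
		} `json:"Vulnerabilities"`
	} `json:"Results"`
}

// Gate generalises the page's failOnCritical flag to a severity set and adds an exception
// list, so accepting a finding is an explicit, reviewable decision instead of a policy loosening.
type Gate struct {
	BlockOn    map[string]bool   // severities that block deployment, e.g. CRITICAL
	Exceptions map[string]string // vulnerability ID -> justification for accepting it
}

// Evaluate returns the findings that block deployment; an empty slice means the image may run.
// An unreadable report is treated as a failed scan and returns an error (fail closed).
func (g Gate) Evaluate(raw []byte) ([]string, error) {
	var r Report
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, fmt.Errorf("unreadable scan report, refusing image: %w", err)
	}
	var blocking []string
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			if !g.BlockOn[v.Severity] {
				continue
			}
			if why, ok := g.Exceptions[v.ID]; ok {
				fmt.Printf("accepted %s in %s: %s\n", v.ID, res.Target, why)
				continue
			}
			fix := "no fix available"
			if v.FixedVersion != "" {
				fix = "fixed in " + v.FixedVersion
			}
			blocking = append(blocking, fmt.Sprintf("%s %s in %s (%s, %s)", v.Severity, v.ID, v.PkgName, res.Target, fix))
		}
	}
	return blocking, nil
}

// SampleReport is a constructed report with placeholder IDs, not real scanner output.
const SampleReport = `{"Results":[{"Target":"nginx:latest (debian 12)","Vulnerabilities":[
 {"VulnerabilityID":"CVE-EXAMPLE-0001","PkgName":"libexample","Severity":"CRITICAL","FixedVersion":"1.2.3"},
 {"VulnerabilityID":"CVE-EXAMPLE-0002","PkgName":"libother","Severity":"HIGH"},
 {"VulnerabilityID":"CVE-EXAMPLE-0003","PkgName":"libaccepted","Severity":"CRITICAL"}]}]}`

// FailOnCritical mirrors failOnCritical: true from the page's config, with one accepted exception.
var FailOnCritical = Gate{
	BlockOn:    map[string]bool{"CRITICAL": true},
	Exceptions: map[string]string{"CVE-EXAMPLE-0003": "not reachable from this workload; reviewed and accepted"},
}

func main() {
	blocking, err := FailOnCritical.Evaluate([]byte(SampleReport))
	fmt.Println(blocking, err)
}
```

With the sample report, only CVE-EXAMPLE-0001 blocks: the HIGH finding is below the threshold and CVE-EXAMPLE-0003 is covered by the exception list. Where you run this (a CI step, or a webhook that consults stored scan results) does not change the decision logic.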
Image Swapping
- Automatic swapping rewrites image references to their mirrored equivalents at admission time, so the pod never pulls from the public registry.
- Transparent operation means application manifests need no changes.
- Selector support gives fine-grained control over which images are swapped.
- Fallback mechanisms handle an unavailable mirror gracefully. Check what the fallback actually does: falling back to the public image silently reopens the path the mirror was meant to close, so it should at least be logged and scoped.
Policy Management
- Allow lists define the approved image registries and sources.
- Deny lists block untrusted or prohibited image sources.
- Registry policies allow different policies per registry or namespace.
- RBAC integration gives fine-grained permissions over who may change policy, which matters because anyone who can edit the allow list can bypass the control.
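The swapping and policy behaviour described in the two lists above, worked through in Go as an added example. This is not the project's code: the precedence rules (deny, then allow or already-mirrored, then mirror, else reject), the PatchOp shape and the decision to keep the source host in the mirrored path are this example's assumptions. It normalises Docker Hub shorthand before matching so that a deny rule on docker.io/unknown/* cannot be bypassed by writing unknown/evil:1, rewrites images from the configured source registries to the target, leaves already-mirrored or allow-listed images alone, rejects everything else, and emits the JSON patch a mutating webhook would return:

```go
package main

import (
	"fmt"
	"strings"
)

// Policy holds the parts of the page's config.yaml that drive the swap decision. The precedence
// (deny, then allow or already-mirrored, then mirror, else reject) is this example's assumption.
type Policy struct {
	SourceRegistries []string // public registries whose images are mirrored and rewritten
	TargetRegistry   string   // private registry that receives the mirrored copies
	AllowList        []string // references left untouched
	DenyList         []string // references rejected outright; deny wins over allow
}

// PatchOp is one RFC 6902 operation, the shape a mutating webhook returns in its response.
type PatchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value string `json:"value"`
}

// Container is the subset of the Pod container schema the webhook needs.
type Container struct {
	Name  string `json:"name"`
	Image string `json:"image"`
}

// normalizeRef expands Docker Hub shorthand so "nginx:latest", "library/nginx:latest" and
// "docker.io/library/nginx:latest" become one canonical form before any policy is matched.
func normalizeRef(ref string) (host, full string) {
	host, rest, found := strings.Cut(ref, "/")
	// A first component with no '.' or ':' (and not "localhost") is a repository, not a host.
	if !found || (!strings.ContainsAny(host, ".:") && host != "localhost") {
		host, rest = "docker.io", ref
	}
	if host == "docker.io" && !strings.Contains(rest, "/") {
		rest = "library/" + rest // official images live under library/
	}
	return host, host + "/" + rest
}

// matchAny treats a trailing '*' as a prefix wildcard; anything else must match exactly.
func matchAny(patterns []string, ref string) bool {
	for _, p := range patterns {
		if p == ref || (strings.HasSuffix(p, "*") && strings.HasPrefix(ref, strings.TrimSuffix(p, "*"))) {
			return true
		}
	}
	return false
}

// Decide returns the reference the pod should run with: unchanged when no swap is needed,
// the mirrored reference otherwise, or an error when policy blocks the image.
func (p Policy) Decide(ref string) (string, error) {
	host, n := normalizeRef(ref)
	if matchAny(p.DenyList, n) {
		return "", fmt.Errorf("image %q is deny-listed", ref)
	}
	if strings.HasPrefix(n, p.TargetRegistry+"/") || matchAny(p.AllowList, n) {
		return ref, nil
	}
	for _, src := range p.SourceRegistries {
		if host == src {
			// Keeping the source host in the mirrored path stops docker.io/x and quay.io/x colliding.
			return p.TargetRegistry + "/" + n, nil
		}
	}
	return "", fmt.Errorf("image %q is from a registry that is neither mirrored nor allow-listed", ref)
}

// PatchContainers builds the JSON patch for one container list (field is "containers",
// "initContainers" or "ephemeralContainers"). One blocked image fails the whole pod.
func (p Policy) PatchContainers(field string, list []Container) ([]PatchOp, error) {
	var ops []PatchOp
	for i, c := range list {
		swapped, err := p.Decide(c.Image)
		if err != nil {
			return nil, fmt.Errorf("%s[%d] %q: %w", field, i, c.Name, err)
		}
		if swapped != c.Image {
			ops = append(ops, PatchOp{"replace", fmt.Sprintf("/spec/%s/%d/image", field, i), swapped})
		}
	}
	return ops, nil
}

// ExamplePolicy reuses the values from the page's ConfigMap.
var ExamplePolicy = Policy{
	SourceRegistries: []string{"docker.io", "quay.io"},
	TargetRegistry:   "registry.example.com",
	AllowList:        []string{"registry.example.com/*"},
	DenyList:         []string{"docker.io/unknown/*"},
}

func main() {
	fmt.Println(ExamplePolicy.PatchContainers("containers", []Container{{"app", "nginx:latest"}}))
}
```

For the page's nginx:latest manifest this yields a single replace op on /spec/containers/0/image pointing at registry.example.com/docker.io/library/nginx:latest. PatchContainers handles one list at a time on purpose: a real webhook must walk containers, initContainers and ephemeralContainers, because each of them pulls an image and an init container is the classic place a policy that only checks containers gets bypassed.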
Getting Started
Install the v1.0.0 release manifest. Keep the version pinned as shown, and download and read the manifest before applying it to a production cluster, as you would with any manifest fetched from the internet:

```shell
kubectl apply -f https://github.com/estahn/k8s-image-swapper/releases/download/v1.0.0/release.yaml
```
Configure Image Swapper:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: image-swapper-config
  namespace: image-swapper-system
data:
  config.yaml: |
    sourceRegistries:
      - docker.io
      - quay.io
    targetRegistry: registry.example.com
    mirroring:
      enabled: true
      namespaceSelector:
        matchLabels:
          enable-mirroring: "true"
    security:
      scanning:
        enabled: true
        provider: trivy
        failOnCritical: true
    policies:
      allowList:
        - "registry.example.com/*"
      denyList:
        - "docker.io/unknown/*"
```
Create a MutatingWebhookConfiguration. Two things a bare webhook registration leaves out: the API server must trust the webhook's serving certificate (supply clientConfig.caBundle, or have cert-manager inject it), and with failurePolicy: Fail the webhook's own namespace and kube-system must be excluded, otherwise an outage of the webhook blocks its own pods from being recreated and the cluster wedges:

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: image-swapper
webhooks:
  - name: image-swapper.k8s.io
    clientConfig:
      service:
        name: image-swapper-webhook
        namespace: image-swapper-system
        path: "/mutate"
      # caBundle: base64 CA that signed the webhook serving certificate, or let cert-manager inject it
    # Exclude the control plane and the webhook itself so failurePolicy: Fail cannot deadlock the cluster.
    # The kubernetes.io/metadata.name label is set automatically on every namespace.
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kube-system", "image-swapper-system"]
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    admissionReviewVersions: ["v1"]
    sideEffects: None
    failurePolicy: Fail
```

failurePolicy: Fail is the right default for a security control: with Ignore, any webhook outage lets unswapped images through. The price is that the excluded namespaces keep pulling their images directly, so keep that list as short as possible.
Use image swapping in a namespace. The namespace label matches the namespaceSelector in the ConfigMap above, and the Deployment carries the selector and pod labels that apps/v1 requires:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: my-app
  labels:
    enable-mirroring: "true"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: my-app
spec:
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: app
          # Original image: resolves to docker.io/library/nginx:latest and is swapped
          # to its mirrored reference at admission time. Prefer a pinned tag or digest
          # over latest so the mirrored copy is reproducible.
          image: nginx:latest
```
Summary
| Aspect | Details |
|---|---|
| Release Date | July 28, 2023 |
| Headline Features | Automatic image mirroring, security scanning integration, image swapping, policy management |
| Why it Matters | Automated mirroring, scanning and policy enforcement for container images, which improves a cluster's security posture and gives auditors evidence of what actually ran |
Image Swapper 1.0 gives teams automated mirroring, security scanning and policy enforcement for container images, tightening a cluster's image supply chain without changes to application manifests.