
google / k8s-digester

License: Apache-2.0
Add digests to container and init container images in Kubernetes pod and pod template specs. Use either as a mutating admission webhook, or as a client-side KRM function with kpt or kustomize.



Digester

Digester resolves tags to digests for container and init container images in Kubernetes Pod and Pod template specs. A tag is a mutable pointer that the registry owner (or anyone who can push to the repository) can repoint at different content at any time; a digest is a content address, so a reference pinned by digest always runs exactly the image that was reviewed.

It replaces container image references that use tags:

spec:
  containers:
  - image: gcr.io/google-containers/echoserver:1.10

With references that use the image digest:

spec:
  containers:
  - image: gcr.io/google-containers/echoserver:1.10@sha256:cb5c1bddd1b5665e1867a7fa1b5fa843a47ee433bbb75d4293888b71def53229

Digester can run either as a mutating admission webhook in a Kubernetes cluster, or as a client-side Kubernetes Resource Model (KRM) function with the kpt or kustomize command-line tools.

If a tag points to an image index or manifest list, digester resolves the tag to the digest of the image index or manifest list itself, not to the digest of one platform-specific manifest inside it. The pinned reference therefore still works on clusters with mixed node architectures.

The webhook is opt-in per namespace: it only mutates Pods in namespaces that carry the digest-resolution=enabled label (see Deploying the webhook).

If you use Binary Authorization, digester helps ensure that only verified container images are deployed to your clusters. A Binary Authorization attestation is bound to one specific container image digest, so a Pod must reference its images by digest for Binary Authorization to verify the attestations; a tag-only reference cannot be matched to an attestation. Digester performs that tag-to-digest resolution for you, either on the client side before apply or in the cluster at admission time.
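As an added example (not code from the digester project), the rewrite described above in Go, using an in-memory stand-in for a registry so that it runs offline. The names FakeRegistry, LookupFake and SamplePod, and the manifest and index JSON they hold, are constructed for this example; digester's own resolver queries the real registry. The example shows the three cases a resolver has to get right: a plain tag, a tag that points at a multi-platform image index (pinned to the index digest, not to one platform's manifest), and a reference that is already pinned and must be left alone.

```go
// Added example, not digester's own code. FakeRegistry, LookupFake and
// SamplePod are constructed stand-ins; there is no network access.
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Container carries the one field of a Kubernetes container spec we rewrite.
type Container struct {
	Name  string `json:"name"`
	Image string `json:"image"`
}

// PodSpec holds the two container lists digester mutates.
type PodSpec struct {
	InitContainers []Container `json:"initContainers,omitempty"`
	Containers     []Container `json:"containers"`
}

// Resolver returns the raw manifest (or image index) bytes a registry
// serves for a tagged reference.
type Resolver func(ref string) ([]byte, error)

// DigestOf computes a registry content digest: SHA-256 over the exact
// bytes served, formatted "sha256:<hex>". For an image index this is the
// digest of the index itself, not of any platform manifest it lists.
func DigestOf(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// HasDigest reports whether a reference is already pinned by digest.
func HasDigest(ref string) bool { return strings.Contains(ref, "@sha256:") }

// WithDigest appends "@<digest>" to a tagged reference, keeping the tag for
// readability (repo:tag@sha256:...). Pinned references are returned as-is.
func WithDigest(ref, digest string) string {
	if HasDigest(ref) {
		return ref
	}
	return ref + "@" + digest
}

// ResolveImages rewrites every container and init container image in place.
// Pinned images are skipped, so a second run is a no-op; an unresolvable
// tag fails the whole spec rather than leaving it half-pinned.
func ResolveImages(spec *PodSpec, resolve Resolver) error {
	lists := [][]Container{spec.InitContainers, spec.Containers}
	for _, list := range lists {
		for i := range list {
			ref := list[i].Image
			if HasDigest(ref) {
				continue
			}
			raw, err := resolve(ref)
			if err != nil {
				return fmt.Errorf("resolving %q: %w", ref, err)
			}
			list[i].Image = WithDigest(ref, DigestOf(raw))
		}
	}
	return nil
}

// FakeRegistry is a constructed stand-in for a registry (no real images):
// one single-platform manifest and one multi-platform image index.
var FakeRegistry = map[string][]byte{
	"registry.example/app:1.0": []byte(`{"schemaVersion":2,` +
		`"mediaType":"application/vnd.oci.image.manifest.v1+json",` +
		`"config":{"digest":"sha256:aaaa"},"layers":[]}`),
	"registry.example/base:latest": []byte(`{"schemaVersion":2,` +
		`"mediaType":"application/vnd.oci.image.index.v1+json",` +
		`"manifests":[{"platform":{"os":"linux","architecture":"amd64"},"digest":"sha256:bbbb"},` +
		`{"platform":{"os":"linux","architecture":"arm64"},"digest":"sha256:cccc"}]}`),
}

// LookupFake is the Resolver backed by FakeRegistry.
func LookupFake(ref string) ([]byte, error) {
	raw, ok := FakeRegistry[ref]
	if !ok {
		return nil, fmt.Errorf("manifest unknown for %s", ref)
	}
	return raw, nil
}

// SamplePod is a constructed Pod spec: an init container using the index,
// an app container using a tag, and one container that is already pinned.
var SamplePod = `{"initContainers":[{"name":"init","image":"registry.example/base:latest"}],` +
	`"containers":[{"name":"app","image":"registry.example/app:1.0"},` +
	`{"name":"pinned","image":"registry.example/app:1.0@sha256:` + strings.Repeat("0", 64) + `"}]}`

func main() {
	var spec PodSpec
	if err := json.Unmarshal([]byte(SamplePod), &spec); err != nil {
		panic(err)
	}
	if err := ResolveImages(&spec, LookupFake); err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(spec, "", "  ")
	fmt.Println(string(out))
}
```

On a real cluster the same check can be done after the fact: `kubectl get pods -n NAMESPACE -o jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}'` should list only references containing `@sha256:` once the webhook or KRM function has run; any bare tag in that output is an image Binary Authorization cannot attest.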

Running the KRM function

  1. Download the digester binary for your platform from the Releases page.

    Alternatively, you can download the latest version using these commands:

    VERSION=v0.1.10
    curl -Lo digester "https://github.com/google/k8s-digester/releases/download/${VERSION}/digester_$(uname -s)_$(uname -m)"
    chmod +x digester
  2. Install kpt v1.0.0-beta.1 or later, and/or install kustomize v3.7.0 or later.

  3. Run the digester KRM function using either kpt or kustomize:

    • Using kpt:

      kpt fn eval [manifest directory] --exec ./digester
    • Using kustomize:

      kustomize fn run [manifest directory] --enable-exec --exec-path ./digester

    Because it runs as a local executable rather than in a container, the digester KRM function has access to the container image registry credentials in the current environment, such as the current user's Docker config file and credential helpers. For more information, see the digester documentation on Authenticating to container image registries.

Deploying the webhook

The digester webhook requires Kubernetes v1.16 or later.

  1. If you use Google Kubernetes Engine (GKE), grant yourself the cluster-admin Kubernetes cluster role; installing the webhook creates cluster-scoped resources such as the MutatingWebhookConfiguration:

    kubectl create clusterrolebinding cluster-admin-binding \
        --clusterrole cluster-admin \
        --user "$(gcloud config get core/account)"
  2. Install the digester webhook in your Kubernetes cluster:

    VERSION=v0.1.10
    kubectl apply -k "https://github.com/google/k8s-digester.git/manifests/?ref=${VERSION}"
  3. Add the digest-resolution: enabled label to namespaces where you want the webhook to resolve tags to digests:

    kubectl label namespace [NAMESPACE] digest-resolution=enabled

To configure how the webhook authenticates to your container image registries, see the documentation on Authenticating to container image registries.

If you want to install the webhook using kpt, follow the steps in the package documentation.

If you want to apply a pre-rendered manifest, you can download an all-in-one manifest file for a released version from the Releases page.

Private clusters

If you install the webhook in a private Google Kubernetes Engine (GKE) cluster, you must add a firewall rule. In a private cluster, the nodes only have internal IP addresses, and the control plane can reach them only on the ports GKE opens by default (TCP 443 and 10250). The firewall rule allows the API server to reach the webhook, which listens on port 8443 on the cluster nodes; without it, admission requests time out and Pod creation in labelled namespaces fails.

  1. Create an environment variable called CLUSTER. The value is the name of your cluster that you see when you run gcloud container clusters list:

    CLUSTER=[your private GKE cluster name]
  2. Look up the IP address range for the cluster API server and store it in an environment variable:

    API_SERVER_CIDR=$(gcloud container clusters describe $CLUSTER \
        --format 'value(privateClusterConfig.masterIpv4CidrBlock)')
  3. Look up the network tags for your cluster nodes and store them comma-separated in an environment variable:

    TARGET_TAGS=$(gcloud compute firewall-rules list \
        --filter "name~^gke-$CLUSTER" \
        --format 'value(targetTags)' | uniq | paste -d, -s -)
  4. Create a firewall rule that allows traffic from the API server to the cluster nodes on TCP port 8443:

    gcloud compute firewall-rules create allow-api-server-to-digester-webhook \
        --action ALLOW \
        --direction INGRESS \
        --source-ranges "$API_SERVER_CIDR" \
        --rules tcp:8443 \
        --target-tags "$TARGET_TAGS"

You can read more about private cluster firewall rules in the GKE private cluster documentation.

Documentation

Disclaimer

This is not an officially supported Google product.
