如何仅从私有Docker注册表中拉取图像?

huangapple go评论63阅读模式
英文:

How to pull images from private docker registry only?

问题

有没有办法只从私有注册表拉取图像并阻止从公共注册表Docker Hub拉取图像?

我正在使用Nexus注册表,我已经成功配置并从中拉取图像。我正在尝试实现一种只能从我的私有注册表推送图像的方法,以便跟踪我正在使用的Docker图像,然后对其进行安全分析。但我仍然可以从我的计算机中拉取Docker Hub的图像。有没有办法阻止这个?

英文:

is there a way to only pull images from a private registry and blocking pulling images from the public registry, docker hub?

I'm using a Nexus registry that I was able to configure and pull images from. I'm trying to implement a way of only push images from my private registry so I can track what docker images I'm using and after that, apply some security analysis in that. But I can still pull images from docker hub in my computer. Is there a way to block that?

答案1

得分: 0

以下是翻译好的部分:

  • I assume here you are using Kubernetes:

    • 我假设你在使用Kubernetes:
  • Use an admission controller on the cluster that rewrite Pod spec to your internal registry:

    • 在集群上使用一个准入控制器,将Pod规范重写为内部注册表:
  • Container Runtimes have nowadays options to restrict registries, cri-o and containerd have this option:

    • 容器运行时现在具有限制注册表的选项,cri-o和containerd都具有此选项。
  • If you are using something like CNCF Harbor [1], [2] you can create proxies for 3rd party registries and then use Kyverno to rewrite the Pod spec:

    • 如果你正在使用类似CNCF Harbor的东西[1],[2],你可以为第三方注册表创建代理,然后使用Kyverno重写Pod规范。
  • Replace Image Registry with Kyverno:

    • 用Kyverno替换镜像注册表:
  • Rather than blocking Pods which come from outside registries, it is also possible to mutate them, so the pulls are directed to approved registries:

    • 与其阻止来自外部注册表的Pods,还可以对它们进行变异,以便将数据拉取到经批准的注册表中。
  • In some cases, those registries may function as pull-through proxies and can fetch the image if not cached:

    • 在某些情况下,这些注册表可能充当拉取代理,并且如果未缓存,它们可以获取镜像。
  • This policy mutates all images either in the form 'image:tag' or 'example.container-registry.com/image:tag' to be myregistry.corp.com/. Any path in the image name will be preserved:

    • 该策略将所有形式为'图像:标签'或'example.container-registry.com/图像:标签'的图像变异为myregistry.corp.com/。图像名称中的任何路径将被保留。
  • Note that this mutates Pods directly and not their controllers. It can be changed if desired, but if so, may need not match on Pods:

    • 请注意,这会直接变异Pod,而不是它们的控制器。如果需要,可以进行更改,但如果这样做,可能不需要匹配Pod。
  • This repo here has some examples: https://github.com/jvanzyl/kyverno-registries

    • 这个存储库中有一些示例:https://github.com/jvanzyl/kyverno-registries
英文:

There are different ways, how you can do it.

I assume here you are using Kubernetes:

  1. Use an admission controller on the cluster that rewrite Pod spec to your internal registry
  2. Container Runtimes have nowadays options to restrict registries, cri-o and containerd have this option.

If you are using something like CNCF Harbor [1], [2] you can create proxies for 3rd party registries and then user Kyverno to rewrite the Pod spec.

Replace Image Registry with Kyverno

Rather than blocking Pods which come from outside registries, it is also possible to mutate them, so the pulls are directed to approved registries. In some cases, those registries may function as pull-through proxies and can fetch the image if not cached. This policy mutates all images either in the form 'image:tag' or 'example.container-registry.com/image:tag' to be myregistry.corp.com/. Any path in the image name will be preserved. Note that this mutates Pods directly and not their controllers. It can be changed if desired, but if so, may need not match on Pods.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: replace-image-registries
spec:
  background: false
  rules:
    # We only allow a known set of approved registries to be used in our clusters
    - name: validate-registries
      match:
        resources:
          kinds:
          - Pod
      validate:
        message: "Unapproved image registry."
        pattern:
          spec:
            containers:
            - image: "example.container-registry.com/* | quay.io/* | gcr.io/* | ghcr.io/* | docker.io/*"

    # Rewrite all the references for our approved external registries
    - name: replace-registries
      match:
        resources:
          kinds:
          - Pod
      mutate:
        patchStrategicMerge:
          spec:
            containers:
            - (name): "*"
              image: |-
                                {{ regex_replace_all('(quay.io|gcr.io|ghcr.io|docker.io)/(.*)', '{{@}}', 'example.container-registry.com/$1/$2') }}

    # At this point we expect everything that has a registry prefix to have been transformed
    # example.container-registry.com.*. We are left with references like:
    #
    # - velero/velero:v1.6.2
    # - nginx:latest
    # - nginx
    #
    # Without interfering with our newly rewritten references that start with example.container-registry.com
    - name: replace-docker
      match:
        resources:
          kinds:
          - Pod
      mutate:
        patchStrategicMerge:
          spec:
            containers:
            - (name): "*"
              image: |-
                                {{ regex_replace_all('^([^example.container-registry.com].*)', '{{@}}', 'example.container-registry.com/docker.io/$1') }}

This repo here has some examples: https://github.com/jvanzyl/kyverno-registries

huangapple
  • 本文由 发表于 2023年2月8日 18:00:23
  • 转载请务必保留本文链接:https://go.coder-hub.com/75384087.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定