Page MenuHomePhabricator
Create Task
Maniphest T133515

Write a k8s admission controller to enforce that all containers running come from our private repository
Closed, ResolvedPublic
Actions

Description

Right now we still run some containers from dockerhub (nagf?) and some from gcr.io (the 'pause' container). We need to move both of those off and then write an admission controller that only allows containers from docker-registry.tools.wmflabs.org to run.

Details

SubjectRepoBranchLines +/-
tools: Enable the Registry Enforceroperations/puppetproduction+8 -5
Customize query in gerrit

Related Objects
Search...

Event Timeline

yuvipanda created this task.Apr 25 2016, 1:49 AM
Restricted Application added a project: Cloud-Services. · View Herald TranscriptApr 25 2016, 1:49 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
yuvipanda added a parent task: T129309: Goal: Allow using k8s instead of GridEngine as a backend for webservices.Apr 28 2016, 11:48 AM
yuvipanda created subtask T133873: Use a 'pause' container from our private repo, not gcr.io.Apr 28 2016, 11:53 AM
MoritzMuehlenhoff subscribed.Apr 28 2016, 11:56 AM
yuvipanda added a parent task: T133999: Provision a .kube/config file for all tools.Apr 29 2016, 7:13 PM
yuvipanda claimed this task.May 2 2016, 3:42 PM
Joe subscribed.May 2 2016, 4:18 PM
yuvipanda added a subscriber: Krinkle.May 3 2016, 11:42 AM

I've eliminated all running dockerhub based containers now \o/ This was just moving a few straggles in the PAWS infrastructure to our repo as well as moving @Krinkle's nagf to our repo.

gerritbot subscribed.May 9 2016, 10:05 AM

Change 287572 had a related patch set uploaded (by Yuvipanda):
Add a registry enforcer tests

https://gerrit.wikimedia.org/r/287572

gerritbot added a project: Patch-For-Review.May 9 2016, 10:05 AM
yuvipanda added a comment.May 9 2016, 10:57 AM

Nagf has been moved as well.

yuvipanda closed subtask T133873: Use a 'pause' container from our private repo, not gcr.io as Resolved.May 9 2016, 11:28 AM
gerritbot added a comment.May 13 2016, 1:35 AM

Change 288563 had a related patch set uploaded (by Yuvipanda):
tools: Enable the Registry Enforcer

https://gerrit.wikimedia.org/r/288563

gerritbot added a comment.May 13 2016, 1:46 AM

Change 288563 merged by Yuvipanda:
tools: Enable the Registry Enforcer

https://gerrit.wikimedia.org/r/288563

yuvipanda mentioned this in rOPUPae3d9f7d1702: tools: Enable the Registry Enforcer.May 13 2016, 1:50 AM
yuvipanda added a comment.May 13 2016, 1:54 AM

When attempting to use gcr.io containers...

root@tools-k8s-master-01:/home/yuvipanda# kubectl --namespace=kube-system describe rc/kube-dns-v9
Name:		kube-dns-v9
Namespace:	kube-system
Image(s):	gcr.io/google_containers/etcd:2.0.9,gcr.io/google_containers/kube2sky:1.11,gcr.io/google_containers/skydns:2015-10-13-8c72f8c,gcr.io/google_containers/exechealthz:1.0
Selector:	k8s-app=kube-dns,version=v9
Labels:		k8s-app=kube-dns,kubernetes.io/cluster-service=true,version=v9
Replicas:	0 current / 1 desired
Pods Status:	0 Running / 0 Waiting / 0 Succeeded / 0 Failed
Volumes:
  etcd-storage:
    Type:	EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:	
  ca:
    Type:	HostPath (bare host directory volume)
    Path:	/etc/ssl/certs
Events:
  FirstSeen	LastSeen	Count	From				SubobjectPath	Type		Reason		Message
  ---------	--------	-----	----				-------------	--------	------		-------
  33s		29s		3	{replication-controller }			Warning		FailedCreate	Error creating: Attempt to use docker image not in approved registry

\o/

yuvipanda closed this task as Resolved.May 13 2016, 1:59 AM

Aaaand, works otherwise! \o/

I call this done now.

yuvipanda mentioned this in rOPUPde803881644c: tools: Enable the Registry Enforcer.Jun 17 2016, 6:09 PM
yuvipanda mentioned this in rOPUP71f06fc35f5c: tools: Enable the Registry Enforcer.
yuvipanda mentioned this in rOPUP6abaacb09820: tools: Enable the Registry Enforcer.
Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:43 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL