Right now we still run some containers from dockerhub (nagf?) and some from gcr.io (the 'pause' container). We need to move both of those off and then write an admission controller that only allows containers from docker-registry.tools.wmflabs.org to run.
Details
Subject | Repo | Branch | Lines +/-
---|---|---|---
tools: Enable the Registry Enforcer | operations/puppet | production | +8 -5
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | yuvipanda | T129309 Goal: Allow using k8s instead of GridEngine as a backend for webservices
Resolved | | yuvipanda | T133999 Provision a .kube/config file for all tools
Resolved | | yuvipanda | T133515 Write a k8s admission controller to enforce that all containers running come from our private repository
Resolved | | yuvipanda | T133873 Use a 'pause' container from our private repo, not gcr.io
Event Timeline
I've eliminated all running dockerhub based containers now \o/ This was just moving a few stragglers in the PAWS infrastructure to our repo as well as moving @Krinkle's nagf to our repo.
Change 287572 had a related patch set uploaded (by Yuvipanda):
Add registry enforcer tests
Change 288563 had a related patch set uploaded (by Yuvipanda):
tools: Enable the Registry Enforcer
When attempting to use gcr.io containers...
```
root@tools-k8s-master-01:/home/yuvipanda# kubectl --namespace=kube-system describe rc/kube-dns-v9
Name:		kube-dns-v9
Namespace:	kube-system
Image(s):	gcr.io/google_containers/etcd:2.0.9,gcr.io/google_containers/kube2sky:1.11,gcr.io/google_containers/skydns:2015-10-13-8c72f8c,gcr.io/google_containers/exechealthz:1.0
Selector:	k8s-app=kube-dns,version=v9
Labels:		k8s-app=kube-dns,kubernetes.io/cluster-service=true,version=v9
Replicas:	0 current / 1 desired
Pods Status:	0 Running / 0 Waiting / 0 Succeeded / 0 Failed
Volumes:
  etcd-storage:
    Type:	EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
  ca:
    Type:	HostPath (bare host directory volume)
    Path:	/etc/ssl/certs
Events:
  FirstSeen	LastSeen	Count	From				SubobjectPath	Type		Reason		Message
  ---------	--------	-----	----				-------------	--------	------		-------
  33s		29s		3	{replication-controller }			Warning		FailedCreate	Error creating: Attempt to use docker image not in approved registry
```
\o/