Now that software engineers are able to create their own namespace, and are automatically granted cluster-admin permissions within it, we can move on to authentication.
DevPod builds the IDE image based on a few fields in the `.devcontainer.json` that we configured earlier. It hashes the configuration it reads from that file and uses the hash as the image tag when it pushes the image to the remote registry. This ensures that an image for a given configuration is built only once; afterwards it can be reused by simply pulling the image.
Syncing the registry credentials
One of our requirements, however, is the use of a private registry, and the DevPod application does not let you configure the `imagePullSecrets` needed to authenticate against the remote registry where our images are stored.
First, we'll use Kyverno to automatically sync the registry credentials to the newly created namespace. We do this by creating a `ClusterPolicy` that clones the secret from another namespace. In our `default` namespace we already have a `kubernetes.io/dockerconfigjson` type secret named `credentials` that we'll use as the source.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: create-image-pull-secret
spec:
  rules:
    - name: create-image-pull-secret
      match:
        any:
          - resources:
              kinds:
                - Namespace
      preconditions:
        any:
          - key: "{{request.userInfo.groups}}"
            operator: AnyIn
            value:
              - software-engineers
      generate:
        apiVersion: v1
        kind: Secret
        name: credentials
        namespace: "{{request.object.metadata.name}}"
        synchronize: true
        clone:
          namespace: default
          name: credentials
```
With this `ClusterPolicy`, every namespace created by a person in the `software-engineers` group automatically has the `credentials` secret from the `default` namespace synced into it.
Patching Pods with the imagePullSecrets
Now we want to automatically patch the Pods that DevPod creates so they reference the `imagePullSecret` that was synced into the namespace. We do this with a strategic merge patch that adds the secret to the spec of any Pod containing a container whose image targets our private registry.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: patch-imagepullsecrets
spec:
  background: false
  rules:
    - name: patch-imagepullsecret
      match:
        any:
          - resources:
              kinds:
                - Pod
      preconditions:
        any:
          - key: "{{request.userInfo.groups}}"
            operator: AnyIn
            value:
              - software-engineers
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              - <(image): "ghcr.io/yp28/*"
            imagePullSecrets:
              - name: credentials
```
Again, we limit this behaviour to Pods created by people in the `software-engineers` group.
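The two policies only work together when both conditions line up: the generate rule keys on who created the namespace, the mutate rule on who created the Pod. The following Python model (added here, not DevPod or Kyverno code) replays the preconditions and the `<(image)` anchor from the two policies above on a constructed Pod, so you can see which combinations actually end in a successful pull. It assumes Kyverno's `*` wildcard matches like `fnmatch` (including `/`) and that DevPod's Pod is created under the engineer's own identity, as the text describes.

```python
import copy
from fnmatch import fnmatchcase

# Values taken from the two ClusterPolicies on this page.
REQUIRED_GROUP = "software-engineers"
PRIVATE_IMAGE_PATTERN = "ghcr.io/yp28/*"
PULL_SECRET = "credentials"


def in_group(user_groups):
    """Models the AnyIn precondition on request.userInfo.groups used by both rules."""
    return REQUIRED_GROUP in user_groups


def targets_private_registry(pod):
    """Models the <(image) conditional anchor: true if any container image matches
    the wildcard (assumption: Kyverno's '*' behaves like fnmatch, '/' included)."""
    containers = pod.get("spec", {}).get("containers", [])
    return any(fnmatchcase(c.get("image", ""), PRIVATE_IMAGE_PATTERN) for c in containers)


def namespace_has_secret(namespace_creator_groups):
    """Models the generate rule: the secret is cloned only when the *namespace*
    was created by a member of the group."""
    return in_group(namespace_creator_groups)


def patch_pod(pod, pod_creator_groups):
    """Models the mutate rule. imagePullSecrets is a pod-level, name-keyed list,
    so the strategic merge adds the entry once and never duplicates it."""
    patched = copy.deepcopy(pod)
    if not (in_group(pod_creator_groups) and targets_private_registry(pod)):
        return patched
    secrets = patched["spec"].setdefault("imagePullSecrets", [])
    if not any(s.get("name") == PULL_SECRET for s in secrets):
        secrets.append({"name": PULL_SECRET})
    return patched


def can_pull(pod, namespace_creator_groups, pod_creator_groups):
    """A private image pulls only if the Pod references the secret AND the secret
    exists in the namespace; the two rules key on different admission requests."""
    patched = patch_pod(pod, pod_creator_groups)
    if not targets_private_registry(patched):
        return True  # public image, no credentials needed
    references = any(s.get("name") == PULL_SECRET
                     for s in patched["spec"].get("imagePullSecrets", []))
    return references and namespace_has_secret(namespace_creator_groups)


# Constructed sample Pod resembling what DevPod would create (tag is a placeholder hash).
DEVPOD_POD = {"spec": {"containers": [{"name": "ide", "image": "ghcr.io/yp28/devpod-ide:abc123"}]}}
```

The case to watch for is a namespace that was created by an admin outside the group: the Pod still gets patched, but the secret was never synced, so the pull fails.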