Running remote IDEs using DevPod (4 of 5)

Now that software engineers can create their own namespace and are automatically granted cluster-admin permissions within it, we can move on to authentication.

DevPod builds the IDE image from a few fields in the .devcontainer.json we configured earlier. It hashes the configuration it reads from that file and uses the hash as the image tag when pushing the image to the remote registry. This ensures that an image for a given configuration is built only once; afterwards it is simply pulled.

Syncing the registry credentials

One of our requirements, however, is the use of a private registry. DevPod itself offers no way to configure the imagePullSecrets needed to authenticate against the remote registry where our images are stored.

First, we'll use Kyverno to automatically sync the registry credentials into each newly created namespace. We do this with a ClusterPolicy that clones the secret from another namespace. In our default namespace we already have a secret named credentials of type kubernetes.io/dockerconfigjson that we'll use as the source.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: create-image-pull-secret
spec:
  # Admission-time only: request.userInfo is not available in background scans
  background: false
  rules:
  - name: create-image-pull-secret
    match:
      any:
      - resources:
          kinds:
          - Namespace
    preconditions:
      any:
      - key: "{{request.userInfo.groups}}"
        operator: AnyIn
        value:
        - software-engineers
    generate:
      apiVersion: v1
      kind: Secret
      name: credentials
      # Target the namespace that is being created
      namespace: "{{request.object.metadata.name}}"
      # Keep the clone updated when the source secret changes
      synchronize: true
      clone:
        namespace: default
        name: credentials

With this ClusterPolicy, every namespace created by a member of the software-engineers group automatically gets the credentials secret from the default namespace cloned into it.

Patching Pods with the imagePullSecrets

Next, we want to automatically patch the Pods that DevPod creates with the imagePullSecret that now exists in the namespace. We do this with a strategic merge patch that adds the secret to any Pod that has a container whose image comes from our private registry.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: patch-imagepullsecrets
spec:
  # Admission-time only: request.userInfo is not available in background scans
  background: false
  rules:
  - name: patch-imagepullsecret
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      any:
      - key: "{{request.userInfo.groups}}"
        operator: AnyIn
        value:
        - software-engineers
    mutate:
      patchStrategicMerge:
        spec:
          containers:
          # Conditional anchor: only patch when a container image matches this glob
          - <(image): "ghcr.io/yp28/*"
          imagePullSecrets:
          - name: credentials

As before, this rule only applies to Pods created by users in the software-engineers group.
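To confirm that the mutation actually lands on running Pods, the following added check (not part of the original post, nor of DevPod or Kyverno) audits the JSON that `kubectl get pods -A -o json` produces and reports Pods that pull from the private registry without referencing the pull secret. It reuses the registry glob ghcr.io/yp28/* and the secret name credentials from the policies above; the embedded Pod JSON is constructed sample data. Note that the policy's anchor only inspects spec.containers, so a Pod whose only private image is in an initContainer would not be patched; the check flags that case by default.

```python
"""Audit Pods for the imagePullSecret that the Kyverno mutate policy should add."""
import fnmatch
import json

PRIVATE_IMAGE_GLOB = "ghcr.io/yp28/*"   # same pattern as the policy's <(image) anchor
PULL_SECRET = "credentials"              # secret name cloned by the generate policy


def uses_private_registry(pod: dict, include_init: bool = True) -> bool:
    """True if any container image matches the private registry glob.

    The policy on this page only anchors on spec.containers; pass
    include_init=False to mirror that behaviour exactly.
    """
    spec = pod.get("spec", {})
    containers = list(spec.get("containers", []))
    if include_init:
        containers += spec.get("initContainers", [])
    return any(fnmatch.fnmatchcase(c.get("image", ""), PRIVATE_IMAGE_GLOB)
               for c in containers)


def missing_pull_secret(pods_json: str, include_init: bool = True) -> list[str]:
    """Return 'namespace/name' of Pods that need the pull secret but lack it."""
    findings = []
    for pod in json.loads(pods_json).get("items", []):
        if not uses_private_registry(pod, include_init):
            continue
        secrets = {s.get("name") for s in pod["spec"].get("imagePullSecrets", [])}
        if PULL_SECRET not in secrets:
            meta = pod["metadata"]
            findings.append(f"{meta['namespace']}/{meta['name']}")
    return findings


# Constructed sample of `kubectl get pods -A -o json` output (not real cluster data).
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "alice", "name": "devpod-ok"},
     "spec": {"containers": [{"image": "ghcr.io/yp28/devcontainer:abc123"}],
              "imagePullSecrets": [{"name": "credentials"}]}},
    {"metadata": {"namespace": "bob", "name": "devpod-unpatched"},
     "spec": {"containers": [{"image": "ghcr.io/yp28/devcontainer:def456"}]}},
    {"metadata": {"namespace": "carol", "name": "init-only"},
     "spec": {"initContainers": [{"image": "ghcr.io/yp28/bootstrap:1"}],
              "containers": [{"image": "docker.io/library/busybox:1.36"}]}},
]})

if __name__ == "__main__":
    for ref in missing_pull_secret(SAMPLE_PODS):
        print(f"missing imagePullSecret '{PULL_SECRET}': {ref}")
```

Run it against a live cluster with `kubectl get pods -A -o json | python3 audit.py` after swapping the sample for `sys.stdin.read()`.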

Continue in part 5 of Running remote IDEs using DevPod