Package for the digester Kubernetes mutating admission webhook.
The digester mutating admission webhook resolves tags to digests for container and init container images in Kubernetes CronJob, Pod and Pod template specs.
The digester webhook requires Kubernetes v1.16 or later.
If you use Google Kubernetes Engine (GKE), grant yourself the cluster-admin Kubernetes cluster role:

    kubectl create clusterrolebinding cluster-admin-binding \
        --clusterrole cluster-admin \
        --user "$(gcloud config get core/account)"

To configure how the webhook authenticates to your container image registries, see the documentation on Authenticating to container image registries.
If you use a private GKE cluster, see additional steps for creating a firewall rule.
- Install kustomize.
- Apply this package:

    VERSION=v0.1.15
    kustomize build "https://github.com/google/k8s-digester.git/manifests?ref=$VERSION" | kubectl apply -f -

- Add the digest-resolution: enabled label to namespaces where you want the webhook to resolve tags to digests:

    kubectl label namespace [NAMESPACE] digest-resolution=enabled

- Install kpt v1.0.0-beta.1 or later.
- Fetch this package:

    VERSION=v0.1.15
    kpt pkg get "https://github.com/google/k8s-digester.git/manifests@${VERSION}" manifests

- Set up inventory tracking for the package:

    kubectl create namespace digester-system
    kpt live init manifests

- Apply the package:

    kpt live apply manifests --reconcile-timeout=3m --output=table

- Add the digest-resolution: enabled label to namespaces where you want the webhook to resolve tags to digests:

    kubectl label namespace [NAMESPACE] digest-resolution=enabled
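
To confirm that the webhook is rewriting images in a labelled namespace, the following check lists every container and init container image that still lacks a digest. It is an added example, not part of the digester project; the function names, the sample objects and the registry.example image names are constructed, and it assumes sha256 digests.

```python
import json
import re
import sys

# Assumption: a pinned image reference ends in an sha256 digest (64 hex chars).
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def pod_spec(obj):
    """Return the pod spec inside a Pod, a CronJob or a pod-template workload."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "Pod":
        return spec
    if obj.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})

def unpinned_images(doc):
    """List (kind/name, container, image) for every image without a digest."""
    items = doc.get("items", []) if doc.get("kind", "").endswith("List") else [doc]
    findings = []
    for obj in items:
        ident = f"{obj.get('kind')}/{obj.get('metadata', {}).get('name')}"
        spec = pod_spec(obj)
        for field in ("initContainers", "containers"):
            for c in spec.get(field) or []:
                if not DIGEST_RE.search(c.get("image", "")):
                    findings.append((ident, c.get("name"), c.get("image")))
    return findings

# Constructed sample standing in for `kubectl get pods,cronjobs,deployments -o json`.
PINNED = "registry.example/app:1.0@sha256:" + "a" * 64  # constructed digest
SAMPLE = {"kind": "List", "items": [
    {"kind": "Pod", "metadata": {"name": "web"}, "spec": {
        "initContainers": [{"name": "init", "image": "registry.example/init:1.0"}],
        "containers": [{"name": "app", "image": PINNED}]}},
    {"kind": "CronJob", "metadata": {"name": "nightly"}, "spec": {"jobTemplate": {
        "spec": {"template": {"spec": {"containers": [
            {"name": "job", "image": "registry.example/job:latest"}]}}}}}},
    {"kind": "Deployment", "metadata": {"name": "api"}, "spec": {"template": {
        "spec": {"containers": [{"name": "api", "image": PINNED}]}}}},
]}

if __name__ == "__main__":
    # With piped input, read kubectl JSON from stdin; otherwise use the sample.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ident, container, image in unpinned_images(doc):
        print(f"{ident}\t{container}\t{image}")
```

Pipe the output of kubectl get pods,cronjobs,deployments -n [NAMESPACE] -o json into the script. Objects created before the namespace was labelled were never sent through the webhook, so they appear in the output until they are recreated.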