Biswajit_86

Reputation: 3739

Kubernetes: Mechanism to prevent pods with certain images on certain clusters

In our Kubernetes cluster setup, we normally have 2 types of setups: prod and dev. The clusters have tags/labels as well as env variables to identify them as such.

Some of our images are designed for dev but not prod and vice-versa (the differences are in the custom binaries that are installed within the org). Right now, when the pods start, they do not fail at startup but are functionally useless because the correct binaries are missing. Is there a way to prevent a prod pod from starting with an image named dev (and vice-versa)?

Upvotes: 1

Views: 189

Answers (1)

P....

Reputation: 18351

Kubernetes provides a few ways to enforce your organizational policies; some are as follows:

Using ImagePolicyWebhook:

You can use ImagePolicyWebhook to enforce your image usage policies by doing ImageReview. More info here.

Using validation webhook:

A validation webhook intercepts the request for pod creation. You can write your business logic in the webhook code, and it will enforce it using the admission review. You can find more here and here.

Using OPA Gatekeeper:

Alternatively, you may use OPA Gatekeeper for policy enforcement. You can get more info here.

Note that each option listed above is a huge topic on its own. You might need to choose the best-suited option for your use case.

Upvotes: 3
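As an added example (not part of the answer above, and not code from any of the projects it links), here is the core of the "validation webhook" option in Go: a function that decodes an `AdmissionReview` for a Pod, checks every container and init container image against the cluster's environment, and returns a denial with a reason when an image is marked for the other environment. It assumes an image naming convention where the repository name or the tag ends in `-dev` or `-prod` (e.g. `team/app-dev:1.2.3` or `app:1.2.3-prod`), that the cluster's environment is exposed to the webhook as an env variable named `CLUSTER_ENV` (the question says such variables exist; the name is an assumption), and it hand-rolls a minimal subset of the `admission.k8s.io/v1` wire format instead of importing the Kubernetes client packages so that it runs stand-alone. Unmarked images are allowed, since the question says only some images are environment-specific.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Hand-rolled subset of the AdmissionReview v1 wire format (an assumption that covers
// only the fields this check needs; a real webhook would import k8s.io/api/admission/v1).
// encoding/json matches keys case-insensitively on decode, so only encoded fields carry tags.
type admissionReview struct {
	APIVersion string    `json:"apiVersion"`
	Kind       string    `json:"kind"`
	Request    *request  `json:"request,omitempty"`
	Response   *response `json:"response,omitempty"`
}
type request struct {
	UID    string
	Object json.RawMessage // the Pod object being admitted
}
type response struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *status `json:"status,omitempty"`
}
type status struct {
	Code    int    `json:"code"`
	Message string `json:"message"`
}
type container struct{ Name, Image string }
type pod struct{ Spec struct{ InitContainers, Containers []container } }

// imageEnv returns "dev" or "prod" when the image carries that marker as a suffix of its
// repository name (team/app-dev) or its tag (app:1.2.3-dev), and "" for unmarked images.
// The convention is an assumption; adapt it to the org's registry layout.
func imageEnv(image string) string {
	if at := strings.Index(image, "@"); at >= 0 { // drop a digest: image@sha256:...
		image = image[:at]
	}
	repo, tag := image, ""
	// A ':' after the last '/' separates the tag; an earlier ':' is a registry port.
	if colon := strings.LastIndex(image, ":"); colon > strings.LastIndex(image, "/") {
		repo, tag = image[:colon], image[colon+1:]
	}
	for _, env := range []string{"dev", "prod"} {
		if strings.HasSuffix(repo, "-"+env) || strings.HasSuffix(tag, "-"+env) {
			return env
		}
	}
	return ""
}

// checkImages denies the pod if any init container or container uses an image marked
// for a different environment than the cluster; it returns (allowed, reason).
func checkImages(p pod, clusterEnv string) (bool, string) {
	all := append([]container{}, p.Spec.InitContainers...)
	for _, c := range append(all, p.Spec.Containers...) {
		if env := imageEnv(c.Image); env != "" && env != clusterEnv {
			return false, fmt.Sprintf("container %q uses %s image %q on a %s cluster", c.Name, env, c.Image, clusterEnv)
		}
	}
	return true, ""
}

// review decodes an AdmissionReview, validates the embedded Pod and builds the response
// that the API server expects (same apiVersion/kind, request UID echoed back).
func review(body []byte, clusterEnv string) (admissionReview, error) {
	var ar admissionReview
	if err := json.Unmarshal(body, &ar); err != nil {
		return ar, err
	}
	if ar.Request == nil {
		return ar, fmt.Errorf("AdmissionReview has no request")
	}
	var p pod
	if err := json.Unmarshal(ar.Request.Object, &p); err != nil {
		return ar, err
	}
	allowed, reason := checkImages(p, clusterEnv)
	out := admissionReview{APIVersion: ar.APIVersion, Kind: ar.Kind,
		Response: &response{UID: ar.Request.UID, Allowed: allowed}}
	if !allowed {
		out.Response.Status = &status{Code: 403, Message: reason} // surfaced by kubectl as the rejection reason
	}
	return out, nil
}

// Constructed sample request: a dev-marked app image plus an unmarked init image.
const sampleReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview",
"request":{"uid":"00000000-constructed","object":{"spec":{
"initContainers":[{"name":"init","image":"registry.example.com/base/tools:1.0"}],
"containers":[{"name":"app","image":"registry.example.com:5000/team/app-dev:1.2.3"}]}}}}`

func main() {
	env := os.Getenv("CLUSTER_ENV") // assumed name of the cluster-identifying env var
	if env == "" {
		env = "prod" // offline demo: evaluate the constructed sample as if on a prod cluster
	}
	out, err := review([]byte(sampleReview), env)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	b, _ := json.MarshalIndent(out, "", "  ")
	fmt.Println(string(b))
}
```

To turn this into a real webhook, wrap `review` in an `http.HandlerFunc` served over TLS and point a `ValidatingWebhookConfiguration` at it for `CREATE` on `pods`. Set `failurePolicy: Fail` so that an unreachable webhook blocks pod creation rather than silently admitting mismatched images, and keep the check on init containers: a dev-only init image on a prod cluster is exactly the "starts but is functionally useless" case the question describes. The same policy expressed as a Gatekeeper `ConstraintTemplate` in Rego would inspect the same two container lists.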
