-
Notifications
You must be signed in to change notification settings - Fork 34
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs: add documentation about handling mutable tags
- Loading branch information
1 parent
25fced3
commit b8a640e
Showing
1 changed file
with
38 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| # How to handle mutable tags | ||
|
|
||
| > If one deploys a statefulset for an image like postgres:15 (PostgreSQL database), kube-image-keeper will cache the postgres:15 image the moment a corresponding pod gets created. This exact image is stored inside the kuik registry. | ||
| > Now if postgres:15 gets an update, which might be important for security reasons, and a developer tries to upgrade the pods, the cached version will be used and it won't be updated to the newer, security fixed version of postgres:15. | ||
| > And that person has to watch the log outputs in depth to find out that there was no update. | ||
| > | ||
| > For mutable tags like :latest the situation can be even worse as an developer assumes imagePullPolicy: Always. But unfortunately the image never gets an update in the future while kube-image-keeper is actively caching that image. This behavior is clearly completely different from the expected default behavior of imagePullPolicy: Always. | ||
| > | ||
| > @BernhardGruen in [#156](https://github.com/enix/kube-image-keeper/issues/156) | ||
| As described in the above issue, you may want to use mutable tags, but using kuik prevent you from getting updates on those images. We have implemented two features to tackle this issue. | ||
|
|
||
| ## Filter containers based on their pull policy | ||
|
|
||
| Using the value `.Values.controllers.webhook.ignorePullPolicyAlways`, you can ignore rewriting of containers that use the `imagePullPolicy: Always`, keeping them out of kuik and thus staying on the original behavior. It will also ignore images with the tag `:latest`. | ||
|
|
||
| The caveat with this method is that you no longer cache corresponding images, so you should enable it carefully. | ||
|
|
||
| ## Periodic updates | ||
|
|
||
| Another option is to periodically update images in the cache based on rules defined in the corresponding `Repository`, using `spec.updateInterval` and `spec.updateFilters` to update `CachedImages` at regular interval. For instance, to update the `:latest` and `:15` tag every hour, you can configure your repository as following: | ||
|
|
||
| ```yaml | ||
| apiVersion: kuik.enix.io/v1alpha1 | ||
| kind: Repository | ||
| metadata: | ||
| name: docker.io-library-postgres:15 | ||
| spec: | ||
| name: docker.io/library/postgres | ||
| updateInterval: 1h | ||
| updateFilters: | ||
| - 'latest' | ||
| - '15' | ||
| ``` | ||
| You can also use regexps to match images, for instance if you want to match all major versions, you could use `:\d+$`, which wil match `:14`, `:15`, `:16` (and so on...) but not `:15.8`. | ||
|
|
||
| It will then check every hour for updates on tags matching the updateFilters and pull new version of the image if the digest has changed. |