Contents:
- Tanzu Mission Control - Image Policies Lab Guide
- Introduction
- Lab Exercises
- Step 1: Go to the page of policies and select Image Policy
- Step 2: create an image policy
- Step 3: Deploying an application fails when the registry is not white listed
- Step 4: Deleting the application and image policy
- Step 5: Deploying an application succeeds when image policy is not present
- Validate Lab Guide
- Thank you for completing the Tanzu Mission Control - Image Policies Lab Guide!
Image Policy is a type of policy that regulates the behaviors of pulling images with a whitelist of image registry patterns that represent registry domains from which images are allowed to be pulled. This document is intended to provide a guide to exploring basic usages of image policies in TMC through its UI.
This lab has a completion difficulty of Partial. Please see the rubrik below for an explanation of lab completion difficulty rankings
Lab Completion Difficulty Rankings:
- Difficulty Levels:
Complete- A lab guide with a difficulty of
Completeincludes comprehensive, click-by-click instructions, usually with a screenshot for every command entered. Complete labs must be associated with an online lab environment fully prepped to execute the exact instructions provided in the lab guide. Most users could successfully execute the steps in aCompletelab guide, even if they do not have expertise in the subject, by following detailed instructions.
- A lab guide with a difficulty of
Partial- A lab guide with a difficulty of
Partialincludes full instructions to complete the exercise, with enough detail to where a user with moderate experience in the subject matter could complete the exercise.Partiallab guides provide a level of detail similar gto most typical technical documentation, where the user is expected to be able to configure their lab environment with dependencies required for the exercise, and to contextualize general instructions to the users own environment.
- A lab guide with a difficulty of
Challenge- A lab guide with a difficulty of
Challengeis designed to be technically challenging for the guide's target audience to complete.Challengelab guides do not include comprehensive instructions, and intentionally leave out details required to complete exercises as a challenge or test of the users proficiency in a topic.
- A lab guide with a difficulty of
The demo in this document is conducted with a development TMC stack in which a Kind cluster is attached.
In order to demonstrate applying an image policy on a namespace, namespace space6 under the default workspace has been created using TMC.
Screenshot
Go to the page of policies by clicking Policies.
Screenshot
Select Image Policy by clicking Image registry and then click WORKSPACES since image policies cannot be set at a cluster level.
Screenshot
Image policies can be created at an either workspace or namespace level. The policies set at a namespace and the policies set at its workspace(s) are additive for the namespace. For example, if namespace A has policy1 and namespace A's workspace E has policy2, then namespace A will have both policy1 and policy2 because it inherits policy2 from the parent workspace E.
In this step, select the workspace/namespace in which we like to set up image policies. For example, here we select the default workspace and select space6.
After selecting the workspace namespace, image policies can be added. Click ADD POLICY after specifying policy name and image registry patterns. Each image registry pattern represents one or more registry domains from which images can be pulled for deployment in the workspace/namespace.
Screenshot
As shown in the screenshot above, Wild Card matching is an optional feature supported by TMC. For example, ".bintray.io" is allowed while " abc..bintray.io" and " abc.*" are not allowed.
As shown in the screenshot above, specifying port number such as "*.harbor.com:6262" is an optional feature supported by TMC. Specifying port is only needed for registries using non-standard ports.
In the attached cluster, try to create a deployment in a namespace where the policy is in effect, with an image pulled from a registry not in the image policy's registry list. For example, creating a busybox deployment as shown below. This deployment will fail as the application is pulled from docker which is not whitelisted.
kubectl apply -f imagePullingTest.yaml
Expand to see contents of imagePullingTest.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: busybox
namespace: space6
spec:
replicas: 1
selector:
matchLabels:
app: test
template:
metadata:
labels:
app: test
spec:
containers:
- image: busybox
command: [ "/bin/sh", "-c", "--" ]
args: [ "while true; printenv; do sleep 60; done;" ]
imagePullPolicy: IfNotPresent
name: busyboxWe can verify enforcement by displaying the deployment status as shown below:
kubectl get deployment busybox -n space6 -o yaml
We can see the FailedCreate condition with a message as to which images failed to validate against the image policy:
Screenshot
Run the command below to delete the demo deployment.
kubectl delete -f imagePullingTest.yaml
Delete the policy used in demo: go to the page of policies by clicking Policies in UI → click the workspace/namespace where the policy is set → click the policy and click delete.
kubectl apply -f imagePullingTest.yaml
Verify that the application is working normally.
kubectl get deployment busybox -n space6 -o yaml
Clean-up the application with the following command:
kubectl delete -f imagePullingTest.yaml
Now delete the namespace "space6" to complete the clean-up.
If you were able to complete this lab successfully without any significant problems, please sign the validate.md file located in this directory.
If you encountered any problems or have suggestions or feature requests, please open an issue ticket on this repository.
If you have any updates or improvements for this lab guide, please open a PR with your updates.