Configuring PolicyServers to use private registries
A PolicyServer can be configured with the credentials of private OCI registries, so that it can download policies from both public and private registries.
Once a PolicyServer has access to a private registry, the policies running on it inherit that access through the policy SDKs and the lower-level host capabilities API that the PolicyServer exposes. For example, a policy that verifies the signatures of container images can then fetch those signatures from a private registry.
To achieve this, we create a Secret containing the private registry credentials and then point the PolicyServer resource, and/or the Helm chart, at it.
Creating the Secret
PolicyServers support the usual Docker config Secrets, either of type `kubernetes.io/dockercfg` or of type `kubernetes.io/dockerconfigjson`. These Secrets can be created with `kubectl create secret docker-registry`.
The secret should be created in the same namespace where you run your PolicyServer. This follows the principle of least privilege, and allows different PolicyServers to validate OCI artifacts from different registries separately.
Creating this Secret for the PolicyServer can be done with the following command:

```shell
kubectl --namespace kubewarden create secret docker-registry secret-ghcr-docker \
  --docker-username=myuser \
  --docker-password=mypass123 \
  --docker-server=myregistry.io
```

Note that `--docker-server` must match the registry host used in the policy module URIs (for example `myregistry.io` in `registry://myregistry.io/...`), since credentials are looked up by host. Passing the password as a flag also leaves it in your shell history and in the process list while the command runs; outside of a test cluster, prefer creating the Secret from an existing Docker config file with `kubectl create secret generic <name> --from-file=.dockerconfigjson=<path> --type=kubernetes.io/dockerconfigjson`. For more information on how to create Docker config Secrets, see the Kubernetes documentation.
Consuming the Secret in PolicyServers
Once you have created the Secret, configure the PolicyServer instance by setting the `spec.imagePullSecret` field to the name of the Secret that contains the credentials:
```yaml
# Example of a PolicyServer using a private registry
apiVersion: policies.kubewarden.io/v1
kind: PolicyServer
metadata:
  name: default
spec:
  image: ghcr.io/kubewarden/policy-server:v1.1.1
  serviceAccountName: policy-server
  replicas: 1
  imagePullSecret: "secret-ghcr-docker"
```

`imagePullSecret` is a direct child of `spec`; if it is indented under `spec.annotations` by mistake, the API server accepts the manifest (it becomes an ordinary annotation) and the PolicyServer silently pulls without credentials.
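The following Python script is an added example, not Kubewarden's own code. It models the Secret that `kubectl create secret docker-registry` writes and the PolicyServer manifest above, then runs the checks that catch the usual reasons a private-registry pull still fails: wrong Secret type, Secret in a different namespace from the policy-server pods, `spec.imagePullSecret` missing or mis-nested under `spec.annotations`, and no credential entry for the registry host that a policy module URI points at. The `kubewarden` namespace for the policy-server pods, the module URI `registry://myregistry.io/acme/pod-privileged:v1.0.0` and the function names are assumptions made for the example.

```python
"""Check that a PolicyServer and a Docker registry Secret fit together.

Added example (not Kubewarden's own code). It models the Secret produced by
`kubectl create secret docker-registry` and the PolicyServer manifest from the
page, then reports the mismatches that make private-registry pulls fail.
"""
import base64
import json

ALLOWED_SECRET_TYPES = {"kubernetes.io/dockerconfigjson", "kubernetes.io/dockercfg"}


def build_docker_registry_secret(name, namespace, server, username, password):
    """Model the Secret written by `kubectl create secret docker-registry`."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {server: {"username": username, "password": password, "auth": auth}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(config).encode()).decode()},
    }


def registry_host(module_uri):
    """Registry host of a policy module URI, e.g. registry://host/repo:tag -> host."""
    ref = module_uri.split("://", 1)[-1]  # drop the registry:// scheme if present
    return ref.split("/", 1)[0]


def load_auths(secret):
    """Return the registry -> credential map from either supported Secret type."""
    data = secret.get("data", {})
    if secret.get("type") == "kubernetes.io/dockerconfigjson":
        return json.loads(base64.b64decode(data[".dockerconfigjson"])).get("auths", {})
    if secret.get("type") == "kubernetes.io/dockercfg":
        # Legacy format: the whole document is the auths map.
        return json.loads(base64.b64decode(data[".dockercfg"]))
    return {}


def check_private_registry_setup(policy_server, secret, policy_server_namespace, module_uris):
    """Return a list of problems; an empty list means the setup should work."""
    problems = []
    secret_name = secret["metadata"]["name"]

    if secret.get("type") not in ALLOWED_SECRET_TYPES:
        problems.append(f"Secret {secret_name} has type {secret.get('type')!r}; "
                        "expected kubernetes.io/dockerconfigjson or kubernetes.io/dockercfg")

    # The Secret must live in the namespace where the policy-server pods run.
    if secret["metadata"].get("namespace") != policy_server_namespace:
        problems.append(f"Secret {secret_name} is in namespace "
                        f"{secret['metadata'].get('namespace')!r}, not {policy_server_namespace!r}")

    spec = policy_server.get("spec", {})
    ref = spec.get("imagePullSecret")
    if ref is None:
        problems.append("spec.imagePullSecret is not set")
        # Common YAML indentation slip: the key lands under spec.annotations, where
        # the API server accepts it silently as a plain pod annotation.
        if "imagePullSecret" in (spec.get("annotations") or {}):
            problems.append("imagePullSecret is nested under spec.annotations; "
                            "it must be a direct child of spec")
    elif ref != secret_name:
        problems.append(f"spec.imagePullSecret={ref!r} does not match Secret name {secret_name!r}")

    # Docker config credentials are selected by registry host, so every module's host needs an entry.
    auths = load_auths(secret)
    for uri in module_uris:
        host = registry_host(uri)
        entry = auths.get(host)
        if entry is None:
            problems.append(f"no credentials for {host!r} (needed by {uri})")
            continue
        try:
            user_pass = base64.b64decode(entry.get("auth", "")).decode()
        except (ValueError, UnicodeDecodeError):
            user_pass = ""
        if ":" not in user_pass:
            problems.append(f"auth entry for {host!r} is not base64(username:password)")
    return problems


# Constructed sample inputs mirroring this page's example; the module URI is hypothetical.
EXAMPLE_SECRET = build_docker_registry_secret(
    "secret-ghcr-docker", "kubewarden", "myregistry.io", "myuser", "mypass123")
EXAMPLE_POLICY_SERVER = {
    "apiVersion": "policies.kubewarden.io/v1",
    "kind": "PolicyServer",
    "metadata": {"name": "default"},
    "spec": {
        "image": "ghcr.io/kubewarden/policy-server:v1.1.1",
        "serviceAccountName": "policy-server",
        "replicas": 1,
        "imagePullSecret": "secret-ghcr-docker",
    },
}
EXAMPLE_MODULES = ["registry://myregistry.io/acme/pod-privileged:v1.0.0"]

if __name__ == "__main__":
    report = check_private_registry_setup(
        EXAMPLE_POLICY_SERVER, EXAMPLE_SECRET, "kubewarden", EXAMPLE_MODULES)
    for line in report or ["OK: PolicyServer and Secret are consistent"]:
        print(line)
```

To use it against a live cluster, feed `kubectl get secret -n kubewarden secret-ghcr-docker -o json` and `kubectl get policyserver default -o json` into `check_private_registry_setup`, together with the module URIs of the policies you intend to bind to that PolicyServer.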
Consuming the Secret in Helm charts
When deployed from the `kubewarden-defaults` Helm chart, you can set the `policyServer.imagePullSecret` value to the Secret name. The default PolicyServer created by the chart will then be able to download policies from your private registry as well:
```yaml
# values file example
policyServer:
  telemetry:
    enabled: false
  imagePullSecret: secret-ghcr-docker
```