From 96addf65b40174715416ed18e41e44a2bdb97894 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Sun, 14 Jun 2026 19:47:05 +0000 Subject: [PATCH] fix(anisette): docker.io/ image prefix to pass Kyverno require-trusted-registries MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit First apply was denied at admission — a bare dadoum/anisette-v3-server@sha256 ref isn't in the trusted-registries allowlist (only enumerated DockerHub user-repo prefixes are). docker.io/* IS allowlisted, so use the explicit registry prefix; still pulls via the 10.0.20.10 pull-through cache. Co-Authored-By: Claude Opus 4.8 --- stacks/anisette/main.tf | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/stacks/anisette/main.tf b/stacks/anisette/main.tf index a8fbb8ec..44c0f3a5 100644 --- a/stacks/anisette/main.tf +++ b/stacks/anisette/main.tf @@ -78,7 +78,15 @@ resource "kubernetes_deployment" "anisette" { spec { container { # Pinned by digest — upstream ships only a mutable :latest (no tags). - image = "dadoum/anisette-v3-server@sha256:1e20384985d3c49965f444bef39d627768dacc39ea0dca91f2a535edb7591ba3" + # The `docker.io/` prefix is REQUIRED, not cosmetic: the Kyverno + # require-trusted-registries policy allowlists `docker.io/*` but NOT a + # bare `dadoum/*` prefix (only enumerated DockerHub user repos like + # mendhak/*, mpepping/* are listed in + # stacks/kyverno/modules/kyverno/security-policies.tf). A bare + # `dadoum/anisette-v3-server@...` is denied at admission; the explicit + # docker.io/ registry matches the allowlist and still pulls via the + # 10.0.20.10 pull-through cache. + image = "docker.io/dadoum/anisette-v3-server@sha256:1e20384985d3c49965f444bef39d627768dacc39ea0dca91f2a535edb7591ba3" name = "anisette" port { name = "http"