fix(anisette): docker.io/ image prefix to pass Kyverno require-trusted-registries
Some checks failed
ci/woodpecker/push/default Pipeline was canceled
First apply was denied at admission — a bare dadoum/anisette-v3-server@sha256 ref isn't in the trusted-registries allowlist (only enumerated DockerHub user-repo prefixes are). docker.io/* IS allowlisted, so use the explicit registry prefix; still pulls via the 10.0.20.10 pull-through cache. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
parent
0bfa6f0774
commit
96addf65b4
1 changed file with 9 additions and 1 deletion
@ -78,7 +78,15 @@ resource "kubernetes_deployment" "anisette" {
|
||||||
spec {
|
spec {
|
||||||
container {
|
container {
|
||||||
# Pinned by digest — upstream ships only a mutable :latest (no tags).
|
# Pinned by digest — upstream ships only a mutable :latest (no tags).
|
||||||
image = "dadoum/anisette-v3-server@sha256:1e20384985d3c49965f444bef39d627768dacc39ea0dca91f2a535edb7591ba3"
|
# The `docker.io/` prefix is REQUIRED, not cosmetic: the Kyverno
|
||||||
|
# require-trusted-registries policy allowlists `docker.io/*` but NOT a
|
||||||
|
# bare `dadoum/*` prefix (only enumerated DockerHub user repos like
|
||||||
|
# mendhak/*, mpepping/* are listed in
|
||||||
|
# stacks/kyverno/modules/kyverno/security-policies.tf). A bare
|
||||||
|
# `dadoum/anisette-v3-server@...` is denied at admission; the explicit
|
||||||
|
# docker.io/ registry matches the allowlist and still pulls via the
|
||||||
|
# 10.0.20.10 pull-through cache.
|
||||||
|
image = "docker.io/dadoum/anisette-v3-server@sha256:1e20384985d3c49965f444bef39d627768dacc39ea0dca91f2a535edb7591ba3"
|
||||||
name = "anisette"
|
name = "anisette"
|
||||||
port {
|
port {
|
||||||
name = "http"
|
name = "http"
|
||||||
|
|
|
||||||
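Review bot: the fix relies on the `docker.io/*` wildcard in require-trusted-registries, and the comment itself notes that the policy also enumerates individual DockerHub user repos (mendhak/*, mpepping/*); with a `docker.io/*` entry present, those per-repo entries add no restriction and the effective trust boundary is "any DockerHub image", so consider adding `dadoum/*` to the enumerated list in stacks/kyverno/modules/kyverno/security-policies.tf (and revisiting whether the wildcard should exist) rather than prefixing the ref to match the wildcard. Separately, the nine-line comment hard-codes the current allowlist contents and will go stale as the policy changes; a one-line pointer such as `# docker.io/ prefix required by Kyverno require-trusted-registries (see stacks/kyverno/modules/kyverno/security-policies.tf)` carries the same information. The sha256 digest pin is correctly retained.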