GitHunt
MA

maxtacu/ecr-pull-through

Mutating webhook for ECR pull-through

awsdockerhubecrkuberneteskyvernomutatingadmissionwebhookpull-throughregistry

ECR Pull-Through Cache Mutation Webhook ๐Ÿš€

A Kubernetes mutation webhook that automatically redirects container image pulls through Amazon ECR's pull-through cache, optimizing performance and reducing costs.

๐ŸŽฏ What It Does

This webhook intercepts pod creation requests in your Kubernetes cluster and automatically modifies container image references to use Amazon ECR's pull-through cache. This means:

  • โšก Faster image pulls through local caching
  • ๐Ÿ’ฐ Reduced network egress costs
  • ๐Ÿ”„ Seamless integration with existing deployments

๐Ÿšฆ Prerequisites

  1. ECR Pull-Through Cache Configuration
    You must manually configure pull-through cache for these registries:

    • ghcr.io
    • docker.io
    • registry.k8s.io
    • quay.io

    โš ๏ธ Important: Use registry-matching names for your configurations as required by this webhook.

    Example configuration:
    ECR Pull-Through Configuration

  2. IAM Configuration
    Check the aws-policies folder for:

    • Example lifecycle policies for Creation Templates
    • ECR Registry policy examples
    • Role configurations for EKS nodes

๐Ÿ“š For detailed ECR Pull-Through setup, see the AWS documentation.

๐Ÿ› ๏ธ Installation Options

  1. Clone the repository:

  2. Install the chart:

helm install ecr-pull-through -n kube-system chart/ecr-pull-through \
  --set awsAccount=123456789012 \
  --set awsRegion=us-west-2

๐Ÿ“ Prerequisites:

  • cert-manager must be installed in your cluster
  • The chart uses cert-manager to generate TLS certificates for the webhook

Option 2: Kyverno Policies

Note: docker.io support is limited in Kyverno configuration

  1. Find policies for docker.io, quay.io, registry.k8s.io, and ghcr.io in the kyverno folder
  2. Update AWS account ID in policies
  3. Apply to your cluster

Option 3: Manual Webhook Installation

  1. Clone this repository
  2. Go to manifests folder
  3. Configure manifests/configmap.yaml
  4. Ensure your kubectl context points to the target cluster
  5. Run ./install.sh

๐Ÿ”‘ Note: By default, the webhook only processes namespaces labeled with pull-through-enabled: "true". Modify manifests/bundle.yaml to change this behavior.

๐Ÿงช Testing

Use the sample pod manifests in the tests folder to verify the webhook's operation.

๐Ÿงน Maintenance

ECR Repository Cleanup

This might be useful if you are testing ECR Pull-through and want to occasionally cleanup pull-through registries.
Use ecr-cleanup.sh to remove pull-through generated repositories:

./ecr-cleanup.sh

๐Ÿ“„ License

This project is open-source and available under the MIT License.

Languages

Go66.8%Smarty14.0%Shell12.6%Makefile4.7%Dockerfile1.9%

Contributors

MAESDIRBRE
MIT License
Created February 18, 2024
Updated December 18, 2025
maxtacu/ecr-pull-through | GitHunt