{"id":14975834,"url":"https://github.com/google/k8s-digester","last_synced_at":"2025-04-04T13:05:20.603Z","repository":{"id":40565859,"uuid":"346173833","full_name":"google/k8s-digester","owner":"google","description":"Add digests to container and init container images in Kubernetes pod and pod template specs. Use either as a mutating admission webhook, or as a client-side KRM function with kpt or kustomize.","archived":false,"fork":false,"pushed_at":"2025-03-13T01:27:59.000Z","size":267,"stargazers_count":135,"open_issues_count":5,"forks_count":19,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-03-28T12:02:06.483Z","etag":null,"topics":["binary-authorization","container-registry","containers","docker","gcp","gke","go","google-cloud-platform","google-kubernetes-engine","k8s","kpt","kubernetes","kustomize"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/google.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-03-09T23:34:07.000Z","updated_at":"2025-03-27T19:23:48.000Z","dependencies_parsed_at":"2023-02-18T08:31:10.496Z","dependency_job_id":"1d23b3c5-a6a6-4ffe-b0b8-7ec72917abbd","html_url":"https://github.com/google/k8s-digester","commit_stats":{"total_commits":57,"total_committers":8,"mean_commits":7.125,"dds":0.4035087719298246,"last_synced_commit":"d804009f35553afa9081f4cfc8913b1416be818f"},"previous_names":[],"tags_count":48,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fk8s-digester","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fk8s-digester/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fk8s-digester/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fk8s-digester/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/google","download_url":"https://codeload.github.com/google/k8s-digester/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247174463,"owners_count":20896078,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["binary-authorization","container-registry","containers","docker","gcp","gke","go","google-cloud-platform","google-kubernetes-engine","k8s","kpt","kubernetes","kustomize"],"created_at":"2024-09-24T13:52:44.350Z","updated_at":"2025-04-04T13:05:20.582Z","avatar_url":"https://github.com/google.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Digester\n\nDigester resolves tags to\n[digests](https://cloud.google.com/solutions/using-container-images) for\ncontainer and init container images in Kubernetes\n[Pod](https://kubernetes.io/docs/concepts/workloads/pods/) and\n[Pod template](https://kubernetes.io/docs/concepts/workloads/pods/#pod-templates)\nspecs.\n\nIt replaces container image references that use tags:\n\n```yaml\nspec:\n  containers:\n  - image: gcr.io/google-containers/echoserver:1.10\n```\n\nWith references that use the image digest:\n\n```yaml\nspec:\n  containers:\n  - image: gcr.io/google-containers/echoserver:1.10@sha256:cb5c1bddd1b5665e1867a7fa1b5fa843a47ee433bbb75d4293888b71def53229\n```\n\nDigester can run either as a\n[mutating admission webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/)\nin a Kubernetes cluster, or as a client-side\n[Kubernetes Resource Model (KRM) function](https://kpt.dev/book/02-concepts/03-functions)\nwith the [kpt](https://kpt.dev/) or\n[kustomize](https://kubectl.docs.kubernetes.io/guides/introduction/kustomize/)\ncommand-line tools.\n\nIf a tag points to an\n[image index](https://github.com/opencontainers/image-spec/blob/master/image-index.md#oci-image-index-specification)\nor\n[manifest list](https://docs.docker.com/registry/spec/manifest-v2-2/#manifest-list),\ndigester resolves the tag to the digest of the image index or manifest list.\n\nThe webhook is opt-in at the namespace level by label, see\n[Deploying the webhook](#deploying-the-webhook).\n\nIf you use\n[Binary Authorization](https://cloud.google.com/binary-authorization/docs),\ndigester can help to ensure that only verified container images can be deployed\nto your clusters. A Binary Authorization\n[attestation](https://cloud.google.com/binary-authorization/docs/key-concepts#attestations)\nis valid for a particular container image digest. You must deploy container\nimages by digest so that Binary Authorization can verify the attestations for\nthe container image. You can use digester to deploy container images by digest.\n\n## Running the KRM function\n\n1.  Download the digester binary for your platform from the\n    [Releases page](../../releases).\n\n    Alternatively, you can download the latest version using these commands:\n\n    ```sh\n    VERSION=v0.1.16\n    curl -Lo digester \"https://github.com/google/k8s-digester/releases/download/${VERSION}/digester_$(uname -s)_$(uname -m)\"\n    chmod +x digester\n    ```\n\n2.  [Install kpt](https://kpt.dev/installation/) v1.0.0-beta.1 or later, and/or\n    [install kustomize](https://kubectl.docs.kubernetes.io/installation/kustomize/)\n    v3.7.0 or later.\n\n3.  Run the digester KRM function using either kpt or kustomize:\n\n    -   Using kpt:\n\n        ```sh\n        kpt fn eval [manifest directory] --exec ./digester\n        ```\n\n    -   Using kustomize:\n\n        ```sh\n        kustomize fn run [manifest directory] --enable-exec --exec-path ./digester\n        ```\n\n    By running as an executable, the digester KRM function has access to\n    container image registry credentials in the current environment, such as\n    the current user's\n    [Docker config file](https://github.com/google/go-containerregistry/blob/main/pkg/authn/README.md#the-config-file)\n    and\n    [credential helpers](https://docs.docker.com/engine/reference/commandline/login/#credential-helper-protocol).\n    For more information, see the digester documentation on\n    [Authenticating to container image registries](docs/authentication.md).\n\n## Deploying the webhook\n\nThe digester webhook requires Kubernetes v1.16 or later.\n\n1.  If you use Google Kubernetes Engine (GKE), grant yourself the\n    `cluster-admin` Kubernetes\n    [cluster role](https://kubernetes.io/docs/reference/access-authn-authz/rbac/):\n\n    ```sh\n    kubectl create clusterrolebinding cluster-admin-binding \\\n        --clusterrole cluster-admin \\\n        --user \"$(gcloud config get core/account)\"\n    ```\n\n2.  Install the digester webhook in your Kubernetes cluster:\n\n    ```sh\n    VERSION=v0.1.16\n    kubectl apply -k \"https://github.com/google/k8s-digester.git/manifests/?ref=${VERSION}\"\n    ```\n\n3.  Add the `digest-resolution: enabled` label to namespaces where you want the\n    webhook to resolve tags to digests:\n\n    ```sh\n    kubectl label namespace [NAMESPACE] digest-resolution=enabled\n    ```\n\nTo configure how the webhook authenticates to your container image registries,\nsee the documentation on\n[Authenticating to container image registries](https://github.com/google/k8s-digester/blob/main/docs/authentication.md#authenticating-to-container-image-registries).\n\nIf you want to install the webhook using kustomize or kpt, follow the steps in\nthe [package documentation](manifests/README.md).\n\nIf you want to apply a pre-rendered manifest, you can download an all-in-one\nmanifest file for a released version from the [Releases page](../../releases).\n\n### Private clusters\n\nIf you install the webhook in a\n[private Google Kubernetes Engine (GKE) cluster](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters),\nyou must add a firewall rule. In a private cluster, the nodes only have\n[internal IP addresses](https://cloud.google.com/vpc/docs/ip-addresses).\nThe firewall rule allows the API server to access the webhook running on port\n8443 on the cluster nodes.\n\n1.  Create an environment variable called `CLUSTER`. The value is the name of\n    your cluster that you see when you run `gcloud container clusters list`:\n\n    ```sh\n    CLUSTER=[your private GKE cluster name]\n    ```\n\n2.  Look up the IP address range for the cluster API server and store it in an\n    environment variable:\n\n    ```sh\n    API_SERVER_CIDR=$(gcloud container clusters describe $CLUSTER \\\n        --format 'value(privateClusterConfig.masterIpv4CidrBlock)')\n    ```\n\n3.  Look up the\n    [network tags](https://cloud.google.com/vpc/docs/add-remove-network-tags)\n    for your cluster nodes and store them comma-separated in an environment\n    variable:\n\n    ```sh\n    TARGET_TAGS=$(gcloud compute firewall-rules list \\\n        --filter \"name~^gke-$CLUSTER\" \\\n        --format 'value(targetTags)' | uniq | paste -d, -s -)\n    ```\n\n4.  Create a firewall rule that allows traffic from the API server to the\n    cluster nodes on TCP port 8443:\n\n    ```sh\n    gcloud compute firewall-rules create allow-api-server-to-digester-webhook \\\n        --action ALLOW \\\n        --direction INGRESS \\\n        --source-ranges \"$API_SERVER_CIDR\" \\\n        --rules tcp:8443 \\\n        --target-tags \"$TARGET_TAGS\"\n    ```\n\nYou can read more about private cluster firewall rules in the\n[GKE private cluster documentation](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#add_firewall_rules).\n\n## Documentation\n\n-   [Tutorial](https://cloud.google.com/architecture/using-container-image-digests-in-kubernetes-manifests#using_digester)\n\n-   [Motivation](docs/motivation.md)\n\n-   [Recommendations](docs/recommendations.md)\n\n-   [Authenticating to container image registries](docs/authentication.md)\n\n-   [Configuring GKE Workload Identity for authenticating to Container Registry and Artifact Registry](docs/workload-identity.md)\n\n-   [Resolving common issues](docs/common-issues.md)\n\n-   [Troubleshooting](docs/troubleshooting.md)\n\n-   [Building digester](docs/build.md)\n\n-   [Developing digester](docs/development.md)\n\n-   [Releasing digester](docs/release.md)\n\n## Disclaimer\n\nThis is not an officially supported Google product.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fk8s-digester","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoogle%2Fk8s-digester","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fk8s-digester/lists"}