UNCLASSIFIED - NO CUI

Two containers not coming from registry1

Postgresql and nginx are not coming from registry1. Since OPA out of the box will now deny this, there should be a note on how to deploy this for newer versions of Big Bang.

Add the following to your Big Bang configmap to fix deployment issues.

gatekeeper:
  values:
    violations:
      allowedDockerRegistries:
        parameters:
          repos:
          - releases-docker.jfrog.io
          - docker.io

docker.io/bitnami/postgresql:13.2.0-debian-10-r55

releases-docker.jfrog.io/jfrog/nginx-artifactory-pro:7.21.7

Please let me know if this is on the roadmap to change, or if this was noted by Iron Bank somewhere in the process? @ariel.shnitzer

Side note: I did try to deploy with the Iron Bank open source nginx, but was running into the following errors:

sh-4.2$ kubectl get po -n jfrog
NAME                                            READY   STATUS    RESTARTS   AGE
jfrog-jfrog-platform-artifactory-ha-member-0    1/1     Running   0          7m19s
jfrog-jfrog-platform-artifactory-ha-member-1    1/1     Running   0          4m50s
jfrog-jfrog-platform-artifactory-ha-primary-0   1/1     Running   0          7m19s
jfrog-jfrog-platform-nginx-ccf9cdc69-x8s9v      0/1     Running   0          7m20s
jfrog-jfrog-platform-postgresql-0               1/1     Running   0          7m17s
jfrog-jfrog-platform-rabbitmq-0                 1/1     Running   0          7m18s
jfrog-jfrog-platform-xray-0                     5/5     Running   0          7m18s

sh-4.2$ kubectl describe po jfrog-jfrog-platform-nginx-ccf9cdc69-x8s9v -n jfrog
Name:         jfrog-jfrog-platform-nginx-ccf9cdc69-x8s9v
Namespace:    jfrog
Priority:     0
Node:         ip-10-0-10-133.us-gov-west-1.compute.internal/10.0.10.133
Start Time:   Sat, 04 Dec 2021 03:28:44 +0000
Labels:       app=artifactory-ha
              chart=artifactory-ha-107.24.3
              component=nginx
              heritage=Helm
              pod-template-hash=ccf9cdc69
              release=jfrog-jfrog-platform
Annotations:  checksum/nginx-artifactory-conf: 2259a43ba2d0f78a92fd370d4ddf9fc3567ff1af6b5993b200ef1eb2249c749b
              checksum/nginx-conf: 25359512a08a5a17491a21482fdcd27c0c9994c64b7c1a0de23eacf8524fcaf1
              kubernetes.io/psp: eks.privileged
Status:       Running
IP:           10.0.10.41
IPs:
  IP:           10.0.10.41
Controlled By:  ReplicaSet/jfrog-jfrog-platform-nginx-ccf9cdc69
Init Containers:
  setup:
    Container ID:  docker://bc7a2fdf4990d9f3846307c6678bbbe70b89f9bbbff5fc398e5e2e88561fd7a3
    Image:         releases-docker.jfrog.io/alpine:3.14.0
    Image ID:      docker-pullable://releases-docker.jfrog.io/alpine@sha256:1775bebec23e1f3ce486989bfc9ff3c4e951690df84aa9f926497d82f2ffca9d
    Port:          <none>
    Host Port:     <none>
    Command:
      /bin/sh
      -c
      rm -rfv /var/opt/jfrog/nginx/lost+found; mkdir -p /var/opt/jfrog/nginx/logs;

    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Sat, 04 Dec 2021 03:28:45 +0000
      Finished:     Sat, 04 Dec 2021 03:28:45 +0000
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/opt/jfrog/nginx from nginx-volume (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-lxfbq (ro)
Containers:
  nginx:
    Container ID:  docker://d0e3c19cbd735066ae6fb69562dec162d361b5332bf452a9626234e02df7853e
    Image:         registry1.dso.mil/ironbank/opensource/nginx/nginx:1.21.3
    Image ID:      docker-pullable://registry1.dso.mil/ironbank/opensource/nginx/nginx@sha256:d126f5b55151cafd08ec99f88165913964884dae33f10a69eebee982c983e575
    Ports:         80/TCP, 443/TCP
    Host Ports:    0/TCP, 0/TCP
    Command:
      nginx
      -g
      daemon off;
    State:          Running
      Started:      Sat, 04 Dec 2021 03:28:52 +0000
    Ready:          False
    Restart Count:  0
    Liveness:       http-get http://:80/router/api/v1/system/health delay=0s timeout=5s period=10s #success=1 #failure=10
    Readiness:      http-get http://:80/router/api/v1/system/health delay=0s timeout=5s period=10s #success=1 #failure=10
    Startup:        http-get http://:80/router/api/v1/system/health delay=30s timeout=5s period=5s #success=1 #failure=90
    Environment:    <none>
    Mounts:
      /etc/nginx/nginx.conf from nginx-conf (rw,path="nginx.conf")
      /var/opt/jfrog/nginx from nginx-volume (rw)
      /var/opt/jfrog/nginx/conf.d/ from nginx-artifactory-conf (rw)
      /var/opt/jfrog/nginx/ssl from ssl-certificates (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-lxfbq (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  nginx-conf:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      jfrog-jfrog-platform-artifactory-ha-nginx-conf
    Optional:  false
  nginx-artifactory-conf:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      jfrog-jfrog-platform-artifactory-ha-nginx-artifactory-conf
    Optional:  false
  nginx-volume:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  ssl-certificates:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  jfrog-jfrog-platform-artifactory-ha-nginx-certificate
    Optional:    false
  kube-api-access-lxfbq:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason     Age                    From               Message
  ----     ------     ----                   ----               -------
  Normal   Scheduled  7m6s                   default-scheduler  Successfully assigned jfrog/jfrog-jfrog-platform-nginx-ccf9cdc69-x8s9v to ip-10-0-10-133.us-gov-west-1.compute.internal
  Normal   Pulled     7m5s                   kubelet            Container image "releases-docker.jfrog.io/alpine:3.14.0" already present on machine
  Normal   Created    7m5s                   kubelet            Created container setup
  Normal   Started    7m5s                   kubelet            Started container setup
  Normal   Pulling    7m5s                   kubelet            Pulling image "registry1.dso.mil/ironbank/opensource/nginx/nginx:1.21.3"
  Normal   Pulled     6m59s                  kubelet            Successfully pulled image "registry1.dso.mil/ironbank/opensource/nginx/nginx:1.21.3" in 5.745530839s
  Normal   Created    6m59s                  kubelet            Created container nginx
  Normal   Started    6m58s                  kubelet            Started container nginx
  Warning  Unhealthy  2m1s (x54 over 6m26s)  kubelet            Startup probe failed: Get "http://10.0.10.41:80/router/api/v1/system/health": dial tcp 10.0.10.41:80: connect: connection refused

sh-4.2$ kubectl get pods -n jfrog -o jsonpath="{.items[*].spec.containers[*].image}" |\
>     tr -s '[[:space:]]' '\n' |\
>     sort |\
>     uniq -c
      1 docker.io/bitnami/postgresql:13.2.0-debian-10-r55
      3 registry1.dso.mil/ironbank/jfrog/artifactory/artifactory:7.21.7
      1 registry1.dso.mil/ironbank/jfrog/jfrog-xray/router:7.21.5
      1 registry1.dso.mil/ironbank/jfrog/jfrog-xray/xray-analysis:3.30.2
      1 registry1.dso.mil/ironbank/jfrog/jfrog-xray/xray-indexer:3.30.2
      1 registry1.dso.mil/ironbank/jfrog/jfrog-xray/xray-persist:3.30.2
      1 registry1.dso.mil/ironbank/jfrog/jfrog-xray/xray-rabbitmq:3.8.14-debian-10-r32
      1 registry1.dso.mil/ironbank/jfrog/jfrog-xray/xray-server:3.30.2
      1 registry1.dso.mil/ironbank/opensource/nginx/nginx:1.21.3
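The `kubectl ... | sort | uniq -c` pipeline above lists the images in the namespace, but it does not say which of them an allowed-registries constraint would reject. The script below is an added example (not part of this issue or of Big Bang's own Gatekeeper policy) that does that offline: it takes the image list quoted above as constructed sample input, normalizes Docker Hub shorthand (an image with no registry component is treated as `docker.io`, and a single-segment name as `docker.io/library/...`), and reports which images fall outside an assumed `repos` list like the one in the `allowedDockerRegistries` snippet. The matching rule here is an assumption of this example: a repo prefix must end at a `/`, `:` or `@` boundary, so that `registry1.dso.mil` does not also accept a lookalike host such as `registry1.dso.mil.example.com`.

```python
"""
Audit container image references against an allowed-registries list.

Added example, not part of the original issue or the Big Bang project.
Assumptions: registry matching is a boundary-aware prefix match on the
normalized image reference; an image with no registry component is treated
as docker.io, mirroring Docker's own default.
"""
from collections import Counter

# Constructed sample input: the images from the `kubectl get pods ... jsonpath`
# output quoted in the issue, plus the init container's alpine image and one
# bare "nginx:1.21.3" reference to exercise the docker.io default.
SAMPLE_IMAGES = [
    "docker.io/bitnami/postgresql:13.2.0-debian-10-r55",
    "registry1.dso.mil/ironbank/jfrog/artifactory/artifactory:7.21.7",
    "registry1.dso.mil/ironbank/jfrog/artifactory/artifactory:7.21.7",
    "registry1.dso.mil/ironbank/jfrog/artifactory/artifactory:7.21.7",
    "registry1.dso.mil/ironbank/jfrog/jfrog-xray/router:7.21.5",
    "registry1.dso.mil/ironbank/opensource/nginx/nginx:1.21.3",
    "releases-docker.jfrog.io/alpine:3.14.0",
    "nginx:1.21.3",
]

# Assumed allowed lists: Iron Bank only, and Iron Bank plus the two
# registries the issue adds to the allowedDockerRegistries repos list.
IRONBANK_ONLY = ["registry1.dso.mil"]
WITH_ISSUE_FIX = ["registry1.dso.mil", "releases-docker.jfrog.io", "docker.io"]


def registry_of(image: str) -> str:
    """Return the registry host of an image reference.

    The first path component is a registry only if it contains a '.' or ':'
    or is 'localhost'; otherwise Docker resolves the reference on docker.io.
    """
    first, sep, _rest = image.partition("/")
    if not sep:
        return "docker.io"
    if "." in first or ":" in first or first == "localhost":
        return first
    return "docker.io"


def normalize(image: str) -> str:
    """Expand Docker Hub shorthand so every reference carries a registry."""
    reg = registry_of(image)
    if image.startswith(reg + "/"):
        return image
    # No explicit registry: docker.io, with single-segment names under library/.
    if "/" in image:
        return "docker.io/" + image
    return "docker.io/library/" + image


def is_allowed(image: str, allowed_repos) -> bool:
    """True if the normalized image starts with an allowed repo prefix.

    The prefix must be followed by '/', ':' or '@' (path, tag or digest
    boundary) so a bare hostname prefix cannot match a longer lookalike host.
    """
    full = normalize(image)
    for repo in allowed_repos:
        repo = repo.rstrip("/")
        if full == repo:
            return True
        if full.startswith(repo) and full[len(repo)] in "/:@":
            return True
    return False


def audit(images, allowed_repos):
    """Return (allowed, denied) Counters keyed by normalized image reference."""
    allowed, denied = Counter(), Counter()
    for image in images:
        bucket = allowed if is_allowed(image, allowed_repos) else denied
        bucket[normalize(image)] += 1
    return allowed, denied


if __name__ == "__main__":
    for label, repos in (("Iron Bank only", IRONBANK_ONLY), ("with issue fix", WITH_ISSUE_FIX)):
        _ok, denied = audit(SAMPLE_IMAGES, repos)
        print(f"== {label}: {sum(denied.values())} image(s) would be denied")
        for ref, count in sorted(denied.items()):
            print(f"  DENIED x{count}  {ref}")
```

Run it as-is to see the three references an Iron-Bank-only policy rejects (the postgresql image, the alpine init image and the bare nginx reference) and an empty denied list once the two extra registries are present; to audit a live namespace, feed the output of the `kubectl ... jsonpath` command into `audit` instead of `SAMPLE_IMAGES`.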