Migrating from Bitnami to Bitnami Legacy with Kyverno

You may have recently heard about Bitnami’s move to Secure Images for Production-Ready containerized Applications.

Bitnami has transitioned to providing Secure Images for containerized applications, which are no longer free. If you’re encountering ImagePullBackOff errors in your Kubernetes cluster, it’s likely due to this change.

In short, Bitnami container images now require a subscription. However, they’ve provided a temporary solution by allowing access to older images through the docker.io/bitnamilegacy registry.

Note: This is a stopgap measure. The long-term goal is to move away from Bitnami entirely. Projects like CloudPirates are already working on providing alternative images and charts.

Kyverno Policy Example

---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: patch-bitnami-to-bitnamilegacy
spec:
  admission: true
  background: false
  validationFailureAction: Audit
  rules:
    - name: patch
      match:
        any:
          - resources:
              kinds:
                - Pod
              operations:
                - CREATE
      mutate:
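        foreach:
          # Rewrite every regular container that pulls from docker.io/bitnami/*
          - list: request.object.spec.containers
            patchStrategicMerge:
              spec:
                containers:
                  - image: >-
                      {{ images.containers."{{element.name}}".registry }}/bitnamilegacy/{{ images.containers."{{element.name}}".path | split(@,'/')[1] }}:{{ images.containers."{{element.name}}".tag }}
                    name: "{{ element.name }}"
            preconditions:
              all:
                # Only touch images whose path contains "bitnami/" ...
                - value: true
                  operator: Equals
                  key: '{{ images.containers."{{element.name}}".path | contains(@,''bitnami/'') }}'
                # ... and that are pulled from Docker Hub
                - key: '{{ images.containers."{{element.name}}".registry }}'
                  operator: Equals
                  value: docker.io
          # Same rewrite for init containers; the patch must target spec.initContainers
          - list: request.object.spec.initContainers || []
            patchStrategicMerge:
              spec:
                initContainers:
                  - image: >-
                      {{ images.initContainers."{{element.name}}".registry }}/bitnamilegacy/{{ images.initContainers."{{element.name}}".path | split(@,'/')[1] }}:{{ images.initContainers."{{element.name}}".tag }}
                    name: "{{ element.name }}"
            preconditions:
              all:
                - value: true
                  operator: Equals
                  key: '{{ images.initContainers."{{element.name}}".path | contains(@,''bitnami/'') }}'
                - key: '{{ images.initContainers."{{element.name}}".registry }}'
                  operator: Equals
                  value: docker.io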
      skipBackgroundRequests: true

You can also try this policy on playground.kyverno.io.

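This example policy rewrites a Pod's docker.io/bitnami image references to the docker.io/bitnamilegacy registry. It runs at admission time on Pod CREATE requests and covers both containers and initContainers. The rewritten reference is built from the registry, the image name and the tag only, and the match on the image path is a substring test for "bitnami/".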
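To see which references the policy would touch before enabling it, the following added example (not part of the original post and not Kyverno code) previews the rewrite for a list of image references. The parser is a simplified approximation of the registry/path/tag split Kyverno exposes, the default registry is assumed to be docker.io, and the function names and sample references are constructed for illustration.

```python
# Added example: preview of the rewrite the policy applies (not Kyverno code).
DEFAULT_REGISTRY = "docker.io"  # assumption: Kyverno's default registry setting


def parse_image(ref):
    """Simplified split into registry/path/tag/digest (approximates Kyverno's `images` variable)."""
    ref, _, digest = ref.partition("@")
    first, _, rest = ref.partition("/")
    # The first component is a registry only if it looks like a host name.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, remainder = first, rest
    else:
        registry, remainder = DEFAULT_REGISTRY, ref
    path, sep, tag = remainder.rpartition(":")
    if not sep:  # no tag in the reference
        path, tag = remainder, ("" if digest else "latest")
    return {"registry": registry, "path": path, "tag": tag, "digest": digest}


def preview(ref):
    """Return (new_reference_or_None, note) for one container image reference."""
    img = parse_image(ref)
    # The two preconditions from the policy: substring match on the path, exact registry.
    if "bitnami/" not in img["path"] or img["registry"] != "docker.io":
        return None, "unchanged"
    if not img["tag"]:
        return None, "review: digest-only reference, template has no tag to emit"
    name = img["path"].split("/")[1]  # same as split(@,'/')[1] in the policy
    new_ref = f"{img['registry']}/bitnamilegacy/{name}:{img['tag']}"
    return new_ref, "digest pin dropped" if img["digest"] else "rewritten"


# Constructed sample references, as they might appear in Pod specs.
SAMPLE = [
    "bitnami/redis:7.2.4",
    "docker.io/bitnami/postgresql:16",
    "docker.io/bitnamilegacy/redis:7.2.4",
    "ghcr.io/bitnami/nginx:1.27",
    "docker.io/notbitnami/tool:1.0",            # over-match: contains "bitnami/"
    "bitnami/kubectl:1.30@sha256:" + "0" * 64,  # constructed digest
]

if __name__ == "__main__":
    for ref in SAMPLE:
        print(f"{ref:60} -> {preview(ref)}")
```

The `notbitnami` and digest rows are the ones to look at: the substring precondition also matches other namespaces that end in "bitnami", and a digest pin is not carried into the rewritten reference.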