A Kubernetes mutation webhook that automatically redirects container image pulls through Amazon ECR's pull-through cache, optimizing performance and reducing costs.
This webhook intercepts pod creation requests in your Kubernetes cluster and automatically modifies container image references to use Amazon ECR's pull-through cache. This means:
- ⚡ Faster image pulls through local caching
- 💰 Reduced network egress costs
- 🔄 Seamless integration with existing deployments
-
ECR Pull-Through Cache Configuration You must manually configure pull-through cache for these registries:
ghcr.iodocker.ioregistry.k8s.ioquay.io
⚠️ Important: Use registry-matching names for your configurations as required by this webhook.Example configuration:
-
IAM Configuration Check the
aws-policiesfolder for:- Example lifecycle policies for Creation Templates
- ECR Registry policy examples
- Role configurations for EKS nodes
📚 For detailed ECR Pull-Through setup, see the AWS documentation.
Note: docker.io support is limited in Kyverno configuration
- Find policies for
quay.io,registry.k8s.io, andghcr.ioin thekyvernofolder - Update AWS account ID in policies
- Apply to your cluster
- Clone this repository
- Configure manifests/configmap.yaml
- Ensure your kubectl context points to the target cluster
- Run
./install.sh
🔑 Note: By default, the webhook only processes namespaces labeled with
pull-through-enabled: "true". Modify manifests/bundle.yaml to change this behavior.
Use the sample pod manifests in the tests folder to verify the webhook's operation.
Use ecr-cleanup.sh to remove pull-through generated repositories:
./ecr-cleanup.shContributions are welcome! Especially for improving Kyverno support for docker.io.
This project is open-source and available under the MIT License.