ERROR: Unable to create pod kubernetes jenkins/pod-name


I installed Jenkins on EKS. I have configured a Jenkins pipeline that creates the Jenkins agent as a temporary Kubernetes pod using a Jenkins global library.

The podTemplate is defined in the Jenkins.groovy file with a YAML template. That YAML template is -

pipeline { 
  agent {
    kubernetes {
        yaml '''
          apiVersion: v1
          kind: Pod
          metadata:
            labels:
              name: label-value
          spec:
            imagePullSecrets:
            - name: image-pull-secret-name
            containers:  
            - name: test-build
              image: my-allowed-registry/docker/build-tools:1.0
              command:
              - cat
              tty: true
              volumeMounts:
                - mountPath: /var/run/docker.sock
                  name: docker-sock
                - mountPath: /root/.m2/repository
                  name: maven-cache
            volumes:
            - name: docker-sock
              hostPath:
                path: /var/run/docker.sock
            - name: maven-cache
              hostPath:
                path: /maven-cache
                type: DirectoryOrCreate
        '''
    }
  }
  // stages omitted in the original post
}

In the EKS cluster, I have applied a Kyverno policy to restrict public image registries -

This policy is being violated and is not letting the agent pod be created, even though I am pulling the Docker image from my private registry (which I have defined in the .groovy file).

I am unable to figure out which image is coming from a public registry, and where.

Error -

io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://ip-address:443/api/v1/namespaces/jenkins/pods. Message: admission webhook "validate.kyverno.svc-fail" denied the request:

policy Pod/jenkins/repoName-branch-name-2btff-18-47-xx-xxx-xxxx for resource violation:

check-valid-docker-registry:
  validate-registries: 'validation error: Unknown image registry. rule validate-registries
    failed at path /spec/containers/1/image/'
. Received status: Status(apiVersion=v1, code=400, details=null, kind=Status, message=admission webhook "validate.kyverno.svc-fail" denied the request:

policy Pod/jenkins/repoName-branch-name-2btff-18-47-xx-xxx-xxxx for resource violation:

check-valid-docker-registry:
  validate-registries: 'validation error: Unknown image registry. rule validate-registries
    failed at path /spec/containers/1/image/'
, metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=null, status=Failure, additionalProperties={}).
        at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.requestFailure(OperationSupport.java:728)
        at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.requestFailure(OperationSupport.java:708)
        at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.assertResponseCode(OperationSupport.java:659)
        at io.fabric8.kubernetes.client.dsl.internal.OperationSupport.lambda$handleResponse$0(OperationSupport.java:587)
        at java.base/java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:642)
        at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:506)
        at java.base/java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:2073)

Can someone help me understand what I am missing here?


There are 0 answers
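Added example (not part of the original post): the YAML in the question declares one container (index 0), while the denial points at `/spec/containers/1/image`, and the Jenkins Kubernetes plugin adds an agent container named `jnlp` (default image `jenkins/inbound-agent`) when the template does not define one. The sketch below resolves the reported path against the effective pod spec to name the rejected container. The pod spec, the `jnlp` tag and the allowlist pattern are constructed assumptions.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the relevant lines of the denial quoted in the question.
DENIAL = """check-valid-docker-registry:
  validate-registries: 'validation error: Unknown image registry. rule validate-registries
    failed at path /spec/containers/1/image/'"""

# Constructed effective pod: the question's container plus the plugin-added
# "jnlp" container. The jnlp tag is an assumption; take the real one from the
# pod YAML that Jenkins prints in the build log.
POD = {"spec": {"containers": [
    {"name": "test-build", "image": "my-allowed-registry/docker/build-tools:1.0"},
    {"name": "jnlp", "image": "jenkins/inbound-agent:latest"},
]}}

# Assumed allowlist pattern; the actual Kyverno policy is not shown on the page.
ALLOWED = ["my-allowed-registry/*"]


def failed_paths(denial):
    """Return each path Kyverno reported, without the trailing slash."""
    return [p.rstrip("/") for p in re.findall(r"failed at path (\S+?)'", denial)]


def resolve(doc, path):
    """Walk a slash-separated path; segments index lists by number, dicts by key."""
    node = doc
    for seg in path.strip("/").split("/"):
        node = node[int(seg)] if isinstance(node, list) else node[seg]
    return node


def offenders(denial, pod, allowed):
    """Map each reported path to (container name, image, matches allowlist?)."""
    out = []
    for path in failed_paths(denial):
        container = resolve(pod, path.rsplit("/", 1)[0])
        image = resolve(pod, path)
        out.append((container["name"], image,
                    any(fnmatchcase(image, pat) for pat in allowed)))
    return out


if __name__ == "__main__":
    for name, image, ok in offenders(DENIAL, POD, ALLOWED):
        print(f"container={name} image={image} allowed={ok}")
```

Declaring a container named `jnlp` in the pod template, with an agent image mirrored into the allowed registry, replaces the plugin's default and lets the pod pass the registry check.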