I need to push all images into a registry before deploying an application in airgap mode because my organization requires that all images be scanned first. I noticed that kots install performs both functions. How can I perform these steps separately?
The kots admin-console push-images command can be used to push images from both the kotsadm and application airgap bundles, and the kots install command has the --disable-image-push flag.
Prerequisites:
- registry address
- registry username
- registry password
- KOTS Admin Console airgap bundle file
- Application airgap bundle file
Procedure:
- First, upload all the images into the registry with the kots admin-console push-images command:
  kubectl kots admin-console push-images ./kotsadm.tar.gz <registry-address> --registry-username <username> --registry-password <password>
  kubectl kots admin-console push-images ./application.airgap <registry-address> --registry-username <username> --registry-password <password>
- Then perform any necessary steps on the registry to scan/validate images.
- Finally, perform an installation using KOTS and use the --disable-image-push flag, since our images are already present in the registry:
  kubectl kots install <application> \
    --namespace <application> \
    --shared-password <admin-console-password> \
    --license-file ./license.yaml \
    --config-values ./configvalues.yaml \
    --airgap-bundle ./application.airgap \
    --kotsadm-registry <registry-address> \
    --kotsadm-namespace <application> \
    --registry-username <registry-username> \
    --registry-password <registry-password> \
    --disable-image-push \
    --no-port-forward
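As an added example (not from the original post and not part of the KOTS tooling): between the scan step and the install with --disable-image-push, a scanner policy may have quarantined or deleted an image, and the install would then fail late. The script below checks that every image the bundle expects is present in the private registry before you run kots install. It assumes that the bundle's airgap.yaml lists images under spec.savedImages, that push-images stores each image as <registry>/<kotsadm-namespace>/<last path segment>:<tag> (or by digest), and that the registry accepts HTTP basic auth on the Docker Registry HTTP API v2; the sample airgap.yaml and the registry state are constructed so it runs offline.

```python
"""Pre-install check: are all images from an airgap bundle present in the registry?
Added example; field names and the rewrite rule are assumptions, see lead-in."""
import base64
import urllib.error
import urllib.request

# Manifest media types a HEAD request should accept (Docker v2 + OCI).
MANIFEST_TYPES = (
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.oci.image.index.v1+json",
)

# Constructed sample of the airgap.yaml found inside an application .airgap bundle
# (assumed layout: spec.savedImages holds the upstream image references).
SAMPLE_AIRGAP_YAML = """\
apiVersion: kots.io/v1beta1
kind: Airgap
spec:
  appSlug: example-app
  savedImages:
    - docker.io/library/nginx:1.25.3
    - quay.io/example/api-server:v2.4.0
    - ghcr.io/example/worker@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  version: 1.0.0
"""


def parse_saved_images(airgap_yaml: str) -> list[str]:
    """Extract the savedImages list without a YAML dependency: collect '- item'
    lines after 'savedImages:' until indentation returns to the key's level."""
    images, in_list, key_indent = [], False, 0
    for line in airgap_yaml.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped.startswith("savedImages:"):
            in_list, key_indent = True, indent
            continue
        if in_list:
            if stripped.startswith("- "):
                images.append(stripped[2:].strip().strip("\"'"))
            elif stripped and indent <= key_indent:
                in_list = False  # next key at the same level ends the list
    return images


def rewrite_image(image: str, namespace: str) -> tuple[str, str]:
    """Map an upstream reference to (repo path, tag-or-digest) inside the private
    registry. Assumption: only the last path segment of the name is kept."""
    name, _, digest = image.partition("@")
    repo, sep, tag = name.rpartition(":")
    if not sep or "/" in tag:          # no tag, or the ':' belonged to a host:port
        repo, tag = name, "latest"
    short = repo.rsplit("/", 1)[-1]
    return f"{namespace}/{short}", (digest or tag)


def missing_images(images, namespace, status_of) -> list[str]:
    """Return upstream references whose manifest is not present (status != 200).
    status_of(repo_path, reference) -> HTTP status, so it can be faked offline."""
    return [img for img in images
            if status_of(*rewrite_image(img, namespace)) != 200]


def registry_head(registry: str, username: str, password: str):
    """Build a status_of() that issues HEAD /v2/<repo>/manifests/<ref> with
    basic auth (assumed to be accepted directly by the registry)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def status_of(repo_path: str, reference: str) -> int:
        req = urllib.request.Request(
            f"https://{registry}/v2/{repo_path}/manifests/{reference}", method="HEAD")
        req.add_header("Authorization", f"Basic {token}")
        req.add_header("Accept", ", ".join(MANIFEST_TYPES))
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # 404 = manifest absent, 401/403 = auth problem
    return status_of


def demo() -> list[str]:
    """Offline run against a constructed registry state in which the worker
    image is gone (e.g. removed by scanner policy after the push step)."""
    present = {("example-app/nginx", "1.25.3"), ("example-app/api-server", "v2.4.0")}
    fake_status = lambda repo, ref: 200 if (repo, ref) in present else 404
    return missing_images(parse_saved_images(SAMPLE_AIRGAP_YAML), "example-app", fake_status)


if __name__ == "__main__":
    # Real use: status_of = registry_head("<registry-address>", "<username>", "<password>")
    for image in demo():
        print("MISSING before install:", image)
```

Run it against the real registry by swapping the fake status function for registry_head(...) with the same address and credentials you passed to push-images, and the same value as --kotsadm-namespace; a non-empty result means the install with --disable-image-push would pull from a manifest that is not there.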
I’ll add as an aside here an answer to a related question
Do you have any recommendations for how customers can run image scanners (for security) on our images besides going through an airgapped flow?
In this case, you can always use the Registry tab to configure an intermediate image registry in which to store images, even if the installation is not airgapped. If you need to perform an initial scan before deploying, take the following steps:
- Proceed with the regular install until you get to the “Preflight Checks” screen.
- Once the Preflight checks have passed, do not click the “Deploy” button; instead click the app icon in the top left, which will take you to the main dashboard.
- From there, go to the registry tab and configure a custom registry
- Clicking save on this page will trigger the following:
  a. App Manager will download each image, re-tag it, and push it to the configured registry
  b. App Manager will stage a new release for you to deploy in which all image manifests are rewritten to use the internal registry instead of a registry on the public internet
- Review and deploy the newly staged release
For more information, see Image Registry for Air Gap Clusters and the docs on referencing images in operators