Yes, `imagePullSecrets` on `Pod` and `ServiceAccount` level in the hooked pod definition are supported.
It is also possible to provide a list of ECRs to which authentication is handled by k8s-image-swapper
using the same credentials as for the target registry. Please see Configuration > Source - AWS.
Not yet, they require a pod rotation.
Please see Configuration > ImageCopyPolicy.
If the source image registry is not reachable it will replace the reference with the target registry reference. If the target registry is down it will do the same. It has no notion of the target registry being up or down.
Kubernetes will continue to work as if `k8s-image-swapper` was not installed.
The webhook failure policy is set to `Ignore`.
!!! tip
    Environments with strict compliance requirements (or air-gapped) may overwrite this with `Fail` to
    avoid falling back to the public images.
A Kubernetes cluster can have multiple mutating webhooks.
Mutating webhooks execute sequentially and each can change a submitted object.
Changes may be applied after `k8s-image-swapper` was executed, e.g. Istio injecting a sidecar.
... -> k8s-image-swapper -> Istio sidecar injection --> ...
Kubernetes 1.15+ allows webhooks to be re-run if a mutating webhook modifies an object. The behaviour is controlled by the Reinvocation policy.
`reinvocationPolicy` may be set to `Never` or `IfNeeded`. It defaults to `Never`.

- `Never`: the webhook must not be called more than once in a single admission evaluation
- `IfNeeded`: the webhook may be called again as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call.

The reinvocation policy can be set in the helm chart as follows:

!!! example "Helm Chart"
    ```yaml
    webhook:
      reinvocationPolicy: IfNeeded
    ```
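
To check what the failure policy and reinvocation policy answers above mean for a running cluster, the following added example (not part of the k8s-image-swapper project) audits a `MutatingWebhookConfiguration` and lists pod containers whose image does not point at the target registry. The webhook name, the registry `registry.example.internal` and the sample objects are constructed assumptions; real input would be the parsed output of `kubectl get ... -o json`.

```python
def audit_webhooks(cfg):
    """Return (webhook name, finding) pairs for one MutatingWebhookConfiguration."""
    findings = []
    for wh in cfg.get("webhooks", []):
        # admissionregistration.k8s.io/v1 defaults: failurePolicy=Fail, reinvocationPolicy=Never
        if wh.get("failurePolicy", "Fail") == "Ignore":
            findings.append((wh["name"], "failurePolicy=Ignore: pods are admitted "
                             "with the source image if the webhook cannot be called"))
        if wh.get("reinvocationPolicy", "Never") == "Never":
            findings.append((wh["name"], "reinvocationPolicy=Never: containers added "
                             "by later mutating webhooks are not seen"))
    return findings

def unswapped_images(pod_list, target_registry):
    """Return (namespace, pod, container, image) for images outside target_registry."""
    prefix = target_registry.rstrip("/") + "/"
    hits = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        # Sidecar injectors may add init containers as well as regular containers.
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            if not c["image"].startswith(prefix):
                hits.append((meta.get("namespace", "default"), meta["name"],
                             c["name"], c["image"]))
    return hits

# Constructed sample: shape of `kubectl get mutatingwebhookconfiguration <name> -o json`
SAMPLE_WEBHOOK = {
    "metadata": {"name": "k8s-image-swapper"},  # assumed object name
    "webhooks": [{"name": "k8s-image-swapper.example.internal",
                  "failurePolicy": "Ignore", "reinvocationPolicy": "Never"}],
}
# Constructed sample: shape of `kubectl get pods -A -o json`; a sidecar was
# injected after the swap, so its image still references the public registry.
SAMPLE_PODS = {"items": [{
    "metadata": {"namespace": "shop", "name": "web-0"},
    "spec": {"containers": [
        {"name": "app",
         "image": "registry.example.internal/docker.io/library/nginx:1.25"},
        {"name": "istio-proxy", "image": "docker.io/istio/proxyv2:1.20.0"},
    ]},
}]}

if __name__ == "__main__":
    for name, finding in audit_webhooks(SAMPLE_WEBHOOK):
        print(f"{name}: {finding}")
    for hit in unswapped_images(SAMPLE_PODS, "registry.example.internal"):
        print("unswapped:", *hit)
```
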