
The purpose of this controller is to safeguard the images used by workloads (Deployment, DaemonSet) by copying them to a backup registry.

The controller watches the images of Deployments and DaemonSets, copies them to a backup registry and reconfigures the objects to use the copies.


Build and push docker image:

make docker-build docker-push IMG=<image_name>

Change image name (docker-configuration):


# Excerpt: only the fields to change are shown.
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: manager
          image: <image_name>
          imagePullPolicy: Always

Change docker credentials in the k8s secret (docker-configuration):


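apiVersion: v1
kind: Secret
metadata:
  name: docker-configuration
  namespace: backup-image-registry
# stringData takes the plain-text JSON below; under data it would have to be base64-encoded.
stringData:
  config.json: |
    {
      "auths": {
        "https://index.docker.io/v1/": {
          "username": "<username>",
          "password": "<password>"
        }
      }
    }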

Change configuration of controller:


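apiVersion: v1
kind: ConfigMap
metadata:
  name: k8s-backup-image-registry-controller-configuration
  namespace: backup-image-registry
data:
  # Comma-separated namespaces the controller must not touch.
  NAMESPACES_EXCLUDE_LIST: "kube-system<,namespace1,...>"
  # Registry and repository prefix that receives the image copies.
  REGISTRY_PREFIX: "<registry.domain/username>"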

Create a controller deployment instance and the namespace (backup-image-registry):

kubectl apply -f ./config/default/
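
How NAMESPACES_EXCLUDE_LIST and REGISTRY_PREFIX could drive the image rewrite, as an added example that is not the controller's own code. The function names, the flattened naming scheme under the prefix and the sample values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// excluded reports whether namespace is listed in NAMESPACES_EXCLUDE_LIST.
func excluded(namespace, list string) bool {
	for _, ns := range strings.Split(list, ",") {
		if strings.TrimSpace(ns) == namespace {
			return true
		}
	}
	return false
}

// backupRef maps image under prefix (REGISTRY_PREFIX); the naming scheme is an assumption.
func backupRef(image, prefix string) string {
	if strings.HasPrefix(image, prefix+"/") {
		return image // already rewritten: a second reconcile must be a no-op
	}
	name, suffix := image, ":latest"
	if i := strings.Index(name, "@"); i >= 0 {
		name, suffix = name[:i], name[i:] // keep the digest pin
	}
	// A colon after the last slash is a tag; before it, a registry port.
	if i := strings.LastIndex(name, ":"); i > strings.LastIndex(name, "/") {
		if suffix == ":latest" {
			suffix = name[i:]
		}
		name = name[:i]
	}
	// Docker Hub defaults: no host means docker.io, no namespace means library/.
	first, _, hasSlash := strings.Cut(name, "/")
	if !hasSlash {
		name = "docker.io/library/" + name
	} else if !strings.ContainsAny(first, ".:") && first != "localhost" {
		name = "docker.io/" + name
	}
	return prefix + "/" + strings.NewReplacer("/", "_", ":", "_").Replace(name) + suffix
}

func main() {
	prefix := "registry.example.com/backup" // constructed sample values throughout
	for _, img := range []string{"nginx:1.25", "localhost:5000/app", "quay.io/org/app@sha256:abc"} {
		fmt.Println(img, "->", backupRef(img, prefix))
	}
	fmt.Println("kube-system excluded:", excluded("kube-system", "kube-system,namespace1"))
}
```

Keeping the digest in the rewritten reference only works if the copy step transfers the manifest unchanged, so that the digest stays the same in the backup registry.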

Alternative implementation

Use admission webhooks instead. So far kubebuilder doesn't help much with this; it probably makes sense to have a look later.


  • check if a new image version is reuploaded
  • check admission webhooks
  • fix leader election
  • set correct service account
  • do not upload image if already exists
  • if error on update - return original image
  • configurable timeout
  • to be able to use a custom namespace
  • more convenient image name parser
  • use Golang's generics
  • "kustomization" k8s manifests