I wonder if you can build this into your container runtime config instead. Automatically rewriting is nice but you will still see the rewritten image when reading from the API server.
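For reference, the runtime-side alternative being suggested here is containerd's per-registry host configuration. The two fragments below are an added example (not from the webhook project or any commenter), using an assumed mirror at mirror.internal:5000 and the containerd 1.7 plugin path; containerd 2.x moved the registry section to a different plugin name, so check the version you run.

```toml
# /etc/containerd/config.toml  (containerd 1.7 CRI plugin; path differs in 2.x)
# Point the CRI plugin at a directory of per-registry hosts.toml files.
[plugins."io.containerd.grpc.v1.cri".registry]
  config_path = "/etc/containerd/certs.d"

# /etc/containerd/certs.d/docker.io/hosts.toml
# Pulls for docker.io/* are tried against the mirror first; "server" is the
# upstream that containerd falls back to if the mirror cannot resolve the ref.
# The mirror must answer the same /v2/<name> paths as Docker Hub (a pull-through
# cache), because containerd does not rewrite the repository path here.
server = "https://registry-1.docker.io"

[host."https://mirror.internal:5000"]
  capabilities = ["pull", "resolve"]
```

With this approach the Pod spec stored in the API server keeps the original docker.io reference, since the kubelet hands the name to containerd unchanged and the redirection happens at pull time. The trade-off is that it is per-node configuration owned by whoever manages the hosts, not something you can apply as a cluster object.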
I’ve developed a Kubernetes mutating admission webhook that intercepts Pod creation and update requests to automatically rewrite container image references based on configurable rules. This facilitates redirecting images from public registries (like Docker Hub, GCR, Quay.io) to internal mirrors or caches, enhancing reliability and security.
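To make concrete what such a webhook has to get right, here is an added example (my own illustration, not the announced project's code) of the rewrite core: it normalises an image reference the way Docker does (implicit docker.io, implicit library/ namespace, index.docker.io folded into docker.io), applies a rule table keyed on the source registry, and emits the RFC 6902 patch a mutating webhook would return. The mirror names, the rule table and the sample pod are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Rule maps a normalised source registry host to the mirror prefix that
// replaces it. The values used below are assumptions for this example.
type Rule struct {
	From string // registry host after normalisation, e.g. "docker.io"
	To   string // replacement prefix, e.g. "mirror.internal:5000/dockerhub"
}

// Container and Pod carry only the fields this example needs.
type Container struct {
	Name  string `json:"name"`
	Image string `json:"image"`
}

type Pod struct {
	Spec struct {
		InitContainers []Container `json:"initContainers,omitempty"`
		Containers     []Container `json:"containers"`
	} `json:"spec"`
}

// PatchOp is one RFC 6902 operation; a mutating webhook returns a JSON array
// of these, base64-encoded, in AdmissionReview.response.patch.
type PatchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value string `json:"value"`
}

// splitRegistry applies Docker's short-name rules: the first path component is
// a registry only if it contains '.' or ':' or is "localhost"; otherwise the
// registry is docker.io. index.docker.io is folded into docker.io, and
// single-component Docker Hub names get the implicit "library/" namespace so
// that "nginx" and "docker.io/library/nginx" rewrite identically.
func splitRegistry(ref string) (registry, rest string) {
	registry, rest = "docker.io", ref
	if i := strings.Index(ref, "/"); i >= 0 {
		if first := ref[:i]; strings.ContainsAny(first, ".:") || first == "localhost" {
			registry, rest = first, ref[i+1:]
		}
	}
	if registry == "index.docker.io" {
		registry = "docker.io"
	}
	if registry == "docker.io" && !strings.Contains(rest, "/") {
		rest = "library/" + rest
	}
	return registry, rest
}

// Rewrite returns the reference with its registry replaced by the first
// matching rule's mirror prefix. Tags and digests stay inside rest and pass
// through untouched, so a digest-pinned image still pins the same content.
func Rewrite(ref string, rules []Rule) (string, bool) {
	registry, rest := splitRegistry(ref)
	for _, r := range rules {
		if r.From == registry {
			return r.To + "/" + rest, true
		}
	}
	return ref, false
}

// BuildPatch emits one replace op per container image that a rule rewrites.
// Only "replace" ops are produced, so array indices stay valid in any order.
func BuildPatch(pod Pod, rules []Rule) []PatchOp {
	var ops []PatchOp
	add := func(field string, cs []Container) {
		for i, c := range cs {
			if img, ok := Rewrite(c.Image, rules); ok {
				ops = append(ops, PatchOp{Op: "replace",
					Path:  fmt.Sprintf("/spec/%s/%d/image", field, i),
					Value: img})
			}
		}
	}
	add("initContainers", pod.Spec.InitContainers)
	add("containers", pod.Spec.Containers)
	return ops
}

// DefaultRules is a constructed rule table for the example.
var DefaultRules = []Rule{
	{From: "docker.io", To: "mirror.internal:5000/dockerhub"},
	{From: "gcr.io", To: "mirror.internal:5000/gcr"},
}

func main() {
	// Constructed sample pod (digest shortened for readability).
	const sample = `{"spec":{
	  "initContainers":[{"name":"init","image":"busybox:1.36"}],
	  "containers":[
	    {"name":"web","image":"nginx:1.25"},
	    {"name":"agent","image":"gcr.io/proj/agent@sha256:0123abcd"},
	    {"name":"local","image":"localhost:5000/debug:dev"}]}}`
	var pod Pod
	if err := json.Unmarshal([]byte(sample), &pod); err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(BuildPatch(pod, DefaultRules), "", "  ")
	fmt.Println(string(out))
}
```

Ephemeral containers are deliberately left out; a real webhook should cover them too, and should be registered for Pods across the namespaces it matters for, since a rule that only hits Deployments would miss bare Pods and Jobs.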
How would this interact with IaC systems like ArgoCD - I imagine conflicts would be detected and ArgoCD would try to autosync to restore the cluster state to match the repo.
Of course, being able to deploy this inside of Kubernetes itself is a huge boon.
It was a mistake to make the image registry and its configuration hosted outside the cluster. It makes no sense. You should be able to configure containerd registries effortlessly from inside the cluster.
Webhooks like yours will still be needed for a while (or programmable frameworks like Kyverno).
I guess if you don't control the platform you are running on, this is a way to do it in "userspace".