Kubernetes - Root

Kubernetes clusters pull images via containerd (or Docker) and require credentials to access cr.root.io. This guide covers both the credential configuration and optional policy enforcement to ensure all images come from Root.

Prerequisites

[kubectl access, Root registry credentials, cluster admin rights for mirror configuration coming soon]

ImagePullSecrets

[Creating the registry Secret, referencing it in Pod specs and ServiceAccounts, cluster-wide default coming soon]

containerd Registry Mirror

[Configuring /etc/containerd/config.toml to mirror cr.root.io - node-level and via DaemonSet coming soon]

Helm Chart Configuration

[image.registry override patterns, global registry settings in Helm charts coming soon]

Admission Control

[Using OPA Gatekeeper or Kyverno to enforce that all images are pulled from cr.root.io coming soon]

Validating Webhook

[Root’s optional admission webhook for policy enforcement and SBOM attestation verification coming soon]

⌘I

​Prerequisites

​ImagePullSecrets

​containerd Registry Mirror

​Helm Chart Configuration

​Admission Control

​Validating Webhook