Image Policy Webhook

Revision 1

Docker Hub rate limits and registry outages shouldn't break your deployments. This flow intercepts deployments at the K8s API level and rewrites container image references to your local registry before pods are created. No patching after the fact, no double rollouts, no GitOps drift. If you've used Kyverno's admission policies to rewrite images with YAML rules, this is the same idea — but visual and without the policy YAML. Configure your local registry, pick which namespaces to cover, click Start.

How it works

1. Ticker fires with your config.
2. Cert Generate creates a self-signed TLS cert for the in-cluster HTTPS server. No manual openssl, no cert-manager dependency.
3. Webhook Register creates a MutatingWebhookConfiguration in K8s, pointing at the HTTPS server with the generated CA bundle.
4. HTTPS Server starts and listens for admission requests.
5. On every deployment CREATE/UPDATE, K8s sends the spec to the server. A JS policy rewrites image references (docker.io, ghcr.io, quay.io, gcr.io) to your local registry and returns a JSON patch.

The webhook runs with failurePolicy: Ignore. If the flow is down, deployments go through with original images. Your cluster never locks up because of the webhook.

Setup

1. Install this solution.
2. You need a local OCI registry accessible from the cluster. We use zot with the sync extension for pull-through caching — first pull fetches from upstream, everything after that is local. See the blog post for the full zot values.yaml.
3. Open the Ticker settings. Set your local registry address, namespace filter (empty for all), which registries to rewrite, and which namespaces to skip (kube-system etc.).
4. Start the Ticker. The cert is generated, webhook is registered, HTTPS server starts. Done.
What you can configure

- Local registry address
- Namespace filter (empty = all namespaces)
- Registries to rewrite (comma-separated: docker.io, ghcr.io, quay.io, gcr.io)
- Namespaces to skip (comma-separated: kube-system, kube-public, etc.)
- Webhook name

Compared to the reactive Image Mirror

The Image Mirror solution scans every 5 minutes, copies images, and patches deployments. It works, but deployments roll out twice and Flux can revert the patches. This webhook approach rewrites at the API level — one rollout, git stays clean. Use Image Mirror as a one-time migration for existing deployments, then switch to this for everything going forward.
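The JS policy from step 5 of "How it works", as an added example that is not this solution's own code: it skips configured namespaces, rewrites references from the configured registries to the local registry, and wraps the result in an AdmissionReview response carrying an RFC 6902 JSON patch. The config shape, the address registry.local:5000 and the <local>/<upstream-host>/<path> mirror layout are assumptions, and the example goes slightly beyond the text by also normalizing implicit Docker Hub names such as nginx to docker.io/library/nginx.

```javascript
const config = {             // constructed config; field names and address are assumptions
  localRegistry: "registry.local:5000",
  rewriteRegistries: ["docker.io", "ghcr.io", "quay.io", "gcr.io"],
  skipNamespaces: ["kube-system", "kube-public"],
};

// Split an image reference into registry host and remainder. The first segment is a
// registry only if it has "." or ":" or is "localhost"; otherwise it is implicit docker.io.
function parseImage(image) {
  const first = image.split("/")[0];
  const explicit = image.includes("/") && /[.:]|^localhost$/.test(first);
  if (explicit) return { registry: first, rest: image.slice(first.length + 1) };
  return { registry: "docker.io", rest: image.includes("/") ? image : `library/${image}` };
}

// Rewrite to <local>/<upstream-host>/<path> (assumed mirror layout); registries
// outside the rewrite list, including the local one, are returned unchanged.
function rewriteImage(image, cfg) {
  const { registry, rest } = parseImage(image);
  if (!cfg.rewriteRegistries.includes(registry)) return image;
  return `${cfg.localRegistry}/${registry}/${rest}`;
}

// RFC 6902 patch for a Deployment's pod template (initContainers and containers);
// a skipped namespace or nothing to rewrite yields [].
function buildPatch(deployment, cfg) {
  const ns = (deployment.metadata && deployment.metadata.namespace) || "default";
  if (cfg.skipNamespaces.includes(ns)) return [];
  const patch = [];
  for (const kind of ["initContainers", "containers"]) {
    (deployment.spec.template.spec[kind] || []).forEach((c, i) => {
      const value = rewriteImage(c.image, cfg);
      if (value !== c.image) {
        patch.push({ op: "replace", path: `/spec/template/spec/${kind}/${i}/image`, value });
      }
    });
  }
  return patch;
}

// Wrap the patch in the AdmissionReview response the API server expects.
function admissionResponse(review, cfg) {
  const patch = buildPatch(review.request.object, cfg);
  const response = { uid: review.request.uid, allowed: true };
  if (patch.length > 0) {
    response.patchType = "JSONPatch";
    response.patch = Buffer.from(JSON.stringify(patch)).toString("base64");
  }
  return { apiVersion: "admission.k8s.io/v1", kind: "AdmissionReview", response };
}
```

Because images already pointing at the local registry are left alone, the same policy is safe on UPDATE events that re-submit an object it has already mutated.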
Modules: 6 flows, 1 node, 1 page, 0 widgets