Automate migration of Docker images from public to private registries
Privateer is a powerful CLI tool that scans Kubernetes clusters and GitHub repositories to identify public Docker images and automatically migrates them to private registries, ensuring enhanced security and control over your infrastructure.
As security and compliance concerns grow, organizations need to migrate their Docker images from public registries (DockerHub, ECR Public, etc.) to private registries. Privateer automates this complex process with enterprise-grade reliability.
- Kubernetes cluster scanning (Deployments, StatefulSets, DaemonSets, Jobs, CronJobs)
- Automatic public/private image detection with smart algorithms
- Init containers and multi-container pods support
- Custom registry classification rules
- Namespace filtering and context switching
- Automated Pull/Tag/Push workflow to private registries
- Multiple registry support with priority-based selection
- Concurrent processing (configurable 1-10 threads)
- Dry-run mode for safe testing and validation
- Health checks and authentication validation
- Duplicate detection and anti-collision system
- Docker Registry (registry:2) - Production ready
- Harbor (self-hosted) - Production ready
- AWS ECR (Elastic Container Registry) - Production ready
- GitHub Container Registry - Coming in v0.3.0
- Azure Container Registry - Coming in v0.3.0
- Google Container Registry - Coming in v0.3.0
- Priority-based registry selection (0-100 scale)
- Multiple registries mode vs single registry mode
- AWS ECR authentication (3 methods: credentials, profiles, IAM)
- SSL/TLS support with insecure mode option
- Custom detection rules for public/private classification
- HTML reports with visual charts and statistics
- Discord webhook integration for real-time notifications
- Detailed migration logs with structured JSON output
- Success/failure metrics and performance analytics
Linux/macOS:
curl -sSL https://raw.githubusercontent.com/kevinfinalboss/privateer/main/scripts/install.sh | bash
Windows (PowerShell):
irm https://raw.githubusercontent.com/kevinfinalboss/privateer/main/scripts/install.ps1 | iex
Go Install:
go install github.com/kevinfinalboss/privateer/cmd/privateer@latest
Manual Download: Download binaries from GitHub Releases

privateer init
Edit ~/.privateer/config.yaml:
registries:
  # Docker Registry with highest priority
  - name: "docker-local"
    type: "docker"
    enabled: true
    priority: 10 # Highest priority (0-100)
    url: "registry.company.com"
    username: "admin"
    password: "secure-password"
    insecure: false
  # AWS ECR with medium priority
  - name: "ecr-prod"
    type: "ecr"
    enabled: true
    priority: 5
    region: "us-east-1"
    account_id: "123456789012"
    # Uses default AWS credentials
settings:
  multiple_registries: false # true = all enabled registries
                             # false = highest priority only
  concurrency: 3
webhooks:
  discord:
    enabled: true
    url: "https://discord.com/api/webhooks/..."

# Basic scan
privateer scan cluster
# Dry-run simulation
privateer scan cluster --dry-run
# Different language
privateer scan cluster --language=en-US
# Simulate migration (generates HTML report)
privateer migrate cluster --dry-run
# Execute migration (generates HTML report + Discord notifications)
privateer migrate cluster

registries:
  - name: "primary-registry"
    priority: 10 # Highest priority
    enabled: true
  - name: "backup-registry"
    priority: 5 # Medium priority
    enabled: true
  - name: "archive-registry"
    priority: 1 # Lowest priority
    enabled: false # Disabled

Behavior:
- multiple_registries: false → Only highest priority registry receives images
- multiple_registries: true → All enabled registries receive images
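The selection rule described above, written out in Go. This is an added example, not Privateer's own code: the Registry struct, SelectTargets, the name-based tie-break and the rejection of priorities outside 0-100 are assumptions of the example; only the enabled/priority/multiple_registries behaviour comes from the text.

```go
package main

import (
	"fmt"
	"sort"
)

// Registry holds only the config.yaml fields that drive target selection.
type Registry struct {
	Name     string
	Enabled  bool
	Priority int // 0-100, higher value wins
}

// SelectTargets returns the registries that receive images, highest priority first.
func SelectTargets(regs []Registry, multiple bool) ([]string, error) {
	var enabled []Registry
	for _, r := range regs {
		if r.Priority < 0 || r.Priority > 100 {
			return nil, fmt.Errorf("registry %q: priority %d outside 0-100", r.Name, r.Priority)
		}
		if r.Enabled {
			enabled = append(enabled, r)
		}
	}
	if len(enabled) == 0 {
		return nil, fmt.Errorf("no enabled registry: images would have no private target")
	}
	sort.Slice(enabled, func(i, j int) bool {
		if enabled[i].Priority != enabled[j].Priority {
			return enabled[i].Priority > enabled[j].Priority
		}
		return enabled[i].Name < enabled[j].Name // tie-break by name: assumption of this example
	})
	if !multiple {
		enabled = enabled[:1] // multiple_registries: false keeps only the top entry
	}
	names := make([]string, 0, len(enabled))
	for _, r := range enabled {
		names = append(names, r.Name)
	}
	return names, nil
}

func main() {
	// Constructed input: the three registries from the example above.
	regs := []Registry{{"primary-registry", true, 10}, {"backup-registry", true, 5}, {"archive-registry", false, 1}}
	fmt.Println(SelectTargets(regs, false))
	fmt.Println(SelectTargets(regs, true))
}
```

Returning an error when no registry is enabled makes a misconfiguration visible before any image is pulled, rather than silently migrating nothing.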
Method 1: Direct Credentials
- name: "ecr-direct"
  type: "ecr"
  region: "us-east-1"
  access_key: "AKIAIOSFODNN7EXAMPLE"
  secret_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

Method 2: AWS Profiles
- name: "ecr-profiles"
  type: "ecr"
  region: "us-east-1"
  account_id: "123456789012" # Required for profile filtering
  profiles:
    - "production"
    - "default"

Method 3: Default Credentials (Recommended)
- name: "ecr-default"
  type: "ecr"
  region: "us-east-1"
  # Uses IAM roles, environment variables, or ~/.aws/credentials

Privateer automatically generates professional HTML reports for every migration:
~/.privateer/reports/
├── privateer-dryrun-2025-01-24_15-30-45.html # Simulation reports
├── privateer-report-2025-01-24_16-45-12.html # Production reports
└── privateer-dryrun-2025-01-24_17-20-33.html # Historical reports
- Executive dashboard with key metrics and success rates
- Registry-specific statistics with priority information
- Detailed migration list with source/target mappings
- Configuration summary showing enabled registries
- Professional design optimized for sharing and archival
privateer/
├── cmd/privateer/ # Application entry point
├── internal/
│   ├── cli/ # CLI commands (Cobra)
│   ├── config/ # Configuration management
│   ├── kubernetes/ # K8s client and scanner
│   ├── logger/ # Structured logging with i18n
│   ├── registry/ # Registry implementations
│   ├── migration/ # Migration engine
│   ├── reporter/ # HTML report generation
│   └── webhook/ # Discord notifications
├── pkg/types/ # Shared type definitions
├── locales/ # Translation files
└── scripts/ # Installation and build scripts
# Configuration for enterprise with multiple registries
registries:
  - name: "production-ecr"
    type: "ecr"
    enabled: true
    priority: 10
    region: "us-east-1"
  - name: "backup-harbor"
    type: "harbor"
    enabled: true
    priority: 5
    url: "harbor.company.com"
    project: "backup"

# Execute with notifications
privateer migrate cluster

Result:
- Single mode: Only production-ecr receives images (priority 10 > 5)
- Multiple mode: Both registries receive identical copies
- Reports: HTML report saved to ~/.privateer/reports/
- Notifications: Discord alerts with migration status
# Generate compliance report
privateer migrate cluster --dry-run --log-level debug
# View detailed HTML report
open ~/.privateer/reports/privateer-dryrun-*.html

- AWS ECR integration with 3 authentication methods
- Priority-based registry selection system
- Multiple registries support with intelligent routing
- HTML reporting with visual charts and statistics
- Discord webhook integration for real-time notifications
- Advanced duplicate detection and anti-collision system
- GitHub Container Registry support
- Azure Container Registry integration
- GitHub repository scanning for Dockerfiles
- Automated Pull Request generation with updated images
- ArgoCD/Flux integration for GitOps workflows
- Web dashboard with real-time monitoring
- Prometheus metrics and alerting
- RBAC and multi-tenancy support
- Compliance reporting and audit trails
- Advanced scheduling and batch processing
- Go 1.24+
- Kubernetes cluster (for testing)
- Docker (for local registry testing)
# Clone repository
git clone https://github.com/kevinfinalboss/privateer.git
cd privateer
# Install dependencies
go mod download
# Development build
make dev
# Run tests
make test
# Local execution
make run ARGS="scan cluster --dry-run"

# Multi-platform release
make release
# Clean build artifacts
make clean
# Code quality checks
make lint

We welcome contributions from the community!
- Fork the repository
- Create a feature branch (git checkout -b feature/amazing-feature)
- Commit your changes (git commit -m 'Add amazing feature')
- Push to the branch (git push origin feature/amazing-feature)
- Open a Pull Request
- Implement the Registry interface in internal/registry/
- Add support in NewEngine() in manager.go
- Update configuration examples and documentation
- Add comprehensive tests
~/.privateer/
├── config.yaml # <1KB - Configuration
└── reports/ # ~100KB per report
    └── *.html # Self-contained HTML files
This project is licensed under the MIT License - see the LICENSE file for details.
- Email: kevinmg50@gmail.com
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Documentation: docs/
- Cobra - Powerful CLI framework
- Zerolog - High-performance structured logging
- Kubernetes Client - Official Kubernetes API client
- AWS SDK - AWS integration
Built with ❤️ for the DevOps and Platform Engineering community
