How to use images from a private container registry for Kubernetes: AWS ECR, Hosted Private Container Registry.
Some container registry providers give both public and private access to the images in their repositories. For public images, as on Docker Hub, there is nothing to configure in the Kubernetes (K8s) cluster. For private images, however, you have to define a way for the cluster to pull them securely. This article explains how Kubernetes is configured to access a private container registry.
Before continuing with Kubernetes, make sure to apply the Client Machine Settings to Use the Registry (described in Creating a Private Container Registry: Repository and Web Service) to all worker nodes of the K8s cluster.
The Structure of the Deployment Object
The Kubernetes Deployment and Pod objects have a special field, imagePullSecrets, for interacting with private registries. With this field you reference the name of the Secret object that holds the credentials needed to pull from the private registry. A sample Deployment file with these settings is shown below.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  labels:
    app: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      imagePullSecrets:
        - name: secret-registry
      containers:
        - name: my-app
          image: ip-172-31-82-125.ec2.internal:5000/nginx
          #image: 046402772087.dkr.ecr.us-east-1.amazonaws.com/my-nginx:latest
          imagePullPolicy: Always
          ports:
            - containerPort: 80
```
The private registry access information is stored in a Secret object, which the Deployment references through the imagePullSecrets field. The name entry is the name of the Secret object that contains the credentials for the private registry.
The Structure of Secret Object
The Kubernetes Secret object has two special types for private registries:
```yaml
type: kubernetes.io/dockercfg
type: kubernetes.io/dockerconfigjson
```
Let’s recall the structure of the Secret object:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: secret-registry
type: kubernetes.io/dockercfg
data:
  # this type expects the legacy ~/.dockercfg layout, not the newer config.json layout
  .dockercfg: <base64 encoded ~/.dockercfg file>
```
or
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: secret-registry
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <base64 encoded ~/.docker/config.json file>
```
As long as this Secret is defined and referenced in the Deployment or Pod definition file, access to the private registry should work smoothly.
Now let’s discuss the ways to create the Secret file.
Create Secret Object from login Command
When we log in to the container registry, the credentials are saved in the ~/.docker/config.json file. We can take the required information from this file and place it in the data portion of the Secret file.
For AWS ECR:
```shell
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin <your-id>.dkr.ecr.us-east-1.amazonaws.com
```
For a hosted private container registry:
```shell
docker login -u username -p password https://private-registry
```
After logging in to the container registry, create the secret data from the stored credentials as follows:
```shell
# -w 0 (GNU coreutils) disables line wrapping, so the output can be pasted as one value
cat ~/.docker/config.json | base64 -w 0
```
Copy the output into the data portion of the Secret file and then try it out in the K8s cluster.
Create Secret Object with kubectl Command
It is also possible to create the Secret object with the kubectl command, in either of the following ways.
You can create the Secret object directly from ~/.docker/config.json:
```shell
# use $HOME rather than ~ here: the shell does not expand a tilde inside a --flag=value argument
kubectl create secret generic secret-registry \
  --from-file=.dockerconfigjson=$HOME/.docker/config.json \
  --type=kubernetes.io/dockerconfigjson
```
Alternatively, you can create the Secret object by entering the credentials directly:
```shell
kubectl create secret docker-registry secret-registry \
  --docker-server=https://private-registry \
  --docker-username=user-name \
  --docker-password=password
```
Note that for AWS ECR, the command aws ecr get-login-password --region us-east-1 returns the password, and the user name is AWS. The ECR server address has the form --docker-server=https://<your-id>.dkr.ecr.<region>.amazonaws.com.
Here secret-registry is the name of the Secret object that is referenced from the Deployment or Pod file.
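As an added example (not code from the original article), the following Python builds the same kubernetes.io/dockerconfigjson Secret that kubectl create secret docker-registry produces, and then checks the most common failure: the registry host in the Secret's auths entry does not match the registry host of the Deployment's image reference. The server, user and password values are constructed sample values.

```python
import base64
import json

# Added example, not from the original article. Constructs a registry Secret
# manifest and verifies it covers the registry host of a given image reference.

def docker_config_json(server: str, username: str, password: str) -> str:
    """Content of ~/.docker/config.json for a single registry login."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    entry = {"username": username, "password": password, "auth": auth}
    return json.dumps({"auths": {server: entry}})

def registry_secret(name: str, server: str, username: str, password: str) -> dict:
    """Secret manifest (as a dict) with config.json base64-encoded into data."""
    payload = docker_config_json(server, username, password).encode()
    data = {".dockerconfigjson": base64.b64encode(payload).decode()}
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "kubernetes.io/dockerconfigjson", "data": data}

def image_registry(image: str) -> str:
    """Registry host of an image reference; Docker Hub when none is given."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def secret_auths(secret: dict) -> dict:
    """Decode data[.dockerconfigjson] back into the auths map."""
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    return json.loads(raw).get("auths", {})

def decoded_auth(secret: dict, server: str) -> str:
    """The 'user:password' pair stored in the auth field of one server entry."""
    return base64.b64decode(secret_auths(secret)[server]["auth"]).decode()

def secret_covers_image(secret: dict, image: str) -> bool:
    """True when the Secret holds credentials for the image's registry host.
    Scheme and trailing slash are ignored, so https://host and host match."""
    hosts = {s.split("://", 1)[-1].rstrip("/") for s in secret_auths(secret)}
    return image_registry(image) in hosts

if __name__ == "__main__":
    # Constructed sample values matching the article's Deployment example.
    s = registry_secret("secret-registry", "ip-172-31-82-125.ec2.internal:5000", "user", "pw")
    print(json.dumps(s, indent=2))
    print(secret_covers_image(s, "ip-172-31-82-125.ec2.internal:5000/nginx"))  # True
    print(secret_covers_image(s, "nginx"))  # False: a bare name pulls from docker.io
```

Run it with a mismatching image to see the false result that, in the cluster, shows up as an ImagePullBackOff with an authentication error.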
Finally, you can test the configuration by applying the Secret and Deployment files accordingly.