How to use images from a private container registry for Kubernetes: AWS ECR, Hosted Private Container Registry.

Joe Blue
Published in Clarusway
Dec 24, 2020
Accessing the hosted private container registry from Kubernetes

Some container registry providers give both public and private access to the images in their repositories. For public images, as on Docker Hub, there is nothing to configure in the Kubernetes (K8s) cluster. For private images, however, you have to define a way for the cluster to reach them securely. This article explains the methodology Kubernetes provides for accessing a private container registry.

Before continuing with Kubernetes, make sure the Client Machine Settings to Use the Registry described in Creating a Private Container Registry: Repository and Web Service have been applied to all worker nodes of the K8s cluster; it is the container runtime on those nodes, not kubectl, that pulls the images.

The Structure of the Deployment Object

The Kubernetes Deployment object, through its Pod template (and the Pod object itself), has a dedicated field, imagePullSecrets, for interacting with private registries. In this field you reference the name of the Secret object that holds the credentials for the private registry. A sample Deployment file with these settings is shown below.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  labels:
    app: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      imagePullSecrets:
        - name: secret-registry
      containers:
        - name: my-app
          image: ip-172-31-82-125.ec2.internal:5000/nginx
          #image: 046402772087.dkr.ecr.us-east-1.amazonaws.com/my-nginx:latest
          imagePullPolicy: Always
          ports:
            - containerPort: 80

The private registry access information is stored in a Secret object, which the Deployment file references through the imagePullSecrets field. The name given there is the name of the Secret that contains the credentials for the private registry.

The Structure of Secret Object

The Kubernetes Secret object has two dedicated types for private registry credentials: kubernetes.io/dockercfg for the legacy ~/.dockercfg file format and kubernetes.io/dockerconfigjson for the current ~/.docker/config.json format.

type: kubernetes.io/dockercfg
type: kubernetes.io/dockerconfigjson

Let’s remember the structure of Secret object:

apiVersion: v1
kind: Secret
metadata:
  name: secret-registry
type: kubernetes.io/dockercfg
data:
  .dockercfg: <base64-encoded legacy ~/.dockercfg file>

or

apiVersion: v1
kind: Secret
metadata:
  name: secret-registry
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <base64-encoded ~/.docker/config.json file>

Once this Secret has been defined and referenced in the Deployment or Pod definition file, access to the private registry should work smoothly.

Now let’s discuss the ways to create the Secret file.

Create Secret Object from login Command

When we log in to the container registry, the credentials are saved in the ~/.docker/config.json file. We can take the required information from this file and place it in the data portion of the Secret.

For AWS ECR:

aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin <your-id>.dkr.ecr.us-east-1.amazonaws.com

For a hosted private container registry (note that a password passed with -p ends up in the shell history; --password-stdin, as in the ECR command above, avoids that):

docker login -u username -p password  https://private-registry

First, after logging in to the container registry, create the secret data from the stored file as follows (-w 0 keeps the base64 output on a single line):

base64 -w 0 ~/.docker/config.json

You can now copy the output into the data portion of the Secret file as the value of .dockerconfigjson, since the contents of config.json already match that type. Next, give it a try in the K8s cluster.

Create Secret Object with kubectl Command

It is also possible to create the Secret object with the kubectl command, in either of the following ways.

Second, you can create the Secret object directly from ~/.docker/config.json (use $HOME rather than ~ here, because the shell does not expand a tilde inside an option value):

kubectl create secret generic secret-registry \
--from-file=.dockerconfigjson=$HOME/.docker/config.json \
--type=kubernetes.io/dockerconfigjson

Third, you can create the Secret object by entering the credentials on the command line:

kubectl create secret docker-registry secret-registry \
--docker-server=https://private-registry \
--docker-username=user-name \
--docker-password=password

Note that for AWS ECR, the command aws ecr get-login-password --region us-east-1 prints the password and the user name is AWS. The token it returns is valid for 12 hours, so a Secret built from it has to be refreshed before it expires.

The ECR server address has the form:
--docker-server=https://<your-id>.dkr.ecr.<region>.amazonaws.com

The secret-registry is the name of the Secret object to reference inside the Deployment or Pod file.

Finally, you can test the configuration by applying the Deployment and Secret files accordingly.
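The Deployment, the two Secret types and the kubectl creation steps above fit together into a small pre-apply check. The following is an added example written for this article, not code from the original post or from Kubernetes: it builds the same kubernetes.io/dockerconfigjson Secret that kubectl create secret generic --from-file produces from a config.json, decodes either Secret type back into its registry map, and checks a Deployment for the usual causes of ImagePullBackOff (the referenced Secret is missing, has the wrong type, or holds no credentials for the image's registry host). The registry hosts, credentials, the 123456789012 account id and the manifest names are constructed placeholders.

```python
"""Added example (not from the original post): build an image pull Secret
from a Docker config.json and check a Deployment against it before apply."""
import base64
import json

# Constructed sample of ~/.docker/config.json as written by `docker login`.
# Each "auth" value is base64("username:password"); these are placeholders.
SAMPLE_DOCKER_CONFIG = {
    "auths": {
        "private-registry.example.internal:5000": {
            "auth": base64.b64encode(b"user-name:password").decode()
        },
        "https://index.docker.io/v1/": {
            "auth": base64.b64encode(b"hubuser:hubpass").decode()
        },
    }
}


def build_pull_secret(name, docker_config):
    """Manifest equivalent to `kubectl create secret generic NAME
    --from-file=.dockerconfigjson=... --type=kubernetes.io/dockerconfigjson`:
    the whole config.json goes into data, base64-encoded on one line."""
    raw = json.dumps(docker_config, separators=(",", ":")).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(raw).decode()},
    }


def decode_pull_secret(secret):
    """Return the registry -> auth map stored in a pull Secret of either type."""
    if secret.get("type") == "kubernetes.io/dockerconfigjson":
        cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
        return cfg.get("auths", {})
    if secret.get("type") == "kubernetes.io/dockercfg":
        # Legacy ~/.dockercfg format: the file itself is the registry -> auth map.
        return json.loads(base64.b64decode(secret["data"][".dockercfg"]))
    raise ValueError("not an image pull Secret: type %r" % secret.get("type"))


def registry_host(image):
    """Registry host of an image reference, following Docker's rule: the first
    path component is a registry only if it contains '.' or ':' or is
    'localhost'; anything else (nginx, library/nginx) lives on Docker Hub."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def normalize_host(host):
    """Map the host keys found in config.json onto plain registry hosts."""
    for scheme in ("https://", "http://"):
        if host.startswith(scheme):
            host = host[len(scheme):]
    host = host.rstrip("/")
    if host in ("index.docker.io/v1", "index.docker.io", "registry-1.docker.io"):
        return "docker.io"
    return host


def sample_deployment(image, secret_name="secret-registry"):
    """Deployment with the imagePullSecrets/containers layout used in the post."""
    pod_spec = {
        "imagePullSecrets": [{"name": secret_name}],
        "containers": [{"name": "my-app", "image": image}],
    }
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": "my-app"},
        "spec": {"template": {"spec": pod_spec}},
    }


def check_deployment(deployment, secrets):
    """Pre-apply checks for the usual causes of ImagePullBackOff with a private
    registry. `secrets` maps Secret name -> manifest; returns a list of findings."""
    findings = []
    pod = deployment["spec"]["template"]["spec"]
    refs = [r["name"] for r in pod.get("imagePullSecrets", [])]
    if not refs:
        findings.append("pod template has no imagePullSecrets")
    covered = set()  # registry hosts the referenced Secrets hold credentials for
    for name in refs:
        secret = secrets.get(name)
        if secret is None:
            findings.append("imagePullSecrets references missing Secret '%s'" % name)
            continue
        try:
            covered.update(normalize_host(h) for h in decode_pull_secret(secret))
        except ValueError as err:
            findings.append("Secret '%s': %s" % (name, err))
    for container in pod.get("containers", []):
        host = registry_host(container["image"])
        if host not in covered:
            findings.append("image '%s' needs credentials for %s; none in referenced Secrets"
                            % (container["image"], host))
    return findings


if __name__ == "__main__":
    secret = build_pull_secret("secret-registry", SAMPLE_DOCKER_CONFIG)
    print(json.dumps(secret, indent=2))  # kubectl apply -f accepts JSON manifests
    dep = sample_deployment("private-registry.example.internal:5000/nginx")
    print(check_deployment(dep, {"secret-registry": secret}) or "checks passed")
```

Run it with a real config.json by loading the file with json.load in place of SAMPLE_DOCKER_CONFIG; the printed Secret can be applied directly, and the findings list tells you before the first pod is scheduled whether the Deployment's image host is actually covered by the credentials you stored.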

I have been working in the IT industry for almost 20 years in various positions. Nowadays, I have started my career journey in AWS Cloud and DevOps fields.