How a Kubernetes cluster pulls container images using the password-free component

Prerequisite

• You need to create a registered cluster and connect your self-built Kubernetes cluster to it. For details, see Creating an AliCloud registration cluster and accessing the self-built Kubernetes cluster.

Be careful

• Configuring a pull credential (imagePullSecret) in a Kubernetes resource template (such as a Deployment) causes the password-free component to fail. If you want to use the password-free component, do not configure imagePullSecret manually.

• If the deployed Kubernetes resource (such as a Deployment) uses a custom ServiceAccount, adjust the service-account field in the password-free component's configuration file so that it covers the custom ServiceAccount before you deploy the resource.

• After a new ServiceAccount is created in the cluster, it takes some time before the ACR private-image pull token, which the password-free plug-in generates from the default permissions of the ACK cluster, is written into that ServiceAccount; applications that use the ServiceAccount then pull images with this token. If an application is created immediately after its ServiceAccount, the pull fails with an authentication error.

• By default, the password-free plug-in overwrites the imagePullSecret field of the default ServiceAccount in every namespace of the ACK cluster. Which ServiceAccounts are overwritten follows the service-account field of the acr-configuration configuration item in the kube-system namespace.

• When you modify the acr-configuration configuration item in the kube-system namespace, make sure the indentation matches the scenario example. It is recommended to copy the YAML of the corresponding scenario into the editor, change the values, and apply it to the cluster directly, so that the YAML format stays correct.
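The three caveats above (a manually set imagePullSecret, a custom ServiceAccount not covered by the service-account field, and deploying before the pull token has been injected) can be checked before a workload is applied. The following preflight script is an added example and not Alibaba Cloud's own code: it takes the objects that `kubectl get <kind> <name> -o json` prints for the Deployment, the acr-configuration configuration item and the ServiceAccount, and assumes that the service-account key holds a comma-separated list of ServiceAccount names with "*" meaning all of them.

```python
# Assumption (not stated on this page): the service-account key holds a
# comma-separated list of ServiceAccount names, and "*" means every one.
def covered_service_accounts(acr_configmap):
    raw = acr_configmap.get("data", {}).get("service-account", "default")
    return {name.strip() for name in raw.split(",") if name.strip()}

def preflight(deployment, acr_configmap, service_account):
    """Return a list of problems; an empty list means the pull should work."""
    problems = []
    pod_spec = deployment["spec"]["template"]["spec"]
    sa_name = pod_spec.get("serviceAccountName", "default")
    # Caveat 1: a hand-written imagePullSecret breaks the password-free component.
    if pod_spec.get("imagePullSecrets"):
        problems.append("pod template sets imagePullSecrets manually; remove it")
    # Caveat 2: the ServiceAccount must be covered by the service-account field.
    covered = covered_service_accounts(acr_configmap)
    if "*" not in covered and sa_name not in covered:
        problems.append(f"ServiceAccount {sa_name} not listed in acr-configuration "
                        f"service-account ({', '.join(sorted(covered))})")
    # Caveat 3: the plug-in needs time to inject the ACR pull token into the
    # ServiceAccount; until then its imagePullSecrets list is empty.
    if not service_account.get("imagePullSecrets"):
        problems.append(f"ServiceAccount {sa_name} has no imagePullSecrets yet; "
                        "wait for the token to be injected before deploying")
    return problems

# Constructed sample objects (placeholder names, not captured from a cluster).
SAMPLE_CONFIGMAP = {"data": {"service-account": "default,app-sa"}}
SAMPLE_DEPLOYMENT = {"spec": {"template": {"spec": {
    "serviceAccountName": "app-sa",
    "containers": [{"name": "web", "image": "registry-placeholder/ns/app:1.0"}]}}}}
SAMPLE_DEPLOYMENT_MANUAL_SECRET = {"spec": {"template": {"spec": {
    "serviceAccountName": "app-sa", "imagePullSecrets": [{"name": "my-secret"}],
    "containers": [{"name": "web", "image": "registry-placeholder/ns/app:1.0"}]}}}}
SAMPLE_SA_READY = {"metadata": {"name": "app-sa"},
                   "imagePullSecrets": [{"name": "acr-token-placeholder"}]}
SAMPLE_SA_NEW = {"metadata": {"name": "app-sa"}}

if __name__ == "__main__":
    for label, dep, sa in [("ready", SAMPLE_DEPLOYMENT, SAMPLE_SA_READY),
                           ("new SA", SAMPLE_DEPLOYMENT, SAMPLE_SA_NEW),
                           ("manual secret", SAMPLE_DEPLOYMENT_MANUAL_SECRET, SAMPLE_SA_READY)]:
        print(label, preflight(dep, SAMPLE_CONFIGMAP, sa) or ["ok"])
```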

Background information

The image and cluster restrictions that apply when using the password-free component are as follows:

• Images

• Supports pulling private images from Enterprise Edition and Personal Edition instances of Container Registry.

• Supports pulling private images from the Container Registry of the account that owns the cluster. Private images of other accounts can be pulled through cross-account authorization or by configuring an AccessKey ID and AccessKey Secret.

• Supports cross-region pulls of private images from Container Registry.

• Clusters

• Supports password-free pulls in multiple namespaces of the cluster.

• Supported cluster types:

• Dedicated Kubernetes cluster.

• Managed Kubernetes cluster.

• Registered cluster.

• Supported cluster versions:

• Self-built Kubernetes cluster: versions 1.11.2 and later support password-free image pulls by default.

Step 1: Configure the RAM permissions of the password-free component in the self-built cluster

Before installing the component in the registered cluster, you need to configure the AccessKey (AK) that the component uses to access cloud services from the cluster. Before configuring the AK, create a RAM user and grant it permissions on the relevant cloud resources.

1. Create a RAM user. For the specific steps, see Creating RAM Users.

2. Create a permission policy. For the specific steps, see Creating a Custom Policy. Grant the RAM permissions shown below.

3. Grant the permissions to the RAM user. For the specific steps, see Authorizing RAM Users.

4. Create an AK for the RAM user. For how to create an AK for a RAM user, see Getting AccessKey.

5. Use the AK to create a Secret named alibaba-addon-secret in the self-built Kubernetes cluster. When the relevant components are installed in Step 2, this AK is referenced automatically to access the corresponding cloud service resources.

In the code above, replace the placeholders with the AK information you obtained.

Step 2: Upgrade and configure components

Before using the password-free component to pull images, you may need to upgrade and configure the component. The steps are as follows.

1. Upgrade the aliyun-acr-credential-helper component.

A. Log in to the container service management console.

B. In the left navigation pane of the console, click Clusters.

C. On the cluster list page, choose More > System Component Management in the Actions column of the target cluster.

D. In the Security section, find aliyun-acr-credential-helper and click Upgrade.

2. Set the acr-configuration configuration item through the console.

A. Log in to the container service management console.

B. In the left navigation pane of the console, click Clusters.

C. On the cluster list page, click Details in the row of the target cluster.

D. In the left navigation pane of the cluster details page, choose Configuration Management > Configuration Item.

E. In the namespace drop-down list at the top of the configuration item page, select kube-system, find the configuration item acr-configuration, and configure it in one of the following two ways.

• Method 1: click Edit on the right to set the configuration keys and values. If the acr-configuration configuration item does not exist, see Create a configuration item. For how to update a configuration item, see Modifying a Configuration Item.

• Method 2: click YAML Edit on the right to set the configuration keys and values.

F. The keys and values of the acr-configuration configuration item are described below.

3. Set the acr-configuration configuration item through the kubectl command line.

A. Run the following command to open the acr-configuration configuration item for editing.

kubectl edit cm acr-configuration -n kube-system

B. Set the values of the acr-configuration configuration item according to your situation. Examples for the Enterprise Edition and default Container Registry instances are given below.

• Enterprise Edition

Scenario 1: Pull private images of personal and enterprise instances

ACK supports pulling private images of both the Enterprise Edition and the Personal Edition at the same time, only Enterprise Edition private images, or only Personal Edition private images. Modify the configMap in the acr-configuration configuration item as follows for your scenario. For the configuration steps, see the component configuration section above. The configuration contents are as follows:

• Configuration for pulling Enterprise Edition private images.

• Configuration for pulling Personal Edition private images.

• Configuration for pulling Personal Edition and Enterprise Edition private images at the same time.

Scenario 2: Configure cross-region pull image permissions

If the image to be pulled is not in the same region as the current ACK cluster, you need to modify the configMap in the acr-configuration configuration item.

For example, to let the default registry pull images from both the Beijing and Hangzhou regions, use the following configuration. For the configuration steps, see the component configuration section above.
