Pull images from an ACR Enterprise Edition instance within the same account by using the secret-free component - Container Registry

The secret-free component automates the authentication process for pulling container images. This eliminates the need to repeatedly configure imagePullSecrets. This topic describes how to install, configure, and use the secret-free component, and highlights important considerations.

How it works

When you use ACR as the image source without enabling public anonymous pulling, the ACK cluster must provide a username and password for authentication each time it pulls an image. A common solution is to store the username and password in a Secret. However, this method has the following drawbacks:

Secrets are Base64-encoded plaintext and pose a security risk if leaked.
You must manually add imagePullSecrets to each workload.
Secrets cannot be used across namespaces.

The secret-free component works as follows:

The secret-free component obtains a temporary username and password from the ACR instance.
The component saves the temporary username and password to a Secret.
The component associates the Secret with the service accounts specified in the component's configuration.
Workloads that use these service accounts pull images by default using the temporary username and password saved in the Secret.

The secret-free component can manage service accounts in multiple namespaces at the same time. It regularly updates the temporary username and password based on the configuration. This reduces the risk of leaks and removes the need to manually add imagePullSecrets to workloads. The secret-free component is free of charge.

Comparison of secret-free components

ACK provides the aliyun-acr-credential-helper component. This component is available in a managed edition and a self-managed edition. You can install only one edition at a time. The following table compares the two editions.

Item	aliyun-acr-credential-helper (managed)	aliyun-acr-credential-helper (self-managed)
Supported cluster versions	ACK managed clusters, ACK Serverless clusters, and ACK Edge clusters that run Kubernetes 1.22 or later	ACK managed clusters and ACK dedicated clusters that run Kubernetes 1.20 or later
Features	No self-management required Supports pulling images across accounts using RRSA	Supports querying component logs Supports pulling images across accounts using a worker RAM role, RRSA, or an AccessKey pair Supports the feature to use service accounts immediately after creation

To upgrade a cluster, see Manually upgrade a cluster.

Prerequisites

The cluster version is supported by the secret-free component. For more information, see the table above.
The Container Registry (ACR) instance is an Enterprise Edition instance.
Important
- The secret-free component supports only ACR Enterprise Edition instances and ACR Personal Edition instances created on or before September 8, 2024. If you cannot use the secret-free component, see How to use imagePullSecrets.
You have granted permissions to the RAM role used by the secret-free component.
Network connectivity is established between the ACR Enterprise Edition instance and the ACK cluster.
Configure network connectivity
Before you pull an image, ensure that the ACR Enterprise Edition instance and the ACK cluster can connect to each other and that the related domain names can be resolved. When you pull an image from an instance in the same account, you can use one of the following methods:
- ACR VPC access control: If the ACR Enterprise Edition instance and the ACK cluster are in the same region, the ACK cluster can access the ACR instance through a VPC. For more information, see Network access control.
- VPC peering connection: If the ACR instance and the ACK cluster are not in the same VPC, you can use a VPC peering connection to connect the two VPCs. This allows the ACK cluster to access the ACR Enterprise Edition instance. The VPC peering connection feature is free of charge if the VPCs are in the same region. It is a paid feature if the VPCs are in different regions. For more information, see Billing. To use this feature, the CIDR blocks of the two VPCs cannot overlap. If the CIDR blocks overlap, you must modify the existing network architecture.
  VPC peering connection procedure
  Configure internal DNS resolution for the ACR instance
  After you connect the ACR Enterprise Edition instance to the VPC, you can access the Enterprise Edition instance from the VPC using an internal endpoint. After the configuration is complete, you need to obtain the VPC ID and the internal IP address of the ACR Enterprise Edition instance.
  Obtain the domain names and IP addresses related to the ACR instance
  Obtain the domain name and IP address of the authentication service and the domain name and IP address of the associated OSS bucket that are used to access the ACR Enterprise Edition instance.
  Create a VPC peering connection and configure a route table
  You need to add a route that points to the peer VPC at each end of the VPC peering connection to enable private connectivity between the VPC of the ACK cluster and the VPC of the ACR Enterprise Edition instance. At the VPC peering connection end of the ACK cluster, you also need to configure routes for the IP address of the authentication service and the IP address of the associated OSS bucket.
  Resolve the domain name of the ACR instance for the ACK cluster
  You can use methods such as adding an internal DNS resolution record or using a custom data script for a node pool to modify the /etc/hosts file in batches. This resolves the domain name of the ACR instance to the internal IP address of the ACR instance for the ACK cluster. This way, traffic is forwarded to the VPC of the ACR instance through the route of the VPC peering connection.
- Internet: If the ACR Enterprise Edition instance and the ACK cluster have Internet access, you can also transfer images over the Internet. For more information, see Configure public access control for an ACR instance and Enable Internet access for a cluster.

Use the managed secret-free component

Step 1: Install the component

Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster you want and click its name. In the left-side pane, choose Operations > Add-ons.
On the Add-ons page, select the Security tab. Find the Aliyun-acr-credential-helper (Managed) card and click Install.

On the Install Aliyun-acr-credential-helper page, you can view the AcrInstanceInfo configuration and other options. AcrInstanceInfo contains the configurations for each ACR instance associated with the component. The other options are component configurations. If you do not need to modify the namespaces or service accounts that the component monitors, you can keep the default settings.

After the component is installed, you can change its configuration. On the Add-ons page, click Configuration on the Aliyun-acr-credential-helper (Managed) card.

Configuration of associated ACR instances:

AcrInstanceInfo		Description
InstanceId		The ID of the ACR instance. You can obtain the ID in the Container Registry console. Important Leave this parameter empty for a Personal Edition ACR instance. This parameter is required for an Enterprise Edition ACR instance.
regionId		The region ID of the ACR instance. You can obtain the region ID in the Container Registry console. Important This parameter is required when you pull images across regions.
domains		The domain names that the secret-free plugin uses to access the ACR instance. By default, all domain names (public and VPC) of the specified ACR instance are used. To specify individual domain names, separate them with commas (,).
Configuration for pulling images across accounts This applies to scenarios where you pull images across accounts. If you do not have this requirement, leave the fields empty.	assumeRoleARN	Not required for pulling images within the same account. To pull images across accounts, see Pull images across accounts.
	expireDuration
	rrsaRoleARN
	rrsaOIDCProviderRoleARN

Component configuration

Configuration item	Description
Enable RRSA	Select this to enable RRSA. This is not required for pulling images within the same account. To pull images across accounts, see Pull images across accounts.
watchNamespace	The namespaces from which you want to pull images without a secret. The default value is `default`. A value of `all` means all namespaces. To specify multiple namespaces, separate them with commas (,). We recommend that you configure your business namespaces. Avoid configuring `all` or namespaces related to system components to prevent issues with pulling system component images.
serviceAccount	The service accounts that the managed secret-free component applies to. The default value is `Default`. A value of `Default` applies to the default service account in all specified namespaces. An asterisk (*) applies to all service accounts in the specified namespaces. To configure multiple service accounts, separate them with commas (,).
expiringThreshold	The expiration threshold for the component's credentials. The default value is `15m`. We recommend using 15 minutes. The component automatically renews the credentials 15 minutes before they expire.
notifyEmail	No configuration is required.

Step 2: Pull an image

After you install and configure the secret-free component, specify a service account that is associated with the component when you create a workload. This lets you pull images without a secret.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      serviceAccountName: my-service-account # Specify a service account that is associated with the secret-free component.
      containers:
      - name: nginx
        image: ******.cn-hangzhou.cr.aliyuncs.com/nginx/nginx:latest # Specify the address of the ACR image.
        ports:
        - containerPort: 80

Use the self-managed secret-free component

Step 1: Install the component

Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster you want and click its name. In the left-side pane, choose Operations > Add-ons.
On the Add-ons page, click the Security tab. Find aliyun-acr-credential-helper and click Install.

On the Parameters page, select a permission mode for the component from the tokenMode drop-down list, and then click OK. After the component is installed, configure it before you pull an image. For more information, see Step 2: Change the component configuration (add an ACR instance).

tokenMode	Description
auto	(Recommended) The component detects the cluster creation time and automatically determines the permission mode. For clusters created before April 3, 2023, the workerRole mode is used. For clusters created on or after April 3, 2023, the managedRole mode is used. Important Versions of aliyun-acr-credential-helper released after April 3, 2023 provide configuration items to customize the RAM role that the component depends on. For more information, see [Product Change] Announcement on changing the permissions that aliyun-acr-credential-helper depends on.
managedRole	The component uses the AliyunCSManagedAcrRole role, which is granted permissions in the Prerequisites section, to obtain permissions.
workerRole	The component uses the cluster's worker RAM role to obtain permissions. You must grant specific permissions to the worker RAM role. Select workerRole as the component mode When you select workerRole as the permission mode, the cluster's worker RAM role must have the following permissions. For more information about how to grant permissions, see Grant permissions to a RAM role. `{ "Version": "1", "Statement": [ { "Action": [ "cr:GetAuthorizationToken", "cr:ListInstanceEndpoint", "cr:PullRepository" ], "Resource": "", "Effect": "Allow" } ] }` Important* Select this mode to pull images across accounts using role assumption.

Step 2: Change the component configuration (add an ACR instance)

After the secret-free component is installed, you must configure the acr-configuration ConfigMap to add an ACR instance before you can pull an image. You can do this in the console or using kubectl.

Console

On the Clusters page, click the name of the one you want to change. In the left-side navigation pane, choose Configurations > ConfigMaps.

On the ConfigMaps page, select kube-system from the Namespace drop-down list. Then, click the acr-configuration ConfigMap and modify the configuration as described in the following table.

Component configuration	Description
watch-namespace	The namespaces from which you want to pull images without a secret. The default value is default. A value of all means all namespaces. To configure multiple namespaces, separate them with commas (,). We recommend that you configure your business namespaces. Avoid configuring `all` or namespaces related to system components to prevent issues with pulling system component images.
acr-api-version	Keep the default value.
expiring-threshold	Expiration threshold for local cache credentials.
acr-registry-info	An array of instance information for container images, in a multi-line YAML string format. Each instance is configured as a trituple. `instanceId`: The ID of the ACR instance. You can obtain the ID in the Container Registry console. Important Leave this parameter empty for a Personal Edition ACR instance. This parameter is required for an Enterprise Edition ACR instance. `regionId`: The region ID of the ACR instance. You can obtain the region ID in the Container Registry console. Important This parameter is required when you pull images across regions. See the configuration example below. `domains`: The domain names that the secret-free plugin uses to access the ACR instance. By default, all domain names of the ACR instance in `instanceId` are entered. To specify individual domain names, separate them with commas (,). Configuration example for cross-region pulls When you use multiple ACR instances in different regions, you must specify the ID and region for each ACR instance. `data: service-account: "default" watch-namespace: "all" expiring-threshold: "15m" notify-email: "c*@aliyuncs.com" acr-registry-info: \| - instanceId: "cri-instanceId" regionId: "cn-beijing" - instanceId: "cri-instanceId" regionId: "cn-hangzhou"`
service-account	Enables the password-free component for specified service accounts.

kubectl

Run the following command to edit acr-configuration as described in the following table.

kubectl edit cm acr-configuration -n kube-system

Key	Description	Value
service-account	The service accounts that are used by the aliyun-acr-credential-helper component to pull images.	Default value: default. Note Separate multiple service accounts with commas (,). An asterisk (`*`) specifies all service accounts in all namespaces.
acr-registry-info	The information about Container Registry instances. Each instance can be specified by three parameters of the string type in a YAML file. Note Parameters for specifying an instance: instanceId: the ID of the Container Registry instance. This field is required for Container Registry Enterprise Edition instances. regionId: the ID of the region where the Container Registry instance resides. This parameter is optional. The default value is the region where your ACK cluster resides. domains: the domain names of the Container Registry instance. This parameter is optional. By default, all domain names of the instance are specified. Separate multiple domain names with commas (,).	Sample configuration for a Container Registry Enterprise Edition instance: `- instanceId: <cri-instanceId> regionId: "cn-hangzhou" domains: "xxx.com,yyy.com"`
watch-namespace	The namespaces from which you want to pull images without using a secret.	Default value: default. A value of all specifies all namespaces in the Container Registry instance. Separate multiple namespaces with commas (,). Note We recommend that you set the values to your production namespaces. If you set the value to all or namespaces of the system components of the cluster, images in the namespaces may fail to be pulled.
expiring-threshold	The period of time after which the cached Secret expires.	Default value: 15m. Note We recommended that you use the default value. The default value specifies that the Secret is updated 15 minutes before the cached Secret expires.

Step 3: Pull an image

After you install and configure the secret-free component, specify a service account that is associated with the component when you create a workload. This lets you pull images without a secret.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      serviceAccountName: my-service-account # Specify a service account that is associated with the secret-free component.
      containers:
      - name: nginx
        image: ******.cn-hangzhou.cr.aliyuncs.com/nginx/nginx:latest # Specify the address of the ACR image.
        ports:
        - containerPort: 80

How to enable the feature to use service accounts immediately after creation

Important

To enable the feature to use service accounts immediately after creation, you must upgrade the secret-free component to v23.02.06.1-74e2172-aliyun or later.

After you enable the webhook feature, the secret-free component monitors changes to service accounts in the cluster using a webhook. When a new service account is created, the component immediately injects the secret-free Secret into it. This feature is useful in scenarios where a service account must be used immediately after it is created, such as when you use a Helm Chart to create a service account and a deployment at the same time. Because this feature affects component performance, we do not recommend that you enable it in other scenarios.

To enable this feature, add the following fields to acr-configuration:

data:
  webhook-configuration: |
    enable: true
    failure-policy: Ignore
    timeout-seconds: 10

Configuration item	Description
`enable`	Specifies whether to enable the webhook feature. `true`: Enable. `false`: Do not enable.
`failure-policy`	The policy for handling a service account when this feature encounters an exception. `Ignore`: Ignores the exception. The service account is created normally, but the Secret for pulling images might not be attached. `Fail`: Interrupts the creation of the service account if an exception occurs. This is not recommended because it might cause the business deployment to fail. Important Due to limitations of the cluster API Server, if `timeout-seconds` is set to `15`, `failure-policy` is set to `Fail`, and 10 service accounts are continuously created per second, the service accounts may fail to be created.
`timeout-seconds`	The timeout period for a single service account creation request for this feature. If the timeout period is exceeded, the system responds based on the `failure-policy` configuration. The default value is 10. The unit is seconds (s).

FAQ

Image pull still fails after the secret-free component is configured

The image pull may fail due to an incorrect configuration of the secret-free component. For example:

The instance information in the secret-free component does not match the ACR instance.
The image address used for pulling the image does not match the domain name in the component's instance information.

Follow the steps in this topic to troubleshoot the issue.

If the component is configured correctly but the pull still fails, the failure might be due to a conflict between the imagePullSecrets field that is manually entered in the workload YAML and the secret-free component. To resolve this issue, manually delete the imagePullSecrets field, and then delete and recreate the pod.

How to use imagePullSecrets

ACR Personal Edition instances created on or after September 9, 2024 do not support the secret-free component. For new ACR Personal Edition instances, we recommend that you save the username and logon password in a Secret and use it in the imagePullSecrets field.

Important

The secret-free component cannot be used at the same time as a manually entered imagePullSecrets field.
The Secret must be in the same namespace as the workload.

Example of using imagePullSecrets

Run the following command and replace the parameters with your own to create a Secret from a username and password.

kubectl create secret generic image-secret-1 \
  --docker-server=<registry-server> \
  --docker-username=<name> \
  --docker-password=<password> \
  --docker-email=<email>

Use the Secret in a workload:

apiVersion: apps/v1
kind: Deployment 
metadata:
  name: nginx-test
  namespace: default 
  labels:
    app: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx 
    spec:
      imagePullSecrets:
      - name: image-secret-1  # Use the Secret created in the previous step
      containers:
      - name: nginx 
        image: <acrID>.cr.aliyuncs.com/<repo>/nginx:latest  # Replace with the ACR link

References

For more information about how to use the secret-free component to pull images across accounts, see Pull images across accounts.
For the change history of the secret-free component, see aliyun-acr-credential-helper.