All Products
Document Center

Container Registry:Pull images without using a secret

Last Updated:Apr 02, 2024

The aliyun-acr-credential-helper secret-free component allows you to pull container images in various Container Service for Kubernetes (ACK) clusters without the need to configure a secret. You only need to configure the Container Registry instance and the effective scope of the secret-free component in the cluster.

Usage description

The secret-free component is available in two editions: the standard edition and the managed edition. The standard edition component is installed in the clusters on the user side, and the managed edition is hosted on the control plane of the cluster. The two editions of the secret-free component provide features in different ways. You can install a component edition based on your requirements. The following table describes the differences when the two editions of the component provide features.


Standard edition

Managed edition

Supported clusters and versions

ACK Pro clusters and ACK dedicated clusters that are later than v1.20.0.

ACK Pro clusters, ACK Serverless clusters, and ACS clusters that are later than v1.22.0.

Query component logs


Not supported.

Method that is used to modify configuration items

Modify the ConfigMap.

Use the Container Registry console.

Mode that is used to implement cross-account image pulls

Worker role, RAM Roles for Service Accounts (RRSA), and AccessKey pair.


Inject secrets to service accounts without a delay


Not supported.

Number of secrets

Multiple secrets exist in the namespace.

A single secret exists in the namespace.

Position in which the component is deployed

In the kube-system namespace of the cluster.

In the control plane of the cluster.


The two editions of the secret-free component cannot be installed at the same time. To use one of the editions, uninstall the other edition first.