All Products
Search
Document Center

Pull images from a Container Registry Enterprise Edition instance without a password

Last Updated: May 19, 2022

You can pull images from a Container Registry Enterprise Edition instance without a password. This accelerates image pulling. This topic describes how to pull images from a Container Registry Enterprise Edition instance without a password.

Prerequisites

Make sure that the following operations are completed:

Background information

Container Registry provides Container Registry Enterprise Edition instances and default instances. Container Registry Enterprise Edition is an enterprise-grade platform used to manage the lifecycle of cloud-native application artifacts. These artifacts include container images, Helm charts, and Open Container Initiative (OCI) artifacts. Container Registry Enterprise Edition seamlessly integrates with Container Service for Kubernetes (ACK) and helps simplify application delivery for enterprises in large-scale business deployment scenarios. For more information, see What is Container Registry?

You can pull an image from an image repository of a Container Registry instance by using one of the following methods:

  • If a Container Registry image belongs to the same account as the elastic container instance, you can pull the image without a password.

  • If an image is a Docker image instead of a Container Registry image, you cannot pull the image without a password. When you call the API operation to create an elastic container instance, you can use the ImageRegistryCredential parameter to specify a password.

Pull images from a Container Registry Enterprise Edition instance without a password

In the Container Registry console, find the instance that you want to manage and configure network access control based on the following information:

  • Over the Internet

    After you enable Internet access, you can access images in the Container Registry Enterprise Edition instance across regions by using public endpoints. For more information, see Configure access over the Internet.

    ACR2
  • Over virtual private clouds (VPCs)

    If you want to access a Container Registry Enterprise Edition instance over VPCs, you must connect the Container Registry Enterprise Edition instance to the VPCs. For more information, see Configure access over VPCs.

    ACR1

After you configure the Container Registry Enterprise Edition instance, you can record the instance information such as the instance ID, instance name, and endpoint.

Use Kubernetes to pull images from a Container Registry Enterprise Edition instance without a password

You can add annotations to specify the Container Registry Enterprise Edition instance from which you want to pull images.

Note

You can specify only one Container Registry Enterprise Edition instance when you use Kubernetes. If you have multiple Container Registry Enterprise Edition instances that contain different images, we recommend that you push the images to one Container Registry Enterprise Edition instance. If you want to configure multiple Container Registry Enterprise Edition instances, we recommend that you call the API operation.

Example:

  1. Prepare the YAML file.

    The following YAML file named test_cri.yaml is used as an example:

    apiVersion: v1
    kind: Pod
    metadata:
      annotations:
        k8s.aliyun.com/acr-instance-id: "cri-j36zhodptmyq****"      # Specify the ID of the Container Registry Enterprise Edition instance.
      name: cri-test
    spec:
      containers:
      - image: test****-registry.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0   # Pull an image over the Internet.
        imagePullPolicy: Always
        name: nginx
      restartPolicy: Never
    Note

    You can pull images from a Container Registry Enterprise Edition instance that resides in a region different from the region of the elastic container instance-based pod. To do this, you must add the region ID of the Container Registry Enterprise Edition instance before the ID of the Container Registry Enterprise Edition instance. Example: k8s.aliyun.com/acr-instance-id: "cn-beijing:cri-j36zhodptmyq****".

  2. Create a pod.

    kubectl apply -f test_cri.yaml

Call the API operation to pull images from a Container Registry Enterprise Edition instance without a password

When you call the CreateContainerGroup API operation to create an elastic container instance, you can use the AcrRegistryInfo parameters to pull images from a Container Registry Enterprise Edition instance without a password. The following table describes the parameters. For more information, see CreateContainerGroup.

Note

When you use the AcrRegistryInfo parameters to pull images from a Container Registry Enterprise Edition instance without a password, you must specify the AcrRegistryInfo.N.InstanceId parameter.

Parameter

Type

Example

Description

AcrRegistryInfo.N.RegionId

String

cn-beijing

The region ID of the Container Registry Enterprise Edition instance.

AcrRegistryInfo.N.InstanceId

String

cri-nwj395hgf6f3****

The ID of the Container Registry Enterprise Edition instance.

AcrRegistryInfo.N.Domain.N

RepeatList

test****-registry.cn-beijing.cr.aliyuncs.com

The endpoints of the Container Registry Enterprise Edition instance. By default, all endpoints of the Container Registry Enterprise Edition instance are displayed. You can specify one or more endpoints. Separate multiple endpoints with commas (,).

AcrRegistryInfo.N.InstanceName

String

test****

The name of the Container Registry Enterprise Edition instance.

The following examples demonstrate how to specify the AcrRegistryInfo parameters:

  • Example 1: Specify the region ID, ID, name, and endpoints of the Container Registry Enterprise Edition instance.

    'Container.1.Image': 'test****-registry.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0',
    'Container.1.Name': 'c1',
    'Container.2.Image': 'test****-registry-vpc.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0',
    'Container.2.Name': 'c2',
    
    #AcrRegistryInfo
    'AcrRegistryInfo.1.RegionId':'cn-beijing',
    'AcrRegistryInfo.1.InstanceId': 'cri-nwj395hg********',
    'AcrRegistryInfo.1.Domain.1': 'test****-registry-vpc.cn-beijing.cr.aliyuncs.com',
    'AcrRegistryInfo.1.Domain.2': 'test****-registry.cn-beijing.cr.aliyuncs.com'
  • Example 2: Specify the ID and name of the Container Registry Enterprise Edition instance.

    'Container.1.Image': 'test****-registry.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0',
    'Container.1.Name': 'c1',
    'Container.2.Image': 'test****-registry-vpc.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0',
    'Container.2.Name': 'c2',
    
    #AcrRegistryInfo
    'AcrRegistryInfo.1.InstanceId': 'cri-nwj395hg********',
    'AcrRegistryInfo.1.InstanceName': 'test****'
  • Example 3: Specify only the ID of the Container Registry Enterprise Edition instance.

    'Container.1.Image': 'test****-registry.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0',
    'Container.1.Name': 'c1',
    'Container.2.Image': 'test****-registry-vpc.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0',
    'Container.2.Name': 'c2',
    
    #AcrRegistryInfo
    'AcrRegistryInfo.1.InstanceId': 'cri-nwj395hg********'

You can also use SDKs to specify the AcrRegistryInfo parameters. The following sample code provides an example on how to use the SDK for Python to specify the AcrRegistryInfo parameters.

#!/usr/bin/env python
#coding=utf-8

from aliyunsdkcore.client import AcsClient
from aliyunsdkcore.acs_exception.exceptions import ClientException
from aliyunsdkcore.acs_exception.exceptions import ServerException
from aliyunsdkeci.request.v20180808.CreateContainerGroupRequest import CreateContainerGroupRequest

client = AcsClient('<accessKeyId>', '<accessSecret>', 'cn-beijing')

request = CreateContainerGroupRequest()
request.set_accept_format('json')

request.set_SecurityGroupId("sg-2zeh4cev9y7ulbr*****")
request.set_VSwitchId("vsw-2zejlv7xjnw61w6z*****")
request.set_ContainerGroupName("test-cri")
request.set_Containers([
  {
    "Image": "test****-registry.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0",
    "Name": "nginx"
  },
  {
    "Image": "test****-registry-vpc.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0",
    "Name": "nginx2"
  }
])
request.set_AcrRegistryInfos([
  {
    "RegionId": "cn-beijing",
    "InstanceId": "cri-nwj395hgf6f*****",
    "Domains": [
      "test****-registry-vpc.cn-beijing.cr.aliyuncs.com",
      "test****-registry.cn-beijing.cr.aliyuncs.com"
    ]
  }
])

response = client.do_action_with_exception(request)
# python2:  print(response) 
print(str(response, encoding='utf-8'))