Overview
This document describes how to orchestrate containers that are created from private images in a Container Service for Kubernetes (ACK) cluster.
Details
You can orchestrate containers that are created from private images in an ACK cluster. You can create a secret and use it to orchestrate containers. You can also implement orchestration without a secret.
Use a secret to orchestrate containers
- Connect to a master node of an ACK cluster by using kubectl. For more information, see Use kubectl to connect to an ACK cluster.
- Run the following command to create a secret for pulling private images:
kubectl create secret docker-registry [$Reg_Secret] --docker-server=[$Registry] --docker-username=[$Username] --docker-password=[$Password] --docker-email=[$Email]
Note:
- [$Reg_Secret]: the name of the secret, which can be customized.
- [$Registry]: the address of the Docker registry.
- [$Username]: the username used to log on to the Docker registry.
- [$Password]: the password used to log on to the Docker registry.
- [$Email]: optional. The email address.
- Add the imagePullSecrets parameter to the YAML file used for container orchestration, as shown in the following code:
containers:
- name: foo
  image: [$Registry]/abc/test:1.0
imagePullSecrets:
- name: [$Reg_Secret]
Note:
- imagePullSecrets specifies the secret used to pull images.
- For more information, see the Using a private registry section of the Images topic.
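The following Python sketch is an added example, not part of the original document or of ACK. It builds a secret in the kubernetes.io/dockerconfigjson layout that kubectl create secret docker-registry stores, and lists images whose registry host is not covered by any secret named in imagePullSecrets. The registry host, credentials, and function names are constructed for illustration. Matching is by host only, which is a simplification of how the kubelet matches credentials.

```python
import base64
import json

def docker_registry_secret(name, server, username, password, email=None):
    """Build a Secret in the layout stored by `kubectl create secret docker-registry`."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    entry = {"username": username, "password": password, "auth": auth}
    if email:
        entry["email"] = email
    config = json.dumps({"auths": {server: entry}})
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": base64.b64encode(config.encode()).decode()}}

def secret_registries(secret):
    """Return the registry hosts a dockerconfigjson secret holds credentials for."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a docker-registry secret")
    config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    return {k.split("://", 1)[-1].split("/", 1)[0] for k in config.get("auths", {})}

def image_registry(image):
    """Registry host of an image reference; docker.io when no host is given."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def uncovered_images(pod_spec, secrets_by_name):
    """List container images whose registry no referenced pull secret covers."""
    covered = set()
    for ref in pod_spec.get("imagePullSecrets", []):
        secret = secrets_by_name.get(ref["name"])
        if secret:
            covered |= secret_registries(secret)
    return [c["image"] for c in pod_spec["containers"]
            if image_registry(c["image"]) not in covered]

if __name__ == "__main__":
    # Constructed sample values; registry.example.com stands in for [$Registry].
    secret = docker_registry_secret("regsecret", "registry.example.com",
                                    "constructed-user", "constructed-password")
    pod_spec = {"containers": [{"name": "foo",
                                "image": "registry.example.com/abc/test:1.0"}],
                "imagePullSecrets": [{"name": "regsecret"}]}
    print("registries in secret:", sorted(secret_registries(secret)))
    print("uncovered images:", uncovered_images(pod_spec, {"regsecret": secret}))
```

An image reported as uncovered is one to check first when a pod stays in ImagePullBackOff.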
Implement orchestration without a secret
To avoid referencing a secret each time you deploy from private images, you can add the secret to the default service account of the namespace. For more information, see the Add ImagePullSecrets to a service account section of the Configure Service Accounts for Pods topic. In this example, the default service account of the namespace is manually configured to use this secret as the secret for pulling images.
- Run the following command to view the created secret:
kubectl get secret [$Reg_Secret]
The following output is returned:
NAME            TYPE                             DATA   AGE
[$Reg_Secret]   kubernetes.io/dockerconfigjson   1      13m
- Run the following commands in sequence to export the configuration of the default service account to the sa.yaml file and view the file:
kubectl get serviceaccounts default -o yaml > ./sa.yaml
cat sa.yaml
The following output is returned:
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2015-08-07T22:02:39Z
  name: default
  namespace: default
  resourceVersion: "243024" ##Pay attention to the
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
secrets:
- name: default-token-uudge
- Open the sa.yaml file, delete the resourceVersion parameter, and then add the imagePullSecrets parameter to specify the secret for pulling images. The following code shows the modified configuration:
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2015-08-07T22:02:39Z
  name: default
  namespace: default
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: 052fb0f4-****-11e5-****-42010af0d7b6
secrets:
- name: default-token-uudge
imagePullSecrets: ##Pay attention to the
- name: regsecret
- Run the following command to update the default service account by using the sa.yaml file:
kubectl replace serviceaccount default -f ./sa.yaml
The following output is returned:
serviceaccount "default" replaced
- Run the kubectl create -f command to create a Tomcat pod. The following configuration is used:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deployment
  labels:
    app: tomcat
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tomcat
  template:
    metadata:
      labels:
        app: tomcat
    spec:
      containers:
      - name: tomcat
        image: [$Registry]/abc/test:1.0
        ports:
        - containerPort: 8080
- If the configuration is valid, the pod is started. Run the following command to view the imagePullSecrets parameter:
kubectl get pod tomcat-XXX -o yaml
The following output is returned. Check whether the orchestration without the secret is successful.
spec:
  imagePullSecrets:
  - name: regsecret
Applicable scope
- ACK