Container Registry provides the aliyun-acr-credential-helper component to allow you to pull private images in Container Service for Kubernetes (ACK) clusters without secrets from instances of Container Registry Enterprise Edition and Personal Edition. This topic describes how to use the aliyun-acr-credential-helper component to pull a private image without secrets in different scenarios.
Prerequisites
Background information
The aliyun-acr-credential-helper component reads the configuration from the acr-configuration ConfigMap in the kube-system namespace of ACK clusters and pulls private images. You can pull private images by using one of the following policies:
- Default policy: Use the default RAM role to pull images. We recommend that you use this policy to pull images if the images are in the same account as the cluster.
- Configure an AccessKey ID and AccessKey secret for a sub accout to pull images. You can use this policy to pull images that are in an account different from the account of the cluster.
- Grant the AssumeRole permission to the RAM role to pull images. You can use this policy to pull images that are in an account different from the account of the cluster.
- Configure RAM Roles for Service Accounts (RRSA) to pull images. We recommend that you use this policy if you want to pull images that are in an account different from the account of the cluster.
Implementation mechanism
After you configure the aliyun-acr-credential-helper component, the component generates a secret in your cluster and associates the secret with the service account that you specified in the acr-configuration ConfigMap. For information about how to configure the aliyun-acr-credential-helper component, see Update and configure aliyun-acr-credential-helper. By default, all pods in this service account use the generated secret to pull images without using a password.Important If you create a service account to deploy applications, such as Helm charts, the service account requires a period of time to be associated with the secret that is generated by aliyun-acr-credential-helper. We recommend that you use the webhook feature to inject the secret into the service account before you pull images. For more information, see Other features.
Limits
The aliyun-acr-credential-helper component allows you to pull the following images in the following clusters:
- Images
- You can pull private images from the Container Registry instances that are in the same account as the current cluster account. You can also pull private images from the Container Registry instances that are in an account different from the current cluster account by granting permissions or by using an accessKey pair of a sub account.
- You can pull private images in scenarios in which you need to pull images from instances of Container Registry Enterprise Edition and Container Registry Personal Edition.
- Clusters
- You can pull images without secrets from multiple namespaces of a cluster in a batch.
- Supported cluster types:
- ACK dedicated clusters
- ACK managed clusters
- Supported cluster versions:
- ACK dedicated clusters: By default, clusters of v1.11.2 or later support image pulling without using a password. If the cluster version is earlier than v1.11.2, you must update the cluster version. For more information, see Update the Kubernetes version of an ACK cluster.
- Managed Kubernetes clusters: All versions.
Precautions
Ensure that aliyun-acr-credential-helper can take effect
- Do not use the imagePullSecret parameter to configure a secret that is used to pull images in the template of a Kubernetes resource, such as a Deployment.
- If a Kubernetes resource, such as a Deployment, uses a custom service account, you must modify the service-account parameter in the configuration file of the aliyun-acr-credential-helper component. This way, the component is authorized to pull images by using the custom service accounts.
- Check whether the private image that you want to pull resides in the same region as your ACK cluster. By default, you can pull private images only from Container Registry instances that reside in the same region as your ACK cluster. If you want to pull images from Container Registry instances that reside in different regions from your ACK cluster, see Scenario 2 in this topic.
- After you create a service account in a cluster, the service account requires a period of time to be associated with the secret that is generated by aliyun-acr-credential-helper. When the service account is associated with the secret, applications that are in the service account can pull images based on the secret. If you use an application in the service account to pull images immediately after you create a service account, images may fail to be pulled because the service account is not associated with the secret that is generated by aliyun-acr-credential-helper.
- By default, the value of the service-account parameter in the acr-configuration ConfigMap in aliyun-acr-credential-helper overwrites the value of the imagePullSecrets parameter of service accounts in all namespaces in the ACK cluster.
- When you modify the acr-configuration ConfigMap in the kube-system namespace, make sure that you use the same indentation as the example that is provided in this topic. We recommend that you paste the YAML code that is provided in this topic to the editor, replace the corresponding values, and apply the configuration. This ensures that the format of the ConfigMap is valid.
Prevent the AccessKey pair of the RAM role from being leaked
If you pull images by using the AccessKey ID and AccessKey secret of a RAM role, you must specify the AccessKey pair in the acr-configuration ConfigMap. This may disclose the AccessKey pair. To ensure the security of the AccessKey pair, make sure that the RAM role is granted only the permissions that are required to pull images. We do not recommend that you use the AccessKey pair method to pull images.
Update and configure aliyun-acr-credential-helper
Before you use aliyun-acr-credential-helper to pull images, you may need to update and configure the component. Perform the following steps:
- Update aliyun-acr-credential-helper. For more information about aliyun-acr-credential-helper, see aliyun-acr-credential-helper. Updating the component does not negatively impact workloads.
- Log on to the ACK console and click Clusters in the left-side navigation pane.
- On the Clusters page, click the name of a cluster and choose in the left-side navigation pane.
- On the Add-ons page, click the Security tab, find aliyun-acr-credential-helper, and then click Upgrade.
- Configure the acr-configuration ConfigMap. Mode 1: Configure the acr-configuration ConfigMap in the ACK consoleMode 2: Configure the acr-configuration ConfigMap by using kubectlThe following table describes the keys and values of the acr-configuration ConfigMap.
Key Description Value service-account The service accounts that are used by the aliyun-acr-credential-helper component to pull images. Default value: default. Note Separate multiple service accounts with commas (,). Enter an asterisk (*) to specify all service accounts in all namespaces.acr-registry-info The information about Container Registry instances. Each instance can be specified by three parameters of the string type in a YAML file. Note Configure the parameters based on the following descriptions:- instanceId: the ID of the Container Registry instance. You must configure this parameter if you pull images from Container Registry Enterprise Edition instances.
- regionId: the ID of the region where the Container Registry instance resides. This parameter is optional. The default value is the region where your ACK cluster resides.
- domains: the domain names of the Container Registry instance. This parameter is optional. By default, all domain names of the instance are specified. Separate multiple domain names with commas (,).
This parameter is left empty by default. This indicates that images are pulled from a Container Registry Personal Edition instance in the same region as the cluster without using a password. Leave the parameter empty when you need to pull images from instances of Personal Edition and Enterprise Edition. Sample configurations for a Container Registry Enterprise Edition instance:- instanceId: "cri-instanceId" regionId: "cn-hangzhou" domains: "xxx.com,yyy.com"watch-namespace The namespaces from which you want to pull images without secrets. Default value: default. Note If the value is set to all, images can be pulled from all namespaces in the cluster without using a password. Separate multiple namespaces with commas (,).expiring-threshold The period of time after which the cached secret expires. Default value: 15m. Note We recommended that you use the default value. The default value specifies to update the secret 15 minutes before the cached secret expires.
Scenario 1: Pull images by using the same account as the cluster
Before you pull images by using the same account as the cluster, make sure that the account is granted the permissions that are required to pull images from Container Registry instances.
- Log on to the ACK console and click Clusters in the left-side navigation pane.
- On the Clusters page, find the cluster. Click the name of the cluster in the Cluster Name/ID column, or click Details in the Actions column corresponding to the cluster.
- On the Cluster Information page, click the Cluster Resources tab, and then click the hyperlink next to Worker RAM Role.
- On the Roles page, click the Permissions tab and click the policy name in the Policy column.
- Check whether the policy document contains the following content. If the policy document does not contain the following content, click Modify Policy Document. Add the following content to the policy document and then click OK.
Modify the acr-configuration ConfigMap based on the following sample code to pull private images of the Container Registry Enterprise Edition instance. For information about how to configure acr-configuration, see 2.{ "Action": [ "cr:GetAuthorizationToken", "cr:ListInstanceEndpoint", "cr:PullRepository" ], "Resource": "*", "Effect": "Allow" }data: service-account: "default" watch-namespace: "all" expiring-threshold: "15m" notify-email: "cs@aliyuncs.com" acr-registry-info:| - instanceId: "cri-instanceId" regionId: "cn-hangzhou" domains: "instance.default.domain.com,instance.custom.domain.com"
Scenario 2: Pull images that are in a region different from the cluster
If the images that you want to pull reside in regions different from your ACK cluster, you must modify the acr-configuration ConfigMap.
For example, if you want to pull images from Container Registry instances that reside in the China (Beijing) and China (Hangzhou) regions in a batch, modify the acr-configuration ConfigMap, as shown in the following sample code. For information about how to configure acr-configuration, see Configure the acr-configuration ConfigMap.
Important After you enable cross-region image pulling, the aliyun-acr-credential-helper component calls API operations over the Internet. The cluster must be allowed to access the Internet.
data:
service-account: "default"
watch-namespace: "all"
expiring-threshold: "15m"
notify-email: "cs@aliyuncs.com"
acr-registry-info: |
- instanceId: "cri-instanceId"
regionId: "cn-beijing"
- instanceId: "cri-instanceId"
regionId: "cn-hangzhou" Scenario 3: Pull images that are in an account different from your cluster account
You can use one of the following permission modes to pull images that are in an account different from your cluster account:
- Configure RRSA: Account A assumes the role of Account B to pull private images from a Container Registry instance of Account B.
- Assume a role: Account A assumes the role of Account B to pull private images from a Container Registry instance of Account B.
- Use the AccessKey pair of the RAM role of Account B: Account A assumes a RAM role of Account B to pull private images from a Container Registry instance of Account B.
Configure RRSA to pull images that are in an account different from the cluster account
The RRSA feature can be used to perform access control on pods in a cluster.
Prerequisites
You can configure RRSA to pull images from instances of Container Registry Enterprise Edition (including Basic Edition, Standard Edition, and Advanced Edition) in clusters of v1.22 and later. Clusters of v1.22 and later include ACK standard clusters, ACK Pro clusters, ASK standard clusters, and ASK Pro clusters.
Important
- To enable the RRSA feature, you need to upgrade aliyun-acr-credential-helper to v23.02.06.1-74e2172-aliyun or later.
- After you enable the RRSA feature, the secrets that are generated by aliyun-acr-credential-helper cannot be used to pull private images of Container Registry Personal Edition instances. After you enable the RRSA feature, you cannot use other authentication methods that are described in this topic, such as the AccessKey pair method and the method in which images are pulled from Container Registry instances in the same account as the cluster.
Enable the RRSA feature for the cluster
- Method 1: Enable RRSA in the ACK console
- Log on to the ACK console and click Clusters in the left-side navigation pane.
- On the Clusters page, find the cluster. Click the name of the cluster in the Cluster Name/ID column, or click Details in the Actions column.
- On the Cluster Information page, click the Basic Information tab and click Enable RRSA next to RRSA OIDC.
- In the Enable RRSA message, click Confirm.
After the cluster status changes from Updating to Running, the RRSA feature is enabled for the cluster and the OIDC (OpenID Connect) provider URL is displayed next to RRSA OIDC.
- Method 2: Enable RRSA by using ack-ram-toolTo enable RRSA by using the ack-ram-tool command line interface (CLI), run the following command. Replace <cluster_id> in the command with the ID of the cluster that you want to manage.
ack-ram-tool rrsa enable -c <cluster_id>
Enable the RRSA feature for aliyun-acr-credential-helper
After the RRSA feature is enabled for the cluster, you must perform the following steps to enable RRSA for aliyun-acr-credential-helper. For example, the current cluster is in Account A and the Container Registry instance is in Account B. If you want to pull images of the Container Registry instance, you must authorize Account A to access the Container Registry resources of Account B.
- Configure a RAM role for Account ACreate a RAM role in Account A and modify the trust policy of the RAM role.
- Replace <oidc_issuer_url> in the example with the OIDC provider URL of the cluster. You can obtain the OIDC provider URL on the Basic Information tab of the Cluster Information page in the ACK console.
- Replace <oidc_provider_arn> in the example with the OIDC provider ARN (Alibaba Cloud Resource Name) of the cluster. You can obtain the OIDC provider ARN on the Basic Information tab of the Cluster Information page in the ACK console.
{ "Statement": [ { "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "oidc:aud": "sts.aliyuncs.com", "oidc:iss": "<oidc_issuer_url>", "oidc:sub": "system:serviceaccount:kube-system:aliyun-acr-credential-helper" } }, "Effect": "Allow", "Principal": { "Federated": [ "<oidc_provider_arn>" ] } } ], "Version": "1" } - Configure a RAM role for Account BCreate a RAM role for Account B. Associate the following policy with the RAM role to grant the role the permissions that are required to obtain the information about Container Registry instances and pull images from the instances.
{ "Version": "1", "Statement": [ { "Action": [ "cr:GetAuthorizationToken", "cr:ListInstanceEndpoint", "cr:PullRepository" ], "Resource": "*", "Effect": "Allow" } ] }You can configure the MaxSessionDuration parameter for the RAM role. Valid values of this parameter range from 3600 to 43200 seconds. You must configure the expireDuration parameter when you modify parameters of aliyun-acr-credential-helper. We recommend that you specify the same value for MaxSessionDuration and expireDuration. The value of expireDuration can be less than or equal to the value of MaxSessionDuration.
- Authorize Account A to assume the role of Account B
In the RAM role of Account B that is granted permissions on Container Registry instances, click the Trust Policy Management tab and add the ARN of the RAM role of Account A.
Associate the AliyunSTSAssumeRoleAccess policy with the RAM role of Account A to grant the RAM role the permissions that are required to assume the role of Account B.
Modify parameters of aliyun-acr-credential-helper
Modify the configurations of aliyun-acr-credential-helper based on the following content.
data:
rrsa: |
enable: true
acr-registry-info: |
- instanceId: cri-xxx
regionId: cn-hangzhou
rrsaRoleARN: aUserRoleARN
rrsaOIDCProviderRoleARN: aUserClusterOIDCProviderRoleARN
assumeRoleARN: bUserRoleARN
expireDuration: 3600| Key | Description | Value |
|---|---|---|
| rrsaRoleARN | The ARN of the RAM role that you created for Account A. | acs:ram::aaa |
| rrsaOIDCProviderRoleARN | The ARN of the OIDC provider that you obtained on the Basic Information tab of the Cluster Information page in the ACK console. | acs:ram::bbb |
| assumeRoleARN | The ARN of the RAM role that you created for Account B. | acs:ram::ccc |
| expireDuration | The session period of the RAM role that you created for Account B. The session period is equal to the validity period of the secret that is generated by aliyun-acr-credential-helper. Important The expireDuration value cannot be greater than the MaxSessionDuration value of the RAM role of Account B. | Default value: 3600. Maximum value: 43200. Unit: seconds. Set MaxSessionDuration of the RAM role of Account B to 43200. |
Assume a role of the account to pull images that are in an account different from the cluster account
Assume a role to pull images that are in an account different from the cluster account
Note
Configuration principles:
- Account B or its RAM role is authorized to pull private images from a specified private repository. This principle requires you to grant the cr.* permissions to the RAM role of Account B.
- Account B or the RAM role of Account B allows the worker role of the ACK cluster in account A to assume Account B or the RAM role of Account B. This principle requires you to modify the trust policy of Account B or the RAM role of Account B.
- The worker role of the ACK cluster in Account A is authorized to assume Account B or the RAM role of Account B. This principle requires you to associate the AliyunAssumeRoleAccess policy with the worker role of Account A.
- The worker role of the ACK cluster in Account A can assume Account B or the RAM role of Account B. This principle requires you to specify the worker role as the assumeRoleARN parameter in the acr-configuration ConfigMap.
- Create a RAM role for Account B. Specify Alibaba Cloud Account as the trusted entity of the RAM role. Make sure that the RAM role is granted the permissions that are required to pull private images from Container Registry instances of Account B.
- Create a RAM role for Account B.
For more information, see Create a RAM role for a trusted Alibaba Cloud account.
- Define the permissions in the policy that is associated with the RAM role of Account B. Make sure that the RAM role is granted the permissions that are required to pull private images from Container Registry instances of Account B. For more information, see Modify the document and description of a custom policy.Important Make sure that the RAM role is granted the permissions of cr.*.
``` { "Action": [ "cr:GetAuthorizationToken", "cr:ListInstanceEndpoint", "cr:PullRepository" ], "Resource": [ "*" ], "Effect": "Allow" } ```The following figure shows the location where the content is added.
- Create a RAM role for Account B.
- Modify the trust policy of the RAM role of Account B. This way, the RAM role of Account B allows the worker role of the ACK cluster in Account A to assume the RAM role of Account B. Obtain the ARN of the worker role of the ACK cluster.
- For more information, see How do I view the ARN of a RAM role?
- Modify the trust policy of the RAM role of Account B.
- Log on to the RAM console. In the left-side navigation pane, click Roles. On the Roles page, find the RAM role of Account B and click the role name.
- On the Basic Information page of the RAM role of Account B, click the Trust Policy Management tab, and add the ARN of the worker role of the ACK cluster in Account A to the Principal field of the trust policy.
- Check whether the worker role of the ACK cluster in Account A is granted the AssumeRole permission.
For more information, see View the basic information about a policy.
- Add the assumeRoleARN parameter to the configuration file of the aliyun-acr-credential-helper component. Set the value of the assumeRoleARN parameter to the ARN of the RAM role of Account B. For information about how to obtain the ARN, see How do I view the ARN of a RAM role? The following YAML file shows the sample configuration. For more information, see Configure the acr-configuration ConfigMap.
data: service-account: "default" watch-namespace: "all" expiring-threshold: "15m" notify-email: "cs@aliyuncs.com" acr-registry-info: | - instanceId: "" regionId: "cn-beijing" domains: "registry.cn-beijing.aliyuncs.com" assumeRoleARN: "acs:ram::.*:role/kubernetesworkerrole-test" expireDuration: 3600
Use the accessKey pair of a sub account to pull images that are in an account different from the cluster account
Use the accessKey pair of a sub account to pull images that are in an account different from the cluster account
- Create a RAM role for your account and grant the RAM role the permissions that are required to pull cr images in your account. For information about how to grant the permissions that are required to pull cr images, see Scenario 3: Pull images that are in an account different from your cluster account.
- Configure the acr-configuration ConfigMap in the kube-system namespace. Enter the AccessKey ID and AccessKey secret of the RAM user that you created.
This way, aliyun-acr-credential-helper can use the RAM role to pull private images. For information about how to obtain the AccessKey pair, see View the information about AccessKey pairs of a RAM user.
The following sample code provides an example on how to configure acr-configuration. For more information, see Configure the acr-configuration ConfigMap.data: service-account: "default" watch-namespace: "all" expiring-threshold: "15m" notify-email: "cs@aliyuncs.com" acr-registry-info: | - instanceId: "" customAccessKey: "xxxxx" // Enter the AccessKey ID of the RAM role. customAccessKeySecret: "xxxxxx" // Enter the AccessKey secret of the RAM role.
Other features
Pull private images from a Container Registry Personal Edition instance
When you migrate images from a Container Registry Personal Edition instance to an Enterprise Edition instance, you may need to pull private images from the Enterprise Edition instance and the Personal Edition instance. In this case, you must modify the acr-configuration ConfigMap based on the following "Configuration method" section. For more information, see 2.
data:
service-account: "default"
watch-namespace: "all"
expiring-threshold: "15m"
notify-email: "cs@aliyuncs.com"
acr-registry-info: |
- instanceId: ""
- instanceId: "cri-xxxx"Instant use of service accounts
If you create a service account together with a Deployment by using Helm charts, you may need the system to generate a secret for the service account without latency. In this case, you can enable the "instant use of service accounts" feature. We do not recommend that you enable this feature in other scenarios.
Important To enable the instant use of service accounts feature, you need to upgrade aliyun-acr-credential-helper to v23.02.06.1-74e2172-aliyun or later.
Configuration method
After you update aliyun-acr-credential-helper to the latest version, modify the configurations of the acr-configuration ConfigMap based on the following content. For more information, see Configure the acr-configuration ConfigMap.
data:
webhook-configuration: |
enable: true
failure-policy: Ignore
timeout-seconds: 10| Key | Description | Value |
|---|---|---|
| enable | Whether to enable the "instant use of service accounts" feature. | Valid values: true and false. Default value: false. |
| failure-policy | The failure handling policy when an exception occurs in the "instant use of service accounts" feature. | Valid values: Ignore and Fail. If you set this parameter to Ignore, the service account is created even if an exception occurs during the creation process. Secrets may not be generated. If you set this parameter to Fail, the creation process of the service account is interrupted when an exception occurs. We do not recommend that you set this parameter to Fail because this setting may cause workload deployment to fail. Due to the limits of cluster API servers, when timeout-seconds is set to 15, failure-policy is set to Fail and 10 service accounts are created per second for a period of time, service accounts may fail to be created due to timeout errors. |
| timeout-seconds | The timeout period for processing a single request that is sent to create service accounts. If the timeout period elapses, feedback is provided based on the failure-policy configuration. | Default value: 10. Unit: seconds. You do not need to specify the unit. |