
Configure password-free access to pull images from a Container Registry Enterprise Edition instance

Last Updated: May 19, 2022

To pull images from a Container Registry instance, you can configure password-free access to the instance to simplify configurations and accelerate the pulling of images. This topic describes how to configure password-free access to pull images from a Container Registry Enterprise Edition instance.

Prerequisites

The following requirements are met:

Background information

Container Registry provides Container Registry Personal Edition instances and Container Registry Enterprise Edition instances. Container Registry Enterprise Edition is an enterprise-grade platform used to manage the lifecycle of cloud native application artifacts. These artifacts include container images, Helm charts, and Open Container Initiative (OCI) artifacts. Container Registry Enterprise Edition can seamlessly integrate with Container Service for Kubernetes (ACK) in large-scale business deployment scenarios to simplify application delivery for enterprises. For more information, see What is Container Registry?

Whether you can pull an image without a password depends on where the image is hosted:

  • For images in a Container Registry Personal Edition instance that belongs to the same account as the elastic container instance, you can pull the images without using a password.

  • For non-Container Registry images such as Docker images, you cannot pull the images without using a password. When you call an API operation to create an elastic container instance, you can use the ImageRegistryCredential parameter to pass in a password.

Configure password-free access to a Container Registry Enterprise Edition instance

In the Container Registry console, find the instance for which you want to configure password-free access and configure the following network access control settings:

  • Settings for access over the Internet

    After you enable Internet access, you can access images in the Container Registry Enterprise Edition instance across regions by using public domain names. For more information, see Configure access over the Internet.

  • Settings for access over virtual private clouds (VPCs)

    You must grant required permissions before you can allow access to the Container Registry Enterprise Edition instance over VPCs. For more information, see Configure access over VPCs.


After you configure the Container Registry Enterprise Edition instance, you can record the instance information such as the instance ID, instance name, and domain name for subsequent use.

Use the Kubernetes method to pull images from Container Registry Enterprise Edition instances without using passwords

You can add annotations to specify a Container Registry Enterprise Edition instance from which you want to pull images.

Note

You can specify only one Container Registry Enterprise Edition instance when you use the Kubernetes method. If you have multiple Container Registry Enterprise Edition instances that contain different images, we recommend that you put the images into a single Container Registry Enterprise Edition instance. If you want to configure multiple Container Registry Enterprise Edition instances, we recommend that you call an API operation.

Example:

  1. Prepare the YAML file.

    The following sample code provides an example of test_cri.yaml:

    apiVersion: v1
    kind: Pod
    metadata:
      annotations:
        k8s.aliyun.com/acr-instance-id: "cri-j36zhodptmyq****"      # Specify the ID of the Container Registry Enterprise Edition instance.
      name: cri-test
    spec:
      containers:
      - image: test****-registry.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0   # Pull an image over the Internet.
        imagePullPolicy: Always
        name: nginx
      restartPolicy: Never

    Note

    Container Registry Enterprise Edition instances can be used across regions. Therefore, you can specify a Container Registry Enterprise Edition instance that resides in a region different from the region of the pod. To do this, you must prefix the instance ID with the region ID of the Container Registry Enterprise Edition instance. Example: k8s.aliyun.com/acr-instance-id: "cn-beijing:cri-j36zhodptmyq****".

  2. Create a pod.

    kubectl apply -f test_cri.yaml
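The following pre-deployment check is an added example, not part of the original documentation. It parses the annotation value, including the optional region prefix, and flags images that the single annotated instance would not cover. The host pattern is an assumption inferred from this page's sample domains, and all instance names and IDs are constructed.

```python
import re

# Added example: all names and IDs below are constructed.
ANNOTATION = "k8s.aliyun.com/acr-instance-id"
# Assumed host shape, inferred from the page's sample domains:
#   <instance-name>-registry[-vpc].<region>.cr.aliyuncs.com
ACR_HOST = re.compile(
    r"^(?P<name>.+?)-registry(?:-vpc)?\.(?P<region>[a-z0-9-]+)\.cr\.aliyuncs\.com$")

def parse_annotation(value):
    """Split '[<region-id>:]<instance-id>' into (region or None, instance_id)."""
    region, sep, instance_id = value.rpartition(":")
    return (region if sep else None), instance_id

def lint_pod(pod, pod_region):
    """Return findings for a parsed Pod manifest (dict) scheduled in pod_region."""
    value = pod.get("metadata", {}).get("annotations", {}).get(ANNOTATION)
    if not value:
        return [f"missing annotation {ANNOTATION}"]
    ann_region, instance_id = parse_annotation(value)
    findings = [] if instance_id else ["annotation carries no instance ID"]
    # Without a region prefix, the instance is expected in the pod's own region.
    effective_region = ann_region or pod_region
    instance_names = set()
    for c in pod.get("spec", {}).get("containers", []):
        host = c["image"].split("/", 1)[0]
        m = ACR_HOST.match(host)
        if not m:
            findings.append(f"{c['name']}: {host} does not match the assumed "
                            "Enterprise Edition host pattern")
            continue
        instance_names.add(m["name"])
        if m["region"] != effective_region:
            findings.append(f"{c['name']}: registry is in {m['region']} but the "
                            f"annotation resolves to {effective_region}")
    if len(instance_names) > 1:
        findings.append("images come from more than one instance; "
                        "the annotation can name only one")
    return findings

def sample_pod(annotation, *images):
    """Build a constructed manifest with the same shape as test_cri.yaml."""
    containers = [{"name": f"c{i}", "image": img} for i, img in enumerate(images, 1)]
    return {"metadata": {"annotations": {ANNOTATION: annotation}},
            "spec": {"containers": containers}}

if __name__ == "__main__":
    img = "acme-registry.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0"
    print(lint_pod(sample_pod("cri-constructed0001", img), "cn-hangzhou"))
```
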

Call an API operation to pull images from Container Registry Enterprise Edition instances without using passwords

When you call the CreateContainerGroup API operation to create an elastic container instance, you can use AcrRegistryInfo-related parameters to configure password-free access. The following table describes the parameters. For more information, see CreateContainerGroup.

Note

When you use AcrRegistryInfo-related parameters to configure password-free access, you must specify the AcrRegistryInfo.N.InstanceId parameter.

| Parameter | Type | Example | Description |
| --- | --- | --- | --- |
| AcrRegistryInfo.N.RegionId | String | cn-beijing | The region ID of Container Registry Enterprise Edition instance N. |
| AcrRegistryInfo.N.InstanceId | String | cri-nwj395hgf6f3**** | The ID of Container Registry Enterprise Edition instance N. |
| AcrRegistryInfo.N.Domain.N | RepeatList | test****-registry.cn-beijing.cr.aliyuncs.com | Domain name N of Container Registry Enterprise Edition instance N. All domain names of instance N are displayed by default. You can specify domain names. Separate multiple domain names with commas (,). |
| AcrRegistryInfo.N.InstanceName | String | test**** | The name of Container Registry Enterprise Edition instance N. |

The following examples demonstrate how to specify AcrRegistryInfo-related parameters:

  • Example 1: Specify the region ID, ID, name, and domain names of the Container Registry Enterprise Edition instance.

    'Container.1.Image': 'test****-registry.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0',
    'Container.1.Name': 'c1',
    'Container.2.Image': 'test****-registry-vpc.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0',
    'Container.2.Name': 'c2',
    
    #AcrRegistryInfo
    'AcrRegistryInfo.1.RegionId':'cn-beijing',
    'AcrRegistryInfo.1.InstanceId': 'cri-nwj395hg********',
    'AcrRegistryInfo.1.Domain.1': 'test****-registry-vpc.cn-beijing.cr.aliyuncs.com',
    'AcrRegistryInfo.1.Domain.2': 'test****-registry.cn-beijing.cr.aliyuncs.com'
  • Example 2: Specify the ID and name of the Container Registry Enterprise Edition instance.

    'Container.1.Image': 'test****-registry.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0',
    'Container.1.Name': 'c1',
    'Container.2.Image': 'test****-registry-vpc.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0',
    'Container.2.Name': 'c2',
    
    #AcrRegistryInfo
    'AcrRegistryInfo.1.InstanceId': 'cri-nwj395hg********',
    'AcrRegistryInfo.1.InstanceName': 'test****'
  • Example 3: Specify only the ID of the Container Registry Enterprise Edition instance.

    'Container.1.Image': 'test****-registry.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0',
    'Container.1.Name': 'c1',
    'Container.2.Image': 'test****-registry-vpc.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0',
    'Container.2.Name': 'c2',
    
    #AcrRegistryInfo
    'AcrRegistryInfo.1.InstanceId': 'cri-nwj395hg********'
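The following added example, which is not part of the original documentation, shows how structured entries expand into the N-indexed parameter names used in the examples above, enforces the required InstanceId, and reports container images whose registry host is missing from the listed domains. It assumes that listing Domains limits an entry to those hosts; the instance ID and domains are constructed.

```python
# Added example: the instance ID and domains below are constructed.
def flatten_acr_registry_infos(infos):
    """Expand structured entries into AcrRegistryInfo.N.* request parameters."""
    params = {}
    for n, info in enumerate(infos, start=1):
        if not info.get("InstanceId"):
            # InstanceId is mandatory whenever AcrRegistryInfo is used.
            raise ValueError(f"AcrRegistryInfo.{n}.InstanceId is required")
        for key in ("RegionId", "InstanceId", "InstanceName"):
            if info.get(key):
                params[f"AcrRegistryInfo.{n}.{key}"] = info[key]
        for d, domain in enumerate(info.get("Domains", []), start=1):
            params[f"AcrRegistryInfo.{n}.Domain.{d}"] = domain
    return params


def images_outside_listed_domains(images, infos):
    """Return images whose registry host is in no entry's Domains list.

    Assumption: listing Domains limits an entry to those hosts. If any entry
    omits Domains (all of its instance's domains apply), nothing is flagged,
    because those domains cannot be enumerated offline.
    """
    if any(not info.get("Domains") for info in infos):
        return []
    listed = {d for info in infos for d in info["Domains"]}
    return [img for img in images if img.split("/", 1)[0] not in listed]


INFOS = [{
    "RegionId": "cn-beijing",
    "InstanceId": "cri-constructed0001",
    "Domains": ["acme-registry-vpc.cn-beijing.cr.aliyuncs.com"],
}]
IMAGES = [
    "acme-registry.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0",
    "acme-registry-vpc.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0",
]

if __name__ == "__main__":
    for name, value in flatten_acr_registry_infos(INFOS).items():
        print(f"'{name}': '{value}'")
    print("not covered:", images_outside_listed_domains(IMAGES, INFOS))
```
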

You can also use SDKs to specify AcrRegistryInfo-related parameters. The following sample code shows how to use the SDK for Python to specify AcrRegistryInfo-related parameters.

#!/usr/bin/env python
#coding=utf-8

from aliyunsdkcore.client import AcsClient
from aliyunsdkcore.acs_exception.exceptions import ClientException
from aliyunsdkcore.acs_exception.exceptions import ServerException
from aliyunsdkeci.request.v20180808.CreateContainerGroupRequest import CreateContainerGroupRequest

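# Replace the placeholders with your AccessKey pair. Load the pair from a secure
# source at run time instead of committing it to source control.
client = AcsClient('<accessKeyId>', '<accessSecret>', 'cn-beijing')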

request = CreateContainerGroupRequest()
request.set_accept_format('json')

request.set_SecurityGroupId("sg-2zeh4cev9y7ulbr*****")
request.set_VSwitchId("vsw-2zejlv7xjnw61w6z*****")
request.set_ContainerGroupName("test-cri")
request.set_Containers([
  {
    "Image": "test****-registry.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0",
    "Name": "nginx"
  },
  {
    "Image": "test****-registry-vpc.cn-beijing.cr.aliyuncs.com/eci_test/nginx:1.0",
    "Name": "nginx2"
  }
])
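# Configure password-free access to the Container Registry Enterprise Edition
# instance. InstanceId is required.
request.set_AcrRegistryInfos([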
  {
    "RegionId": "cn-beijing",
    "InstanceId": "cri-nwj395hgf6f*****",
    "Domains": [
      "test****-registry-vpc.cn-beijing.cr.aliyuncs.com",
      "test****-registry.cn-beijing.cr.aliyuncs.com"
    ]
  }
])

response = client.do_action_with_exception(request)
# python2:  print(response) 
print(str(response, encoding='utf-8'))