All Products
Search
Document Center

How Do I Orchestrate Containers That Are Created from Private Images in an ACK Cluster

Last Updated: Jun 03, 2021

Overview

This document describes how to orchestrate containers that are created from private images in a Container Service for Kubernetes (ACK) cluster.

Details

You can orchestrate containers that are created from private images in an ACK cluster. You can create a secret and use it to orchestrate containers. You can also implement orchestration without a secret.

Use a secret to orchestrate containers

  1. Connect to a master node of an ACK cluster by using kubectl. For more information, see Use kubectl to connect to an ACK cluster.
  2. Run the following command to create a secret for pulling private images:
    kubectl create secret docker-registry [$Reg_Secret] --docker-server=[$Registry] --docker-username=[$Username] --docker-password=[$Password] --docker-email=[$Email]
    Note :
    • [$Reg_Secret]: the name of the secret, which can be customized.
    • [$Registry]: the address of the Docker registry.
    • [$Username]: the username used to log on to the Docker registry.
    • [$Password]: the password used to log on to the Docker registry.
    • [$Email]: optional. The email address.
  3. Add the imagePullSecrets parameter to the YAML file used for container orchestration, as shown in the following code:
    containers:
        - name: foo
          image: [$Registry]/abc/test:1.0
    imagePullSecrets:
        - name: [$Reg_Secret]
    Note:
    • imagePullSecrets specifies the secret used to pull images.
    • For more information, see the Using a private registry section of the Images topic.

Implement orchestration without a secret

To prevent referencing a secret each time you use private images for deployment, you can add the secret to the default service account of the namespace. For more information, see the Add ImagePullSecrets to a service account section of the Configure Service Accounts for Pods topic. In this example, the default service account of the namespace is manually configured to use this secret as the secret for pulling images.

  1. Run the following command to view the created secret:
    kubectl get secret [$Reg_Secret]
    The following output is returned:
    NAME          TYPE                             DATA      AGE
    [$Reg_Secret] kubernetes.io/dockerconfigjson   1         13m
  2. Run the following commands in sequence to export the configuration of the default service account to the sa.yaml file and view the file:
    kubectl get serviceaccounts default -o yaml > ./sa.yaml
    cat sa.yaml
    The following output is returned:
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      creationTimestamp: 2015-08-07T22:02:39Z
      name: default
      namespace: default
      resourceVersion: "243024"             ##Pay attention to the
      selfLink: /api/v1/namespaces/default/serviceaccounts/default
      uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
    secrets:
    - name: default-token-uudge
  3. Open the sa.yaml file, delete the resourceVersion parameter, and then add the imagePullSecrets parameter to specify the secret for pulling images. The following code shows the modified configuration:
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      creationTimestamp: 2015-08-07T22:02:39Z
      name: default
      namespace: default
      selfLink: /api/v1/namespaces/default/serviceaccounts/default
      uid: 052fb0f4-****-11e5-****-42010af0d7b6
    secrets:
    - name: default-token-uudge
    imagePullSecrets:                ##Pay attention to the
    - name: regsecret
  4. Run the following command to update the default service account by using the sa.yaml file:
    kubectl replace serviceaccount default -f ./sa.yaml
    The following output is returned:
    serviceaccount "default" replaced
  5. Run the kubectl create -f command to create a Tomcat pod. The following configuration is used:
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: tomcat-deployment
      labels:
        app: tomcat
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: tomcat
      template:
        metadata:
          labels:
            app: tomcat
        spec:
          containers:
          - name: tomcat
            image: [$Registry]/abc/test:1.0
            ports:
            - containerPort: 8080
  6. If the configuration is valid, the pod is started. Run the following command to view the imagePullSecrets parameter:
    kubectl get pod tomcat-XXX -o yaml
    The following output is returned. Check whether the orchestration without the secret is successful.
    spec:
      imagePullSecrets:
      - nameregsecretey

Applicable scope

  • ACK