To let Kubernetes nodes pull images from Google Container Registry, we need a long-lived credential that can be stored in a Kubernetes secret. To set that up, perform the following steps:
- Create a GCP service account (container-sa):
$ gcloud iam service-accounts create container-sa
Created service account [container-sa].
//full name is as below
$ gcloud iam service-accounts list | grep container
[email protected]
- Assign container-sa (use full name) to the roles/storage.admin role:
$ gcloud projects add-iam-policy-binding kubernetes-cookbook
> --member serviceAccount:[email protected]
> --role=roles/storage.admin
- Generate a key file (container-sa.json) for container-sa:
$ gcloud iam service-accounts keys create container-sa.json
> --iam-account [email protected]
created key [f60a81235a1ed9fbce881639f621470cb087149c] of type [json] as [container-sa.json] for [[email protected]]
- Use docker login to check whether the key file is working or not:
//note that username must be _json_key
$ cat container-sa.json | docker login --username _json_key --password-stdin gcr.io
Login Succeeded
- Use docker pull to check whether you can pull from container registry or not:
$ docker pull gcr.io/kubernetes-cookbook/my-nginx
Using default tag: latest
latest: Pulling from kubernetes-cookbook/my-nginx
e7bb522d92ff: Pulling fs layer
6edc05228666: Pulling fs layer
...
Everything looks fine! Now you can use a Kubernetes secret in exactly the same way as with a private registry or AWS ECR.
- Create a Kubernetes secret (my-gcr-secret) to specify _json_key and container-sa.json:
$ kubectl create secret docker-registry my-gcr-secret
> --docker-server=gcr.io
> --docker-username=_json_key
> --docker-password=`cat container-sa.json`
> --docker-email=[email protected]
secret "my-gcr-secret" created
- Specify my-gcr-secret to imagePullSecrets to launch a pod:
$ cat private-nginx-gcr.yaml
apiVersion: v1
kind: Pod
metadata:
  name: private-nginx-gcr
spec:
  containers:
  - name: private-nginx-gcr
    image: gcr.io/kubernetes-cookbook/my-nginx
  imagePullSecrets:
  - name: my-gcr-secret
$ kubectl create -f private-nginx-gcr.yaml
pod "private-nginx-gcr" created
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
private-nginx-gcr 1/1 Running 0 47s
Congratulations! Now you can use Google Container Registry, fully managed by GCP, as your private registry, and Kubernetes can pull your private images from there.
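The secret created above is a kubernetes.io/dockerconfigjson object whose payload embeds the whole key file as the password under the _json_key username. The following added example (not from the book) rebuilds that payload the way kubectl does and audits a Secret object of the shape returned by kubectl get secret -o json, so a misnamed username, a wrong registry host, or a non-key password is caught before a pod fails with ImagePullBackOff. The key file and e-mail address are constructed placeholders.

```python
import base64
import json

# Constructed stand-in for container-sa.json (a real key also carries
# private_key, client_id and token URIs); the e-mail is a placeholder.
SAMPLE_KEY = json.dumps({"type": "service_account",
                         "project_id": "kubernetes-cookbook",
                         "client_email": "container-sa@example.iam.gserviceaccount.com"})


def build_dockerconfigjson(server, username, password, email):
    """Produce the .dockerconfigjson value that
    `kubectl create secret docker-registry` stores: base64 of a docker
    config whose auth field is base64(username:password)."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    cfg = {"auths": {server: {"username": username, "password": password,
                              "email": email, "auth": auth}}}
    return base64.b64encode(json.dumps(cfg).encode()).decode()


def check_gcr_pull_secret(secret, server="gcr.io"):
    """Audit a Secret object (shape of `kubectl get secret -o json`).
    Returns a list of problems; an empty list means it should work for GCR."""
    problems = []
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        problems.append("type is not kubernetes.io/dockerconfigjson")
    raw = secret.get("data", {}).get(".dockerconfigjson")
    if raw is None:
        return problems + ["missing .dockerconfigjson"]
    entry = json.loads(base64.b64decode(raw)).get("auths", {}).get(server)
    if entry is None:
        return problems + [f"no auths entry for {server}"]
    user, pw = entry.get("username"), entry.get("password", "")
    if user != "_json_key":
        problems.append("username must be _json_key when the password is a key file")
    try:
        key = json.loads(pw)
    except json.JSONDecodeError:
        return problems + ["password is not a JSON service-account key"]
    if key.get("type") != "service_account":
        problems.append("key file type is not service_account")
    if entry.get("auth") != base64.b64encode(f"{user}:{pw}".encode()).decode():
        problems.append("auth field is not base64(username:password)")
    return problems


def sample_secret(username="_json_key", server="gcr.io"):
    """Constructed Secret resembling my-gcr-secret from the recipe."""
    data = build_dockerconfigjson(server, username, SAMPLE_KEY, "user@example.com")
    return {"type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": data}}
```

To audit a live secret, feed `json.load` of `kubectl get secret my-gcr-secret -o json` to check_gcr_pull_secret.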