New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document Private Registry Authentication #499
Comments
If you're using Google Cloud Platform, one possibility is to use the You should then be able to add |
There's an example of a container manifest which uses a private registry https://github.com/GoogleCloudPlatform/kubernetes/blob/master/build/master-manifest.yaml On Wed, Jul 16, 2014 at 10:36 PM, Johan Euphrosine <notifications@github.com
|
in case it wasn't clear, if you use the Google storage private registry, --brendan On Wed, Jul 16, 2014 at 10:52 PM, Brendan Burns bburns@google.com wrote:
|
In general we'd want to support a wide range of authentications for private registries. OAuth is a good first step, but in multi-tenant setups you can't rely on host trust relationships. Also, folks should be able to use api keys from private repos in the DockerHub, and eventually even passwords.
Lots of complexity here in op shops. Kerberos and SSL client certs are the most common complex solutions, but an OAuth trust relationship, properly configured, would be better than most of the others. |
It may be helpful in the short term to fail softly in the event that a pull operation fails due to an auth issue. I can easily run |
This soft failure mode devolves into #504 On Fri, Jul 18, 2014 at 4:19 PM, Brian Waldon notifications@github.com
|
@erictune @derekwaynecarr @pmorie What else needs to be done on this? |
As per our discussion at the face to face, one option would be to deliver a secret type that would convey authorization to pull the image. The kubelet would need to know something about that secret type, and have a way of defending against malicious use of the secret. |
Do we want to do pulls in a user container as a long-term goal?
|
I don't know. It seems to me that the goal of the platform is to abstract image pulling - it's not something a user is concerned with. It should be fast and ideally delivered by an efficient network abstraction. Cgroup constraints on pulls in some cases - sure. Special pullers - maybe. Tim mentioned something last week that has also come up from the network filesystems guys - having a mount already established on disk of images so that you don't even need to download anything. In that model we would need to still check some permissions, and the user container wouldn't play into it too much.
|
+1 to remote mounting of images. That's the only way we're going to get to ~instantaneous container start. Pulls (and builds) that remain will need to be constrained, however. |
+1 also to remote mounting; we'll need to distribute secrets for whatever
|
A bunch of folks are about to start working on this on our end - I don't know who will own the proposal but expect one soon.
|
@smarterclayton Did a proposal come from this issue? |
@liggitt is working on service accounts right now - his plan was to follow that up with being able to pull images with the secrets associated with the service account.
|
Any update on this? |
|
@deads2k any pointers to docs or better explanations? |
@bgrant0607 what else do you want to see in that documentation. |
On second glance, the coverage seems fine, actually. It wasn't clear to me that the bullet list was a table of contents for the succeeding sections. Also, I'd describe imagePullSecrets before either copying .dockercfg to nodes or pre-pulling (that seems like a niche case). And it's not "ImagePullKeys" -- it's "imagePullSecrets". If we add a convenience command for bundling secrets, we should document that there, also. @liggitt |
I think this is done. |
Following the documentation, I have successfully added a
My question, all example of using
|
It works in the RC the same way - just make sure it's in the right place in On Aug 11, 2015, at 7:12 PM, Matt Ma notifications@github.com wrote: Following the documentation, I have successfully added a secret ➜ kubectl get secrets
NAME TYPE DATA My question, all example of using imagePullSecrets is in the POD, how can i apiVersion: v1 — |
@smarterclayton With my setting above, it did not work.
Could you help me what is the right place in If I manually go in the machine, i could use
|
It's possible it also needs to be added to the service account, @deads2k? On Aug 11, 2015, at 8:02 PM, Matt Ma notifications@github.com wrote: @smarterclayton https://github.com/smarterclayton With my setting above, ➜ kubectl get po
NAME READY STATUS Could you help me what is the right place in rc? — |
|
@mattma I think it is possible that the pod template and RC aren't being created the way you think they are. Would you please follow the steps in https://github.com/kubernetes/kubernetes/blob/release-1.0/docs/user-guide/application-troubleshooting.md#my-pod-is-running-but-not-doing-what-i-told-it-to-do and see if that fixes it? If that still doesn't help, please post the exact RC yaml or json that you are trying to create (anonymize if necessary). |
@erictune Thank you for the tips. I will give it a try. |
My |
@mattma adding a service account won't fix the problem, because you already have the Two things that might be going on: You might be using the new dockercfg format, which we don't support yet. See this issue for details: #12626
and make sure that file matches what you are expecting. |
I don't think #12626 applies in this case since the secret wasn't found at all. We don't attempt to parse until the keyring is created. |
For reference, I would expect an unmarshalling failure due to the new dockercfg format would fail here: https://github.com/kubernetes/kubernetes/blob/master/pkg/credentialprovider/keyring.go#L282, but the not found comes from here: https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/kubelet.go#L1290 |
I tear down the whole kubernetes cluster, and rebuild it, regenerate the new base64 token from What possible went wrong? I was using the |
How is it working for you? no matter which approach I try, it fails to pull from my private repo
my setup (aws ec2 + coreos alpha-v774.0.0):secret.yaml:
dbRC.yaml:
kubectl version
|
Can you confirm that your base64 secret matches correctly using the command referenced here: #499 (comment) ? The imagePullSecret is loaded into a keyring that matches based on the URL of your pull spec, so that needs to match correctly as well. |
apparently it was a base64 issue. thanks for the lead @deads2k.
|
I asked a StackOverflow question with largely the same problem as @drora -- cross-referencing here because I used this thread to troubleshoot. |
got this working when:
-> base64 encode and make sure it is still one line when listin as entry for .dockercfg |
@streamnsight thank you! I was going nuts with this util I saw your directions :) |
@streamnsight Thanks a lot! Your solution saves my day! |
Thank you @streamnsight. I think I had to remove all spaces from it as well. |
I pushed this PR #17286 for the documentation over a month ago but it's still has not made it into the repo. |
How do we set up kubernetes to works with private registries?
Currently we can put a remote registry into the image tag for the pod but there appears to be nowhere to enter the login details if these images are private.
Ideally I guess we should be able to set these in the global config script, as the login details for a single registry would be the same for each pod, rather than repeating them in each pod's spec.
The text was updated successfully, but these errors were encountered: