Most organizations store proprietary Docker images in private registries. While it is easy to deploy public Docker images to Kubernetes, there are some additional steps involved when you're dealing with private images. This tutorial shows you how to configure a Kubernetes cluster to access those private images.
This tutorial explains how to create a kubeconfig file to authenticate to a self-hosted Kubernetes cluster. If you use a hosted solution like GKE or AKS, you get the benefit of the cloud provider's Auth system. If it is self-hosted, then you'll have to take the DIY approach. This guide helps you to create a service account on Kubernetes and create a kubeconfig file that can be used by kubectl to interact with the cluster.
Kubernetes is an open-source orchestration engine for automating deployment, scaling, and management of containerized applications at scale. When your requires a large number of containers, you need a tool to group containers into logical units, and to track, manage and monitor them all. Kubernetes helps you do that and is considered the de facto tool for container management.
The Kubernetes project is part of the Cloud Native Computing Foundation (CNCF) and has over 1500 contributors. It was started at Google, which still leads development efforts.
Docker adoption is still growing exponentially and more and more companies have started using it in Production. It is important to use an orchestration platform to scale and manage your containers. Imagine a situation where you have been using Docker for a little while, and have deployed on a few different servers. Your application starts getting massive traffic, and you need to scale up fast, how will you go from 3 servers to 40 servers that you may require? And how will you decide which container should go where? How would you monitor all these containers and make sure they are restarted if they exit? This is where Kubernetes comes in.
Docker images that comprise a production application are often deployed to private repositories in Docker registries. Kubernetes provides a feature called imagePullSecrets that allows pods to pull private docker images. In this blog, we demonstrate how you can easily hookup imagePullSecrets to your pod using Shippable.
Creating an imagePullSecrets secret
imagePullSecrets is a type of a Kubernete Secret whose sole purpose is to pull private images from a Docker registry. It allows you to specify the Url of the docker registry, credentials for logging in and the image name of your private docker image.
There are two ways an imagePullSecrets can be created.
1. kubectl create secret docker-registry command. We use this approach in our blog.
ambarishs-MacBook-Pro:gke ambarish$ kubectl create secret docker-registry private-registry-key --docker-username="devopsrecipes" --docker-password="xxxxxx" --docker-email="email@example.com" --docker-server="https://index.docker.io/v1/"
secret "private-registry-key" created
2. Creating the secret via a yml.
In this approach, a config.json file is created for the private registry. Its contents are then base64 encoded and specified in the .dockerconfigjson property.
apiVersion: v1 kind: Secret metadata: name: private-registry-key namespace: default data: .dockerconfigjson: UmVhbGx5IHJlYWxseSByZWVlZWVlZWVlZWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGx5eXl5eXl5eXl5eXl5eXl5eXl5eSBsbGxsbGxsbGxsbGxsbG9vb29vb29vb29vb29vb29vb29vb29vb29vb25ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubmdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2cgYXV0aCBrZXlzCg== type: kubernetes.io/dockerconfigjson
Applications deployed to a Kubernetes cluster often need access to sensitive information such as credentials to access a database and authentication tokens to make authenticated API calls to services. Kubernetes allows you to specify such sensitive information cleanly in an object called a Secret. This avoids putting sensitive data in a Pod defintion or a docker image. In this blog, we demonstrate how you can easily hookup Kubernetes Secrets to your pod using Shippable.
Creating a Kubernetes Secret
Secrets are defined in a yml file in a Secret object. A Secret object can specifiy multiple secrets in name-value pairs. Each secret has to be base64 encoded before specifying it in the yml.
Let's define an API token as a secret for a fake token xxx-xxx-xxx.
1. Base 64 encode the token.
ambarishs-MacBook-Pro:sources ambarish$ echo -n "xxx-xxx-xxx" | base64
2. Create the secrets yml called create-secret.yml.
apiVersion: v1 kind: Secret metadata: name: auth-token-secret type: Opaque data: AUTH_TOKEN_VALUE: eHh4LXh4eC14eHg=
3. Create the secret in the kubernetes cluster using kubectl.
$ kubectl create -f secrets.yml secret "auth-token" created