Google Cloud Kubernetes accessing private Docker Hub hosted images


Question


Is it possible, to pull private images from Docker Hub to a Google Cloud Kubernetes cluster? Is this recommended, or do I need to push my private images also to Google Cloud?


I read the documentation, but I found nothing that could explain this to me clearly. It seems that it is possible, but I don't know if it's recommended.

Accepted answer


There is no restriction to use any registry you want. If you just use the image name, (e.g., image: nginx) in pod specification, the image will be pulled from public docker hub registry with tag assumed as :latest


As mentioned in the Kubernetes documentation:


The image property of a container supports the same syntax as the docker command does, including private registries and tags. Private registries may require keys to read images from them.


Kubernetes has native support for the Google Container Registry (GCR), when running on Google Compute Engine (GCE). If you are running your cluster on GCE or Google Kubernetes Engine, simply use the full image name (e.g. gcr.io/my_project/image:tag). All pods in a cluster will have read access to images in this registry.


Kubernetes has native support for the AWS EC2 Container Registry, when nodes are AWS EC2 instances. Simply use the full image name (e.g. ACCOUNT.dkr.ecr.REGION.amazonaws.com/imagename:tag) in the Pod definition. All users of the cluster who can create pods will be able to run pods that use any of the images in the ECR registry.


When using Azure Container Registry you can authenticate using either an admin user or a service principal. In either case, authentication is done via standard Docker authentication. These instructions assume the azure-cli command line tool.


You first need to create a registry and generate credentials, complete documentation for this can be found in the Azure container registry documentation.


Here are the recommended steps for configuring your nodes to use a private registry. In this example, run these on your desktop/laptop:

  1. Run docker login [server] for each set of credentials you want to use. This updates $HOME/.docker/config.json.
  2. View $HOME/.docker/config.json in an editor to ensure it contains just the credentials you want to use.
  3. Get a list of your nodes, for example:
    • if you want the names: nodes=$(kubectl get nodes -o jsonpath='{range.items[*].metadata}{.name} {end}')
    • if you want to get the IPs: nodes=$(kubectl get nodes -o jsonpath='{range .items[*].status.addresses[?(@.type=="ExternalIP")]}{.address} {end}')
  4. For example: for n in $nodes; do scp ~/.docker/config.json root@$n:/root/.docker/config.json; done

Use cases:


There are a number of solutions for configuring private registries. Here are some common use cases and suggested solutions.

  1. Cluster running only non-proprietary (e.g. open-source) images. No need to hide images.
    • Use public images on the Docker hub.
      • No configuration required.
      • On GCE/Google Kubernetes Engine, a local mirror is automatically used for improved speed and availability.
  • Use a hosted private Docker registry.
    • It may be hosted on the Docker Hub, or elsewhere.
    • Manually configure .docker/config.json on each node as described above.
  • No Kubernetes configuration required.
  • It will work better with cluster autoscaling than manual node configuration.
  • Ensure AlwaysPullImages admission controller is active. Otherwise, all Pods potentially have access to all images.
  • Move sensitive data into a "Secret" resource, instead of packaging it in an image.
  • Ensure AlwaysPullImages admission controller is active. Otherwise, all Pods of all tenants potentially have access to all images.
  • Run a private registry with authorization required.
  • Generate registry credential for each tenant, put into secret, and populate secret to each tenant namespace.
  • The tenant adds that secret to imagePullSecrets of each namespace.

Consider reading the Pull an Image from a Private Registry document if you decide to use a private registry.
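The per-tenant imagePullSecrets option from the answer, as an added example that is not part of the original answer: it builds the same config.json structure that docker login writes, checks it for stray credentials (step 2 above), wraps it in a kubernetes.io/dockerconfigjson Secret and produces a Pod that references it with imagePullPolicy Always. The registry key for Docker Hub is the one docker login uses; the user, token, namespace and image names are constructed placeholders.

```python
import base64
import json

# Registry key that `docker login` (with no server argument) writes for Docker Hub.
DOCKER_HUB = "https://index.docker.io/v1/"


def docker_config_json(registry, username, password):
    """Build the $HOME/.docker/config.json structure for one registry credential."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"auths": {registry: {"username": username, "password": password, "auth": auth}}}


def unexpected_registries(config, allowed):
    """Step 2 of the answer: list registries in config.json that you did not intend to ship."""
    return sorted(set(config.get("auths", {})) - set(allowed))


def image_pull_secret(name, namespace, config):
    """Secret of type kubernetes.io/dockerconfigjson holding the config.json, scoped to one namespace."""
    raw = json.dumps(config).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(raw).decode()},
    }


def pod_manifest(name, namespace, image, secret_name):
    """Pod that pulls with the tenant secret; Always matches what AlwaysPullImages enforces."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "imagePullSecrets": [{"name": secret_name}],
            "containers": [{"name": name, "image": image, "imagePullPolicy": "Always"}],
        },
    }


def registries_in_secret(secret):
    """Decode a dockerconfigjson Secret and return the registries it carries credentials for."""
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    return sorted(json.loads(raw)["auths"])


if __name__ == "__main__":
    # Constructed sample values; substitute a real Docker Hub user and access token.
    cfg = docker_config_json(DOCKER_HUB, "example-user", "example-token")
    secret = image_pull_secret("dockerhub-creds", "tenant-a", cfg)
    pod = pod_manifest("app", "tenant-a", "example-user/private-app:1.0", "dockerhub-creds")
    print(json.dumps([secret, pod], indent=2))  # pipe into: kubectl apply -f -
```

kubectl accepts JSON manifests directly, so the printed list can be applied as-is; the Secret only grants pulls to Pods in its own namespace, which is the isolation the multi-tenant bullets rely on.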
