Google Cloud Kubernetes accessing private Docker Hub hosted images
Is it possible to pull private images from Docker Hub into a Google Cloud Kubernetes cluster?
Is this recommended, or do I need to push my private images to Google Cloud as well?
I read the documentation but did not find anything that explains this clearly to me. It seems to be possible, but I don't know whether it is the recommended approach.
There is no restriction on using whatever registry you want. If you just use an image name in the pod spec (e.g. image: nginx), the image is pulled from the public Docker Hub registry and the tag is assumed to be :latest.
As described in the Kubernetes documentation:
The image property of a container supports the same syntax as the docker command does, including private registries and tags. Private registries may require keys to read images from them.
Using Google Container Registry
Kubernetes has native support for the Google Container Registry (GCR), when running on Google Compute Engine (GCE). If you are running your cluster on GCE or Google Kubernetes Engine, simply use the full image name (e.g. gcr.io/my_project/image:tag). All pods in a cluster will have read access to images in this registry.
Using AWS EC2 Container Registry
Kubernetes has native support for the AWS EC2 Container Registry, when nodes are AWS EC2 instances. Simply use the full image name (e.g. ACCOUNT.dkr.ecr.REGION.amazonaws.com/imagename:tag) in the Pod definition. All users of the cluster who can create pods will be able to run pods that use any of the images in the ECR registry.
Using Azure Container Registry (ACR)
When using Azure Container Registry you can authenticate using either an admin user or a service principal. In either case, authentication is done via standard Docker authentication. These instructions assume the azure-cli command line tool.
You first need to create a registry and generate credentials; complete documentation for this can be found in the Azure container registry documentation.
Configuring Nodes to Authenticate to a Private Repository
Here are the recommended steps to configure your nodes to use a private registry. In this example, run these on your desktop/laptop:
- Run docker login [server] for each set of credentials you want to use. This updates $HOME/.docker/config.json.
- View $HOME/.docker/config.json in an editor to ensure it contains just the credentials you want to use.
- Get a list of your nodes, for example:
  - if you want the names:
    nodes=$(kubectl get nodes -o jsonpath='{range .items[*].metadata}{.name} {end}')
  - if you want the IPs:
    nodes=$(kubectl get nodes -o jsonpath='{range .items[*].status.addresses[?(@.type=="ExternalIP")]}{.address} {end}')
- Copy your local .docker/config.json to the home directory of root on each node, for example:
    for n in $nodes; do scp ~/.docker/config.json root@$n:/root/.docker/config.json; done
Use cases:
There are a number of solutions for configuring private registries. Here are some common use cases and suggested solutions.
- Cluster running only non-proprietary (e.g. open-source) images. No need to hide images.
  - Use public images on the Docker Hub.
    - No configuration required.
    - On GCE/Google Kubernetes Engine, a local mirror is automatically used for improved speed and availability.
- Cluster running some proprietary images which should be hidden to those outside the company, but visible to all cluster users.
  - Use a hosted private Docker registry.
    - It may be hosted on the Docker Hub, or elsewhere.
    - Manually configure .docker/config.json on each node as described above.
  - Or, run an internal private registry behind your firewall with open read access.
    - No Kubernetes configuration is required.
  - Or, when on GCE/Google Kubernetes Engine, use the project's Google Container Registry.
    - It will work better with cluster autoscaling than manual node configuration.
  - Or, on a cluster where changing the node configuration is inconvenient, use imagePullSecrets.
- Cluster with proprietary images, a few of which require stricter access control.
  - Ensure the AlwaysPullImages admission controller is active. Otherwise, all Pods potentially have access to all images.
  - Move sensitive data into a "Secret" resource, instead of packaging it in an image.
- A multi-tenant cluster where each tenant needs its own private registry.
  - Ensure the AlwaysPullImages admission controller is active. Otherwise, all Pods of all tenants potentially have access to all images.
  - Run a private registry with authorization required.
  - Generate a registry credential for each tenant, put it into a secret, and populate the secret to each tenant namespace.
  - The tenant adds that secret to imagePullSecrets of each namespace.
If you decide to use a private registry, consider reading the Pull an Image from a Private Registry documentation.
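The imagePullSecrets route recommended above, as an added example that is not part of the original answer: instead of copying /root/.docker/config.json to every node, generate a namespaced kubernetes.io/dockerconfigjson Secret for Docker Hub and a Pod that references it. The secret name, namespace, user, token and image below are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original answers): build the imagePullSecrets
# material for a private Docker Hub image on GKE. Names used here (regcred,
# demo, alice, the token, the image) are constructed placeholders.
set -eu

# Registry key that "docker login" (with no server argument) stores in
# ~/.docker/config.json; the kubelet matches docker.io images against it.
DOCKERHUB_SERVER="https://index.docker.io/v1/"

# JSON equivalent of one "auths" entry in ~/.docker/config.json.
# $1 = server  $2 = username  $3 = password or access token
docker_config_json() {
  auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$1" "$2" "$3" "$auth"
}

# Secret manifest equivalent to:
#   kubectl create secret docker-registry NAME --docker-server=SERVER \
#     --docker-username=USER --docker-password=TOKEN -n NAMESPACE
# Scoping the credential to one namespace keeps tenants from sharing it.
# $1 = secret name  $2 = namespace  $3 = server  $4 = username  $5 = token
pull_secret_manifest() {
  cfg=$(docker_config_json "$3" "$4" "$5" | base64 | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\n' "$1" "$2"
  printf 'type: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' "$cfg"
}

# Pod that pulls a private Docker Hub image with that secret. The secret must
# live in the Pod's namespace. imagePullPolicy: Always re-checks the credential
# on every start, which is what the AlwaysPullImages admission controller
# enforces cluster-wide so cached images cannot be reused across tenants.
# $1 = pod name  $2 = namespace  $3 = secret name  $4 = image reference
pod_manifest() {
  printf 'apiVersion: v1\nkind: Pod\nmetadata:\n  name: %s\n  namespace: %s\n' "$1" "$2"
  printf 'spec:\n  imagePullSecrets:\n  - name: %s\n  containers:\n' "$3"
  printf '  - name: app\n    image: %s\n    imagePullPolicy: Always\n' "$4"
}

# Usage (both manifests can be piped into "kubectl apply -f -"):
# pull_secret_manifest regcred demo "$DOCKERHUB_SERVER" alice "$DOCKERHUB_TOKEN"
# pod_manifest app demo regcred docker.io/alice/private-app:1.0
```

Use a Docker Hub access token rather than the account password as the fifth argument; the token can be revoked on its own if the Secret ever leaks.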
There are 3 types of registries:
- Public (Docker Hub, Docker Cloud, Quay, etc.)
- Private: this would be a registry running on your local network. One example is running a docker container with the registry image.
- Restricted: this is a registry that requires some credentials for authentication. Google Container Registry (GCR) is an example.
As you said, in a public registry such as Docker Hub you can have private images.
Private and restricted registries are obviously more secure, because one of them is not even exposed to the internet (ideally), and the other requires credentials.
I guess you can reach an acceptable level of security with any of them. So, it is a matter of choice. If you feel your application is critical and don't want to run any risk, you should put it in GCR or a private registry.
If you feel it is important, but not critical, you can put it in any public repository and make it private. That will provide a layer of security.