This topic describes how to use GKE on AWS with a private container image repository, such as Container Registry (GCR).
Before you begin
Before you start using GKE on AWS, make sure you have performed the following tasks:
- Complete the Prerequisites.
- Install a management service.
- Create a user cluster.
- From your
anthos-aws
directory, useanthos-gke
to switch context to your user cluster. Replace CLUSTER_NAME with your user cluster name.cd anthos-aws env HTTPS_PROXY=http://localhost:8118 \ anthos-gke aws clusters get-credentials CLUSTER_NAME
- Have a Docker image built and pushed to Container Registry. The examples in
this topic use the
hello-app
container, built with the steps from Deploying a containerized application in the GKE on Google Cloud documentation.
Private Container Registries
A container registry stores and distributes container images. Your GKE on AWS installation can access public images by default.
Check for images on Container Registry
To complete the rest of these steps, you need a container image. Get the name of your container images by performing the following steps:
Configure the Docker command-line tool to authenticate to Container Registry with Google Cloud CLI:
gcloud auth configure-docker
The Google Cloud CLI registers a credential helper for all Google-supported Docker registries.
Confirm that your Container Registry includes an image with
docker images
.docker images
Docker connects to Container Registry and returns the images available in your Container Registry repository. For example, the response below shows a container image named
hello-app
in the project-id repository.REPOSITORY TAG IMAGE ID CREATED SIZE gcr.io/project-id/hello-app v1 732f02cea7cb 12 minutes ago 11.5MB
If you do not have a container image ready, create one by following the steps at Deploying a containerized application.
Create a Service Account
Your user clusters authenticate using an Identity and Access Management (IAM) service account.
To create a new service account, perform the following steps:
Create an IAM service account with the Google Cloud CLI.
gcloud iam service-accounts create account-name
Replace account-name with the name of the new Google Cloud service account.
Grant the service account access to Container Registry.
gcloud projects add-iam-policy-binding project-id \ --member serviceAccount:account-name@project-id.iam.gserviceaccount.com \ --role roles/storage.objectViewer
Replace the following:
- project-id with your Google Cloud project
- account-name with your Google Cloud service account name
Download the account's service account key.
gcloud iam service-accounts keys create key.json \ --iam-account account-name@project-id.iam.gserviceaccount.com
Replace the following:
- project-id with your Google Cloud project
- account-name with your Google Cloud service account name
You are now ready to configure your user cluster to connect to Container Registry.
Define a Kubernetes Secret
To provide the key to authenticate to Container Registry, save the service account key as a Kubernetes Secret by performing the following steps:
Use
kubectl
to create the secret.env HTTPS_PROXY=http://localhost:8118 \ kubectl create secret docker-registry gcr-secret \ --docker-server=gcr.io \ --docker-username=_json_key \ --docker-email=account-name@project-id.iam.gserviceaccount.com \ --docker-password="$(cat key.json)"
Replace the following:
- project-id with your Google Cloud project
- account-name with your Google Cloud service account name
Delete the local copy of your service account key.
rm key.json
You can now reference this secret in your workloads.
Create a workload with a private image
To use an image from a private container repository with a workload, you set
the field spec.imagePullSecrets
to your secret name. This field is in
different locations for Pods and
Deployments.
Creating a Pod
To create a Pod, that can access the container registry, you set the field
spec.imagePullSecrets
to your secret name.
Create a Pod that specifies
spec.imagePullSecrets
.apiVersion: v1 kind: Pod metadata: name: pod-name spec: containers: - name: container-name image: gcr.io/project-id/hello-app:v1 imagePullSecrets: - name: secret-name
Replace the following:
- pod-name with your Pod's name
- container-name with the name of the container inside the Pod
- project-id with your Google Cloud project
- secret-name with the name of your registry secret
For example, to pull the image
hello-app
, copy the following YAML into a file namedhello-pod.yaml
.apiVersion: v1 kind: Pod metadata: name: hello-pod spec: containers: - name: hello-container image: gcr.io/project-id/hello-app:v1 imagePullSecrets: - name: gcr-secret
Apply the configuration to your cluster with
kubectl
.env HTTPS_PROXY=http://localhost:8118 \ kubectl apply -f hello-pod.yaml
Confirm the pod is running with
kubectl get
.env HTTPS_PROXY=http://localhost:8118 \ kubectl get pod/hello-pod
The response includes one Pod with a status of
Running
.NAME READY STATUS RESTARTS AGE hello-pod 1/1 Running 0 15s
Creating a Deployment
To use a private repository in a Deployment, you specify the
imagePullSecret
inside the template.For example, to create a Deployment, of the
hello-app
image, create a file namedhello-deployment.yaml
with the following contents:apiVersion: apps/v1 kind: Deployment metadata: name: hello-app-deployment spec: selector: matchLabels: app: products department: sales replicas: 3 template: metadata: labels: app: products department: sales spec: containers: - name: hello image: "gcr.io/project-id/hello-app:v1" env: - name: "PORT" value: "50001" imagePullSecrets: - name: gcr-secret
Apply the configuration to your cluster with
kubectl
.env HTTPS_PROXY=http://localhost:8118 \ kubectl apply -f hello-deployment.yaml
Confirm your Deployment is running with
kubectl pods
.env HTTPS_PROXY=http://localhost:8118 \ kubectl get pods --selector=app=products
The output contains three
Running
pods.NAME READY STATUS RESTARTS AGE hello-app-deployment-67d9c6d98c-b69f2 1/1 Running 0 14m hello-app-deployment-67d9c6d98c-d6k5c 1/1 Running 0 14m hello-app-deployment-67d9c6d98c-p2md5 1/1 Running 0 14m
What's next
- Read the Container Registry overview.