A new version of GKE on AWS was released on October 2. See the release notes for more information.

Using a private image registry

This topic describes how to use GKE on AWS with a private container image repository, such as Container Registry (GCR).

Before you begin

Before you start using GKE on AWS, make sure you have performed the following tasks:

  • Install a management service.
  • Create a user cluster.
  • From your anthos-aws directory, use anthos-gke to switch context to your user cluster.
    cd anthos-aws
    env HTTP_PROXY=http://localhost:8118 \
    anthos-gke aws clusters get-credentials CLUSTER_NAME
  • Have a Docker image built and pushed to Container Registry. The examples in this topic use the hello-app container, built with the steps from Deploying a containerized application in the GKE on Google Cloud documentation.

Private Container Registries

A container registry stores and distributes container images. Your GKE on AWS installation can access public images by default.

Check for images on Container Registry

To complete the rest of these steps, you need a container image. Get the name of your container images by performing the following steps:

  1. Configure the Docker command-line tool to authenticate to Container Registry (you need to run this only once):

    gcloud auth configure-docker
    
  2. Confirm that your Container Registry includes an image with docker images.

    docker images
    

    Docker connects to Container Registry and returns the images available in your Container Registry repository. For example, the response below shows a container image named hello-app in the project-id repository.

    REPOSITORY                    TAG                 IMAGE ID            CREATED             SIZE
    gcr.io/project-id/hello-app   v1                  732f02cea7cb        12 minutes ago      11.5MB
    

If you do not have a container image ready, create one by following the steps at Deploying a containerized application.

Create a Service Account

Your GKE on AWS cluster authenticates using an Identity and Access Management (IAM) service account. Let's create a new service account and generate a JSON key file.

  1. Create an IAM service account with the gcloud command-line tool.

    gcloud iam service-accounts create account-name
    

    Replace account-name with the name of the new Google Cloud service account.

  2. Grant the service account access to Container Registry.

    gcloud projects add-iam-policy-binding project-id \
      --member serviceAccount:account-name@project-id.iam.gserviceaccount.com \
      --role roles/storage.objectViewer
    

    Replace the following:

    • project-id with your Google Cloud project
    • account-name with your Google Cloud service account name
  3. Download the account's service account key.

    gcloud iam service-accounts keys create key.json \
      --iam-account account-name@project-id.iam.gserviceaccount.com
    

    Replace the following:

    • project-id with your Google Cloud project
    • account-name with your Google Cloud service account name

You are now ready to configure your GKE on AWS cluster to connect to Container Registry.

Define a Kubernetes Secret

To provide the key to authenticate to GKE on AWS on Container Registry, save the service account key as a Kubernetes Secret.

  1. Use kubectl to create the secret.

    env HTTP_PROXY=http://localhost:8118 \
    kubectl create secret docker-registry gcr-secret \
            --docker-server=gcr.io \
            --docker-username=_json_key \
            --docker-email=account-name@project-id.iam.gserviceaccount.com \
            --docker-password="$(cat key.json)"
    

    Replace the following:

    • project-id with your Google Cloud project
    • account-name with your Google Cloud service account name
  2. Delete the local copy of your service account key.

    rm key.json
    

You can now reference this secret in your workloads.

Create a workload with a private image

To use the image with a workload on GKE on AWS, you set the field spec.imagePullSecrets to your secret name.

Creating a Pod

To create a Pod, that can access the container registry, you set the field spec.imagePullSecrets to your secret name.

  1. Create a Pod that specifies spec.imagePullSecrets.

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-name
    spec:
      containers:
      - name: container-name
        image: gcr.io/project-id/hello-app:v1
      imagePullSecrets:
      - name: secret-name
    

    Replace the following:

    • pod-name with your Pod's name
    • container-name with the name of the container inside the Pod
    • project-id with your Google Cloud project
    • secret-name with the name of your registry secret

    For example, to pull the image hello-app, copy the following YAML into a file named hello-pod.yaml.

    apiVersion: v1
    kind: Pod
    metadata:
      name: hello-pod
    spec:
      containers:
      - name: hello-container
        image: gcr.io/project-id/hello-app:v1
      imagePullSecrets:
      - name: gcr-secret
    
  2. Apply the configuration to your cluster with kubectl.

    env HTTP_PROXY=http://localhost:8118 \
    kubectl apply -f hello-pod.yaml
    
  3. Confirm the pod is running with kubectl get.

    env HTTP_PROXY=http://localhost:8118 \
    kubectl get pod/hello-pod
    

    The response includes one Pod with a status of Running.

    NAME        READY   STATUS    RESTARTS   AGE
    hello-pod   1/1     Running   0          15s
    

    Creating a Deployment

  4. To use a private repository in a Deployment, you specify the imagePullSecret inside the template.

    For example, to create a Deployment, of the hello-app image, create a file named hello-deployment.yaml with the following contents:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: hello-app-deployment
    spec:
      selector:
        matchLabels:
          app: products
          department: sales
      replicas: 3
      template:
        metadata:
          labels:
            app: products
            department: sales
        spec:
          containers:
          - name: hello
            image: "gcr.io/project-id/hello-app:v1"
            env:
            - name: "PORT"
              value: "50001"
          imagePullSecrets:
          - name: gcr-secret
    
  5. Apply the configuration to your cluster with kubectl.

    kubectl apply -f hello-deployment.yaml
    
  6. Confirm your Deployment is running with kubectl pods.

    env HTTP_PROXY=http://localhost:8118 \
    kubectl get pods --selector=app=products
    

    The output contains three Running pods.

    NAME                                    READY   STATUS    RESTARTS   AGE
    hello-app-deployment-67d9c6d98c-b69f2   1/1     Running   0          14m
    hello-app-deployment-67d9c6d98c-d6k5c   1/1     Running   0          14m
    hello-app-deployment-67d9c6d98c-p2md5   1/1     Running   0          14m
    

What's next