This topic describes how to use GKE on AWS with a private container image repository, such as Container Registry (GCR).
Before you begin
Before you start using GKE on AWS, make sure you have performed the following tasks:
- Complete the Prerequisites.
- Install a management service.
- Create a user cluster.
- From your anthos-aws directory, use anthos-gke to switch context to your user cluster. Replace CLUSTER_NAME with your user cluster name.

    cd anthos-aws
    env HTTPS_PROXY=http://localhost:8118 \
      anthos-gke aws clusters get-credentials CLUSTER_NAME
- Have a Docker image built and pushed to Container Registry. The examples in this topic use the hello-app container, built with the steps from Deploying a containerized application in the GKE on Google Cloud documentation.
Private Container Registries
A container registry stores and distributes container images. Your GKE on AWS installation can access public images by default.
Check for images on Container Registry
To complete the rest of these steps, you need a container image. Get the name of your container images by performing the following steps:
Configure the Docker command-line tool to authenticate to Container Registry with Google Cloud CLI:

    gcloud auth configure-docker

The Google Cloud CLI registers a credential helper for all Google-supported Docker registries.
Confirm that your Container Registry includes an image with docker images.

    docker images

Docker connects to Container Registry and returns the images available in your Container Registry repository. For example, the response below shows a container image named hello-app in the project-id repository.

    REPOSITORY                    TAG   IMAGE ID       CREATED          SIZE
    gcr.io/project-id/hello-app   v1    732f02cea7cb   12 minutes ago   11.5MB
If you do not have a container image ready, create one by following the steps at Deploying a containerized application.
Create a Service Account
Your user clusters authenticate using an Identity and Access Management (IAM) service account.
To create a new service account, perform the following steps:
Create an IAM service account with the Google Cloud CLI.

    gcloud iam service-accounts create account-name

Replace account-name with the name of the new Google Cloud service account.
Grant the service account access to Container Registry.

    gcloud projects add-iam-policy-binding project-id \
      --member serviceAccount:account-name@project-id.iam.gserviceaccount.com \
      --role roles/storage.objectViewer

Replace the following:
- project-id with your Google Cloud project
- account-name with your Google Cloud service account name
Download the account's service account key.

    gcloud iam service-accounts keys create key.json \
      --iam-account account-name@project-id.iam.gserviceaccount.com

Replace the following:
- project-id with your Google Cloud project
- account-name with your Google Cloud service account name
You are now ready to configure your user cluster to connect to Container Registry.
Define a Kubernetes Secret
To provide the key to authenticate to Container Registry, save the service account key as a Kubernetes Secret by performing the following steps:
Use kubectl to create the secret.

    env HTTPS_PROXY=http://localhost:8118 \
      kubectl create secret docker-registry gcr-secret \
      --docker-server=gcr.io \
      --docker-username=_json_key \
      --docker-email=account-name@project-id.iam.gserviceaccount.com \
      --docker-password="$(cat key.json)"

Replace the following:
- project-id with your Google Cloud project
- account-name with your Google Cloud service account name
Delete the local copy of your service account key.

    rm key.json
You can now reference this secret in your workloads.
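The kubectl command above packs the entire key.json file into the Secret as the registry password, which is why the local copy can be removed afterwards: the key now lives in the cluster. The following Python script, added here as an illustration and not part of the original page or of GKE on AWS, reproduces the Secret that `kubectl create secret docker-registry` builds (type kubernetes.io/dockerconfigjson, username _json_key, the key file as the password), checks that the file really is a key for the expected service account before embedding it, and reads a pull secret back showing only registry and username so the key is never echoed. SAMPLE_KEY is a constructed stand-in for a key file with a placeholder private key.

```python
import base64
import json

# Constructed sample with the shape of a key file written by
# `gcloud iam service-accounts keys create`; the private key is a placeholder.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "project-id",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "account-name@project-id.iam.gserviceaccount.com",
}


def validate_key(key: dict, expected_email: str) -> None:
    """Refuse anything that is not a service account key for the expected account."""
    if key.get("type") != "service_account":
        raise ValueError("not a service account key (type != service_account)")
    if key.get("client_email") != expected_email:
        raise ValueError(
            f"key belongs to {key.get('client_email')!r}, expected {expected_email!r}"
        )


def build_dockerconfigjson(key: dict, registry: str = "gcr.io") -> dict:
    """Same auths entry that `kubectl create secret docker-registry` writes:
    username _json_key, the whole key file as password, and the base64 'user:password' pair."""
    password = json.dumps(key)
    auth = base64.b64encode(f"_json_key:{password}".encode()).decode()
    return {
        "auths": {
            registry: {
                "username": "_json_key",
                "password": password,
                "email": key["client_email"],
                "auth": auth,
            }
        }
    }


def build_secret_manifest(name: str, key: dict, expected_email: str, registry: str = "gcr.io") -> dict:
    """Kubernetes Secret manifest (as a dict; kubectl accepts the JSON form) for the pull secret."""
    validate_key(key, expected_email)
    config = json.dumps(build_dockerconfigjson(key, registry))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(config.encode()).decode()},
    }


def inspect_secret(manifest: dict) -> dict:
    """Decode a pull secret and report registry -> username only, never the password."""
    raw = base64.b64decode(manifest["data"][".dockerconfigjson"])
    auths = json.loads(raw)["auths"]
    return {registry: entry["username"] for registry, entry in auths.items()}


def secret_embeds_key(manifest: dict, key: dict) -> bool:
    """True when the key's private_key_id is inside the secret: the key file now lives in the cluster."""
    raw = base64.b64decode(manifest["data"][".dockerconfigjson"])
    for entry in json.loads(raw)["auths"].values():
        if json.loads(entry["password"]).get("private_key_id") == key["private_key_id"]:
            return True
    return False


if __name__ == "__main__":
    manifest = build_secret_manifest("gcr-secret", SAMPLE_KEY, SAMPLE_KEY["client_email"])
    print(json.dumps({k: v for k, v in manifest.items() if k != "data"}, indent=2))
    print("registries:", inspect_secret(manifest))
```

Because the key file is stored verbatim in the Secret, anyone who can read Secrets in that namespace can recover it; scope the service account's role as narrowly as your registry layout allows and rotate the key when it leaves the cluster.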
Create a workload with a private image
To use an image from a private container repository with a workload, you set the field spec.imagePullSecrets to your secret name. This field is in different locations for Pods and Deployments.
Creating a Pod
To create a Pod that can access the container registry, set the field spec.imagePullSecrets to your secret name.
Create a Pod that specifies spec.imagePullSecrets.

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-name
    spec:
      containers:
      - name: container-name
        image: gcr.io/project-id/hello-app:v1
      imagePullSecrets:
      - name: secret-name

Replace the following:
- pod-name with your Pod's name
- container-name with the name of the container inside the Pod
- project-id with your Google Cloud project
- secret-name with the name of your registry secret
For example, to pull the image hello-app, copy the following YAML into a file named hello-pod.yaml.

    apiVersion: v1
    kind: Pod
    metadata:
      name: hello-pod
    spec:
      containers:
      - name: hello-container
        image: gcr.io/project-id/hello-app:v1
      imagePullSecrets:
      - name: gcr-secret

Apply the configuration to your cluster with kubectl.

    env HTTPS_PROXY=http://localhost:8118 \
      kubectl apply -f hello-pod.yaml

Confirm the pod is running with kubectl get.

    env HTTPS_PROXY=http://localhost:8118 \
      kubectl get pod/hello-pod

The response includes one Pod with a status of Running.

    NAME        READY   STATUS    RESTARTS   AGE
    hello-pod   1/1     Running   0          15s

Creating a Deployment
To use a private repository in a Deployment, you specify imagePullSecrets inside the Pod template, not at the top level of the Deployment spec.

For example, to create a Deployment of the hello-app image, create a file named hello-deployment.yaml with the following contents:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: hello-app-deployment
    spec:
      selector:
        matchLabels:
          app: products
          department: sales
      replicas: 3
      template:
        metadata:
          labels:
            app: products
            department: sales
        spec:
          containers:
          - name: hello
            image: "gcr.io/project-id/hello-app:v1"
            env:
            - name: "PORT"
              value: "50001"
          imagePullSecrets:
          - name: gcr-secret

Apply the configuration to your cluster with kubectl.

    env HTTPS_PROXY=http://localhost:8118 \
      kubectl apply -f hello-deployment.yaml

Confirm your Deployment is running with kubectl get pods.

    env HTTPS_PROXY=http://localhost:8118 \
      kubectl get pods --selector=app=products

The output contains three Running pods.

    NAME                                    READY   STATUS    RESTARTS   AGE
    hello-app-deployment-67d9c6d98c-b69f2   1/1     Running   0          14m
    hello-app-deployment-67d9c6d98c-d6k5c   1/1     Running   0          14m
    hello-app-deployment-67d9c6d98c-p2md5   1/1     Running   0          14m
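A Pod whose imagePullSecrets is missing, or placed at the wrong level of a Deployment, fails at image pull time rather than at apply time, so it is worth checking manifests before they reach the cluster. The following Python script is an added example, not part of the original page or of GKE on AWS: it locates the Pod spec for the Pod and Deployment shapes shown above (and the other common controllers, which embed a Pod template the same way), and lists every gcr.io image that would be pulled without the named secret. The manifests are the page's own Pod and Deployment written as Python dicts (the JSON form Kubernetes also accepts), plus a constructed Deployment with imagePullSecrets misplaced under spec instead of spec.template.spec, the mistake the text warns about.

```python
# Registry hosts that require the pull secret; gcr.io plus regional hosts such as us.gcr.io.
PRIVATE_HOST = "gcr.io"

HELLO_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "hello-pod"},
    "spec": {
        "containers": [{"name": "hello-container", "image": "gcr.io/project-id/hello-app:v1"}],
        "imagePullSecrets": [{"name": "gcr-secret"}],
    },
}

HELLO_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "hello-app-deployment"},
    "spec": {
        "selector": {"matchLabels": {"app": "products", "department": "sales"}},
        "replicas": 3,
        "template": {
            "metadata": {"labels": {"app": "products", "department": "sales"}},
            "spec": {
                "containers": [{"name": "hello", "image": "gcr.io/project-id/hello-app:v1",
                                "env": [{"name": "PORT", "value": "50001"}]}],
                "imagePullSecrets": [{"name": "gcr-secret"}],
            },
        },
    },
}

# Constructed mistake: the secret reference sits on the Deployment spec, where
# Kubernetes ignores it, instead of inside the Pod template.
MISPLACED_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "hello-app-deployment"},
    "spec": {
        "selector": {"matchLabels": {"app": "products"}},
        "replicas": 3,
        "imagePullSecrets": [{"name": "gcr-secret"}],
        "template": {
            "metadata": {"labels": {"app": "products"}},
            "spec": {"containers": [{"name": "hello", "image": "gcr.io/project-id/hello-app:v1"}]},
        },
    },
}


def pod_spec_of(manifest: dict) -> dict:
    """Return the Pod spec: spec for a Pod, spec.template.spec for template-based controllers."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest["spec"]
    if kind in ("Deployment", "ReplicaSet", "StatefulSet", "DaemonSet", "Job"):
        return manifest["spec"]["template"]["spec"]
    if kind == "CronJob":
        return manifest["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    raise ValueError(f"unsupported kind {kind!r}")


def is_private_image(image: str) -> bool:
    """True for images hosted on gcr.io or a regional *.gcr.io host."""
    host = image.split("/", 1)[0]
    return host == PRIVATE_HOST or host.endswith("." + PRIVATE_HOST)


def images_missing_pull_secret(manifest: dict, secret_name: str) -> list:
    """Private-registry images (containers and initContainers) not covered by secret_name."""
    spec = pod_spec_of(manifest)
    referenced = {entry.get("name") for entry in spec.get("imagePullSecrets", [])}
    if secret_name in referenced:
        return []
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return [c["image"] for c in containers if is_private_image(c["image"])]


if __name__ == "__main__":
    for m in (HELLO_POD, HELLO_DEPLOYMENT, MISPLACED_DEPLOYMENT):
        missing = images_missing_pull_secret(m, "gcr-secret")
        print(m["kind"], m["metadata"]["name"], "OK" if not missing else f"missing secret for {missing}")
```

Run it over a manifest you are about to apply (after loading the YAML with your preferred parser into the same dict form); an empty list means every gcr.io image will be pulled with the secret, a non-empty list names the images that would fail with ImagePullBackOff.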
What's next
- Read the Container Registry overview.