How to access gcloud private repository on on-premise kubernetes cluster?

5/3/2018

We have a Kubernetes cluster running on-premise, and we have a GCR private repository. How can we access that private repository from our on-premise Kubernetes cluster? As far as I know, we can do it using gcloud-sdk, but it won't be possible to install gcloud-sdk on every node of the Kubernetes cluster.

-- Sachin Arote
google-container-registry
kubelet
kubernetes

2 Answers

5/9/2018

We used to deploy pods on an Azure AKS cluster, and the images used to be from GCR. These are the steps we follow.

  1. Create a service account in gcloud with permissions to gcr.
  2. Create keys for the service account.
  3. Add kubectl secret.
  4. Use secret in yaml

gcloud iam service-accounts keys create gcr-docker-cred.json --iam-account=service-account-name@project-id.iam.gserviceaccount.com

Add kubectl secret.

kubectl create secret docker-registry gcriosecret --docker-server=https://gcr.io --docker-username=_json_key --docker-email=user@example.com --docker-password="$(cat gcr-docker-cred.json)"

Use secret in yaml

imagePullSecrets:
- name: gcriosecret

This blog might be a good help.

-- sudhi
Source: StackOverflow
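
What the `docker-registry` secret from the answer above actually stores, as an added example that is not part of the original post: the Secret carries the complete service-account key, base64-encoded rather than encrypted, so anyone who can read the Secret holds the key. The function names `build_pull_secret` and `inspect_pull_secret` and the sample key values are constructed for illustration; the inspector reports only which key is embedded (`client_email`, `private_key_id`), which is what you need when rotating or auditing it.

```python
import base64
import json

def build_pull_secret(name, key_json, server="https://gcr.io", email="user@example.com"):
    """Return a kubernetes.io/dockerconfigjson Secret manifest (dict) embedding a
    GCP service-account key, the same layout kubectl create secret docker-registry writes."""
    key = json.loads(key_json)  # fail early on a truncated or corrupt key file
    if not isinstance(key, dict) or key.get("type") != "service_account":
        raise ValueError("not a service-account key file")
    auth = base64.b64encode(f"_json_key:{key_json}".encode()).decode()
    cfg = {"auths": {server: {"username": "_json_key", "password": key_json,
                              "email": email, "auth": auth}}}
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name},
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(cfg).encode()).decode()},
    }

def inspect_pull_secret(secret):
    """Decode a Secret (e.g. the output of kubectl get secret NAME -o json) and report
    which service-account key each registry entry carries, never the private key."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a docker-registry secret")
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    report = []
    for server, entry in cfg.get("auths", {}).items():
        row = {"server": server, "username": entry.get("username"), "sa_key": False}
        if entry.get("username") == "_json_key":
            try:
                key = json.loads(entry.get("password") or "")
            except ValueError:
                key = {}
            if isinstance(key, dict) and key.get("type") == "service_account":
                row.update(sa_key=True, client_email=key.get("client_email"),
                           private_key_id=key.get("private_key_id"))
        report.append(row)
    return report

# Constructed sample key: same field names as a real key file, fake values.
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "project-id",
    "private_key_id": "0000constructed0000",
    "private_key": "CONSTRUCTED-NOT-A-REAL-KEY",
    "client_email": "service-account-name@project-id.iam.gserviceaccount.com",
})

if __name__ == "__main__":
    secret = build_pull_secret("gcriosecret", SAMPLE_KEY)
    print(json.dumps(inspect_pull_secret(secret), indent=2))
```

Building the manifest from the key file and applying it with `kubectl apply -f` keeps the key out of the command line, and the reported `private_key_id` can be matched against the service account's key list before revoking an old key.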

5/7/2018

Kubernetes clusters running on GKE or GCE have native support for accessing the container registry and need no further configuration.

As you mentioned, you are running an on-premises cluster, so you are not running any of these and only use the container registry from GCP. While I haven't had the chance to test this (I don't have a cluster outside Google Cloud), the process shouldn't be different from the process for pulling an image from a private registry.

In your case you can create a secret with the auth credentials for the gcr.io registry like this:

kubectl create secret docker-registry regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>

your-registry-server in this case will probably be https://gcr.io/[your-project-id]

When you have created the secret named regcred, you can configure pods to use it for pulling the desired image from the registry by adding imagePullSecrets like this:

apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    image: [The image you want to pull]
  imagePullSecrets:
  - name: regcred

Then you can test if the image is correctly pulled by deploying this pod:

kubectl create -f [your pod yaml]

Wait for the pod to be created, then describe the pod with kubectl describe pod private-reg. You should see an event sequence similar to:

Events:
  Type    Reason                 Age   From                                                Message
  ----    ------                 ----  ----                                                -------
  Normal  Scheduled              4m    default-scheduler                                   Successfully assigned private-reg to gke-cluster-22-default-pool-e7830b6c-pxmt
  Normal  Pulling                4m    kubelet, gke-cluster-22-default-pool-e7830b6c-pxmt  pulling image "gcr.io/XXX/XXX:latest"
  Normal  Pulled                 3m    kubelet, gke-cluster-22-default-pool-e7830b6c-pxmt  Successfully pulled image "gcr.io/XXX/XXX:latest"
  Normal  Created                3m    kubelet, gke-cluster-22-default-pool-e7830b6c-pxmt  Created container
  Normal  Started                3m    kubelet, gke-cluster-22-default-pool-e7830b6c-pxmt  Started container
-- Jordi Miralles
Source: StackOverflow