Kubernetes and insecure registry

9/11/2018

I am wondering whether it could work...

We have services FOO and BAR; they are running in the same cluster as the Docker Registry. Let's imagine this cluster is for production, not for development.

We have a CI/CD system which is responsible for building images and pushing them to the Docker registry.

The Docker registry is used only in the Kubernetes private network; we won't push or pull images outside of the cluster, because... why should I do that?

+-----------------------------------------------+
|                                               |
|                           KUBERNETES          |
|    +-------+                                  |
|    | VCS   |          +----------+            |
|    |       <----------+          |            |
|    |       |          | CI/CD    |            |
|    +-------+  +-------+          |            |
|               |       +----------+            |
|               |                               |
|               |             +-----+           |
|      +--------v-----+ <-----+FOO  |           |
|      | INSECURE     |       +-----+           |
|      | DOCKER       |           +-------+     |
|      | REGISTRY     | <---------+BAR    |     |
|      +--------------+           +-------+     |
+-----------------------------------------------+
                                      ^
                                      |
                                      |
                                      +
                                  USERS

Is it possible to create a Docker registry with a self-signed certificate, and set up Kubernetes to trust this registry?

Or is this overhead, and is it better to just use a good certificate and go over the public network?

Where do you store production-ready Docker images, and where for staging?

-- Alexander Kondaurov
docker-registry
kubernetes

2 Answers

9/12/2018

Where do you store production-ready Docker images, and where for staging?

Generally, the images should be the same for staging and production. There is no reason to store them separately.

Or is this overhead, and is it better to just use a good certificate and go over the public network?

From a usage perspective, there is no big difference between internal PKI certificates and public services like Verisign, Symantec, etc. The main difference is how secure and reliable the issuing services are.

Is it possible to create a Docker registry with a self-signed certificate, and set up Kubernetes to trust this registry?

According to Kubernetes documentation:

A Kubernetes cluster uses a Secret of type docker-registry to authenticate with a container registry to pull a private image.

Create this Secret, naming it regcred:

kubectl create secret docker-registry regcred --docker-server=your-registry-server --docker-username=your-name --docker-password=your-pword --docker-email=your-email

where:

  • your-registry-server is your Private Docker Registry FQDN. (https://index.docker.io/v1/ for DockerHub)
  • your-name is your Docker username.
  • your-pword is your Docker password.
  • your-email is your Docker email.

You have successfully set your Docker credentials in the cluster as a Secret called regcred.

To understand the contents of the regcred Secret you just created, start by viewing the Secret in YAML format:

kubectl get secret regcred --output=yaml

To understand what is in the .dockerconfigjson field, convert the secret data to a readable format:

kubectl get secret regcred --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode

Create a Pod that uses your Secret:

apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    image: <your-private-image>
  imagePullSecrets:
  - name: regcred

Helpful articles:

A slightly different approach is described in the following article. It secures the Ingress instead of the registry itself.

-- VAS
Source: StackOverflow
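To make the two kubectl/base64 commands in the answer concrete, here is an added example (not from the answer or the Kubernetes documentation) that rebuilds the .dockerconfigjson structure the regcred Secret stores and then decodes it back the same way `kubectl get secret regcred ... | base64 --decode` does. The registry host, user name and password are constructed placeholders. What it shows is that the Secret holds the registry password in clear text under base64, so anyone with `get` on Secrets in that namespace can read it; pull credentials should therefore be scoped to the namespace and belong to a read-only registry account.

```shell
#!/bin/sh
# Added example, not part of the original answer: reproduces the structure of the
# .dockerconfigjson payload that `kubectl create secret docker-registry regcred ...`
# stores, then decodes it the way `kubectl get secret regcred -o jsonpath=... | base64 --decode`
# would. Registry host, user, password and e-mail below are constructed placeholders.

# make_dockerconfigjson SERVER USER PASSWORD EMAIL
# Prints the JSON document kubectl builds from the --docker-* flags. The "auth"
# field is just base64("user:password"); nothing here is encrypted.
make_dockerconfigjson() {
    auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
        "$1" "$2" "$3" "$4" "$auth"
}

# encode_secret_data JSON
# Base64-encodes the JSON as a single line, which is how it appears under
# data.".dockerconfigjson" in `kubectl get secret regcred -o yaml`.
encode_secret_data() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# decode_secret_data DATA
# Reverses encode_secret_data (the `| base64 --decode` step from the answer).
decode_secret_data() {
    printf '%s' "$1" | base64 --decode
}

# recover_password DATA
# Shows what anyone with `get` on Secrets in the namespace can read: the registry
# password in clear text, taken from the decoded "auth" field.
recover_password() {
    decode_secret_data "$1" \
        | sed 's/.*"auth":"\([^"]*\)".*/\1/' \
        | base64 --decode \
        | cut -d: -f2-
}

# Stand-alone run: build, encode, decode, recover (all values constructed).
json=$(make_dockerconfigjson "registry.cluster.local:5000" "ci-bot" "c0nstructed-pw" "ci@example.invalid")
data=$(encode_secret_data "$json")
echo "stored data field: $data"
echo "decoded:           $(decode_secret_data "$data")"
echo "password visible:  $(recover_password "$data")"
```

On a real cluster the same two steps are `kubectl create secret docker-registry regcred --docker-server=... --docker-username=... --docker-password=...` followed by `kubectl get secret regcred --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode`; the script only reproduces what those produce so it can run offline.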

9/12/2018

Well, this looks like a very theoretical question. The only question which could be answered unequivocally is:

Is it possible to create a Docker registry with a self-signed certificate, and set up Kubernetes to trust this registry?

Of course, you can deploy your own Docker registry, e.g. Artifactory or something else. You definitely can create a self-signed certificate and use it, as well as you can use a certificate issued by one of the Certificate Authorities (note that it could be free, via Let's Encrypt, for example). Moving forward, to trust the registry or not is not Kubernetes' task. It is the runtime's task, e.g. Docker or rkt. So, if you want to use a private registry, you will have to configure the runtime's client to work with your registry, no matter whether it is secure or not.

Everything else is not so clear-cut as we might think. The only thing I want to say is: practice shows that if you are going to do something, you have to do it your way.

-- Konstantin Vustin
Source: StackOverflow
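The answer's point that trusting the registry is the runtime's job, not Kubernetes', is shown below with an added example (not from the answer) for nodes whose runtime is the Docker daemon. It contrasts the two ways Docker can be made to accept a registry with a self-signed certificate: installing the registry's CA under /etc/docker/certs.d/<host:port>/ca.crt, which keeps TLS verification intact, versus listing the host under "insecure-registries" in daemon.json, which turns verification off and allows a fall-back to plain HTTP. The ROOT prefix, the registry host names and the CA file contents are constructed so the script runs against a scratch directory; on a node ROOT would be "/". Nodes running containerd or CRI-O configure registry trust in those runtimes' own config files, so only the Docker layout is shown.

```shell
#!/bin/sh
# Added example, not part of the original answer: the two ways a Docker daemon can be
# made to accept a registry that serves a self-signed certificate, plus a helper that
# reports which one a node is using. ROOT is a prefix for the real paths so the script
# runs against a scratch directory; on a node it would be "/" (i.e. /etc/docker/...).
# Registry host names and the CA file used here are constructed placeholders.

# trust_registry_ca ROOT HOST CA_PEM
# Preferred: install the registry's CA certificate so TLS is still verified.
# Docker looks for $ROOT/etc/docker/certs.d/<host[:port]>/ca.crt.
trust_registry_ca() {
    dir="$1/etc/docker/certs.d/$2"
    mkdir -p "$dir" || return 1
    cp "$3" "$dir/ca.crt" && chmod 0644 "$dir/ca.crt"
}

# allow_insecure_registry ROOT HOST
# Weak alternative: list the host under "insecure-registries" in daemon.json. The
# daemon then skips certificate verification and may fall back to plain HTTP, so an
# on-path party could substitute image content. Shown only for the contrast.
allow_insecure_registry() {
    mkdir -p "$1/etc/docker" || return 1
    printf '{\n  "insecure-registries": ["%s"]\n}\n' "$2" > "$1/etc/docker/daemon.json"
}

# registry_trust_status ROOT HOST
# Prints one of: ca-trusted | insecure | untrusted
registry_trust_status() {
    if [ -s "$1/etc/docker/certs.d/$2/ca.crt" ]; then
        echo ca-trusted
    elif [ -f "$1/etc/docker/daemon.json" ] \
         && grep -qF '"insecure-registries"' "$1/etc/docker/daemon.json" \
         && grep -qF "\"$2\"" "$1/etc/docker/daemon.json"; then
        echo insecure
    else
        echo untrusted
    fi
}

# Stand-alone demo against a scratch root with a placeholder CA file.
demo_root=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n' > "$demo_root/ca.pem"
trust_registry_ca "$demo_root" "registry.cluster.local:5000" "$demo_root/ca.pem"
echo "registry.cluster.local:5000 -> $(registry_trust_status "$demo_root" registry.cluster.local:5000)"
echo "other.registry.local        -> $(registry_trust_status "$demo_root" other.registry.local)"
rm -rf "$demo_root"
```

The host directory name must match the image reference exactly, including the port (registry.cluster.local:5000), and the daemon must be restarted after either change; auditing nodes for the "insecure" status is a quick way to find registries whose pulls are not verified.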