Container registries can be secured to prevent unauthorized entities from accessing images.
Kubernetes provides a feature called imagePullSecrets that allows pods to pull private Docker images. To connect to a container registry, you add an imagePullSecrets field to the configuration of a Kubernetes service account.
An imagePullSecret is a type of Kubernetes Secret that holds credential information: it stores the authorization token (the credentials) used to access a container registry.
We have invested in developing deep integrations with container registry providers such as DockerHub (public and private), Amazon ECR, Google GCR, JFrog, Nexus, etc.
Project Admins can securely create, store and manage imagePullSecrets for their private container registry repos.
Developers can use these as "references/pointers" in their workloads.
The Controller will securely deliver the imagePullSecrets and automatically provision/deprovision them on the clusters where the workloads need to be deployed.
Amazon's Elastic Container Registry is a fully-managed Docker container registry that allows developers to store, manage, and deploy Docker container images. Amazon ECR hosts container images in a highly available and scalable architecture.
Access to Amazon ECR requires client authentication. Successful authentication to an ECR registry provides an authorization token that is valid ONLY for 12 hours. Requiring re-authentication every 12 hours ensures appropriate token rotation to protect against misuse.
Users that use Amazon ECR as their container registry but wish to pull container images on non-Amazon Kubernetes infrastructure will have to deal with constantly expiring authorization tokens.
We have developed a Kubernetes CRD that will ensure that ECR authentication tokens are AUTOMATICALLY refreshed before they expire. This ensures that applications operating on non-Amazon Kubernetes infrastructure can seamlessly access container images from Amazon ECR on an ongoing basis.
For Kubernetes YAML and Helm based workloads, we provide "annotations" that can be quickly added to an existing Kubernetes YAML or Helm values.yaml.
The annotation that has to be specified in the YAML file can be retrieved as follows:
Under Integrations, select Registries.
Select the registry that you configured previously.
Under Actions, select Display Annotation to copy the annotation.
Different keys are used so that pod specs with multiple containers, whose images need to be pulled from different registries, are supported.
As a result, the registry annotations need to contain references to multiple registry instances.
Here is an example of a k8s Deployment YAML that will pull the images from Amazon ECR.
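As an added example, not code from the original page or the product it describes, the Python below shows the two pieces the text refers to: a kubernetes.io/dockerconfigjson Secret of the kind imagePullSecrets consume, and the mapping from a multi-container pod spec to the set of pull secrets it needs, flagging any registry for which no credential exists. Registry hosts, secret names and credentials are constructed placeholders.

```python
"""Build a dockerconfigjson pull secret and resolve imagePullSecrets for a pod spec."""
import base64
import json


def registry_host(image: str) -> str:
    """Return the registry host of an image reference (Docker Hub -> 'docker.io')."""
    if "/" not in image:
        return "docker.io"                      # e.g. 'nginx:1.25'
    first = image.split("/", 1)[0]
    # Docker's rule: the first path component is a host only if it looks like one.
    if "." in first or ":" in first or first == "localhost":
        return first
    return "docker.io"                          # e.g. 'library/nginx'


def dockerconfigjson_secret(name: str, host: str, user: str, password: str) -> dict:
    """Render the Secret manifest an imagePullSecrets entry points at."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    config = {"auths": {host: {"username": user, "password": password, "auth": auth}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name},
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(config).encode()).decode()},
    }


def auths_from_secret(secret: dict) -> dict:
    """Decode the 'auths' map out of a pull secret, e.g. to audit which hosts it covers."""
    return json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))["auths"]


def required_pull_secrets(pod_spec: dict, secrets_by_host: dict) -> tuple:
    """Return (imagePullSecrets list, registries with no credential) for every container."""
    names, missing = [], []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        host = registry_host(c["image"])
        secret = secrets_by_host.get(host)
        if secret is None and host not in missing:
            missing.append(host)                # pulls from here would fail (ImagePullBackOff)
        elif secret is not None and {"name": secret} not in names:
            names.append({"name": secret})
    return names, missing


# Constructed sample: three containers from three registries, credentials for only two.
SAMPLE_POD_SPEC = {"containers": [
    {"name": "app", "image": "123456789012.dkr.ecr.us-west-2.amazonaws.com/app:1.0"},
    {"name": "proxy", "image": "nginx:1.25"},
    {"name": "sidecar", "image": "ghcr.io/example/sidecar:2.0"}]}
SECRETS_BY_HOST = {"123456789012.dkr.ecr.us-west-2.amazonaws.com": "ecr-creds",
                   "docker.io": "dockerhub-creds"}

if __name__ == "__main__":
    pulls, missing = required_pull_secrets(SAMPLE_POD_SPEC, SECRETS_BY_HOST)
    print("imagePullSecrets:", pulls, "\nregistries without credentials:", missing)
```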
An integrated system container registry is available for non-production use (e.g. testing, demos, etc.). This registry is based on Docker Registry v2 and also hosts community template container images.
Follow the instructions on how to authenticate and use the system registry.