Overview

Container registries can be secured to prevent unauthorized entities from accessing images.

Kubernetes provides a feature called imagePullSecrets that allows pods to pull private docker images. To connect to container registry, you have to add an ImagePullSecrets field to the configuration for a Kubernetes service account.

This is a type of Kubernetes secret that contains credential information. An imagePullSecrets is an authorization token, also known as a secret, that stores credentials for accessing a container registry.

Challenges¶

It is operationally cumbersome to MANUALLY provision and manage Image Pull Secrets on a fleet of Kubernetes clusters
It is an INSECURE practice to manually handle secrets
It is BAD HYGIENE to have unused, dangling imagePullSecrets on clusters where the workload is no longer operational.

Our Solution¶

We have invested in developing deep integrations with Container Registry providers such as DockerHub (public, private), Amazon ECR, Google GCR, JFrog, Nexus etc.

Project Admins can securely create, store and manage imagePullSecrets for their private container registry repos.
Developers can use these as "references/pointers" in their workloads
The Controller will securely deliver and automatically provision/deprovision the imagePullSecrets on the clusters where the workloads need to be deployed.

Benefits¶

No manual handling of imagePullSecrets by developers or operations
No need to embed imagePullSecrets in Kubernetes yaml files
Secure (encrypted) delivery of imagePullSecrets to managed clusters
Automated provisioning and deprovisioning of imagePullSecrets on clusters where workloads are deployed
No dangling or orphaned imagePullSecrets on clusters
Can rotate/refresh imagePullSecrets centrally and have it transparently apply on all managed clusters

Tested Integrations¶

Any Docker Compatible Registry should work. In addition, we test compatibility with the following providers with every release.

System (Integrated Registry)
Docker Hub (Public)
Docker Hub (Private)
AWS ECR
Azure ACR
GCP GCR
Quay by RedHat
Nexus by Sonatype
JFrog Artifactory
Microsoft MCR

Amazon ECR¶

Amazon's Elastic Container Registry is a fully-managed Docker container registry that allows developers to store, manage, and deploy Docker container images. Amazon ECR hosts container images in a highly available and scalable architecture.

Access to Amazon ECR requires client authentication. Successful authentication to an ECR registry provides an authorization token that is valid ONLY for 12 hours. Requiring authenticating every 12 hours ensures appropriate token rotation to protect against misuse.

Customer Challenge¶

Users that use Amazon ECR as their container registry but wish to pull container images on "Non Amazon" Kubernetes infrastructure will have to deal with constantly expiring authorization tokens

The ECR Credential Helper¶

We have developed a Kubernetes CRD that will ensure that ECR authentication tokens are AUTOMATICALLY refreshed before they expire. This ensures that applications operating on non Amazon Kubernetes infrastructure can seamlessly access container images from Amazon ECR on an ongoing basis.

Manage Registry Integration¶

Project Admins can configure Registries in the Web Console

Under Integrations, Select Registry
Create Registry
Select Registry type

Enter access credentials

The credentials are encrypted before they are stored. See Security section for additional details on Key Management.

Registry Creation Success¶

On successful registry creation, user can view the list in the Container Registries page and perform a few actions if required

Display Annotation icon to view the annotation attached to this container registry. Use the copy icon to use the annotation for deploying a workload.
Validate icon to check the registry valid/invalid status
Edit icon to make any changed to the existing registries
Delete icon to remove the unnecessary registries from the system

Use Registry Integration¶

Once a registry integration has been created by a Project Admin, it can be referenced and used in workloads operating in the Project.

Workload Wizard¶

For the wizard based workloads,

Select the registry integration from the dropdown
Enter the repository and tag

During deployment of the workload, the controller will automatically provision the imagePullSecrets to the targeted clusters.

Annotations for Yaml or Helm¶

For Kubernetes YAML and Helm based workloads, we provide "annotations" that can be quickly added to an existing k8s yaml or Helm values.yaml Annotation that has to be specified in the yaml file can be retrieved as below.

Under Integrations, Select Registries
Select the Registry that you have configured previously
Under Actions, Select Display Annotation to copy the annotation.

  annotations:
    rafay.dev/registry-key1:value1
    rafay.dev/registry-key2:value2

The reason for different keys is to ensure support for situations with pod specs with multiple containers where the registries from which images needs to be pulled are different.

As a result, the registry annotations need to contain references for multiple registry instances.

Here is an example of a k8s Deployment YAML that will pull the images from Amazon ECR.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: km-nginx2
  annotations:
   rafay.dev/registry-ecr: km-ecr
spec:
  selector:
    matchLabels:
      app: km-nginx2
  replicas: 1
  template:
    metadata:
      labels:
        app: km-nginx2
    spec:
      containers:
      - name: km-nginx2
        image: 679196758854.dkr.ecr.us-east-1.amazonaws.com/km-nginx:1.17
        ports:
        - containerPort: 80

System Registry¶

An integrated system container registry is available for non-production use (e.g. testing, demos etc.). This registry is based on Docker Registry v2 and also hosts community template container images.

Follow the instructions on how to authenticate and use the system registry.