Continuing with the theme of running K8S on AWS, why not keep your container images there as well? EC2 Container Registry (ECR) is a new service from Amazon that lets you store your images in the same datacenters your containers run in.
But, because ECR does not use a static username and password, and instead hands out short-lived tokens through the AWS API, giving K8S the credentials it needs to pull your images is a bit tricky. First off we're going to use the AWS CLI. Running the command:
    aws ecr get-login
Gives us the result:
    docker login -u AWS -p CiBwm0YaISJ... -e none https://[accountnum].dkr.ecr.us-east-1.amazonaws.com
Running that docker login command writes the credentials into ~/.docker/config.json, which the Docker client then uses to push and pull images to and from ECR.
But how do we get this file to the K8S nodes that will ultimately pull these images? By using
When deploying to K8S, whether locally or from CI, we first run:
    $ aws ecr get-login | sh -
    # base64 -w 0 disables line wrapping (GNU coreutils); with BSD/macOS base64 pipe through tr -d '\n' instead
    $ cat > /tmp/image-pull-secret.yaml << EOF
    apiVersion: v1
    kind: Secret
    metadata:
      name: myregistrykey
    data:
      .dockerconfigjson: $(cat ~/.docker/config.json | base64 -w 0)
    type: kubernetes.io/dockerconfigjson
    EOF
    $ kubectl [create/replace] -f /tmp/image-pull-secret.yaml
And then make sure our pod definition includes:
    metadata:
      name: my-pod
      labels:
        name: my-pod
    spec:
      imagePullSecrets:        # <-- Important bit here
        - name: myregistrykey
      containers:
        - image: [accountnum].dkr.ecr.us-east-1.amazonaws.com/my-container:latest
          name: my-container
Now the kubelet on each K8S node can present the ECR token when it pulls the image for a new pod. The Secret has to live in the same namespace as the pod that references it.
Note: the token that aws ecr get-login writes into ~/.docker/config.json is only valid for 12 hours. Rerun these steps on every deploy, and if a pod can be rescheduled or restarted more than 12 hours after the last deploy (node replacement, autoscaling), refresh the Secret on a schedule too; otherwise those pulls fail and the pod sits in ImagePullBackOff. Also treat the Secret as sensitive: anyone who can read Secrets in that namespace gets a token carrying the ECR permissions of whichever IAM identity ran get-login, so run it as an identity that can only pull, not push.
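As an added example (not code from the original post), the script below does the same job as the steps above without staging the token in ~/.docker/config.json on the CI host: it parses the single docker login line that aws ecr get-login prints, builds the same auths JSON that docker login would write, wraps it in a kubernetes.io/dockerconfigjson Secret manifest, and sanity-checks a manifest before it is applied. The secret name myregistrykey matches the post; the account number and token in SAMPLE_LOGIN are constructed test data, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a Kubernetes
# image-pull Secret straight from the line `aws ecr get-login` prints, so
# the 12-hour ECR token never has to be written to ~/.docker/config.json
# on the CI host. Function names and SAMPLE_LOGIN are assumptions/test data.

# Constructed sample of the get-login output: fake account, fake token
# (a real token is an opaque string of roughly 1.5 KiB).
SAMPLE_LOGIN='docker login -u AWS -p TESTTOKEN -e none https://123456789012.dkr.ecr.us-east-1.amazonaws.com'

# base64 without line wrapping. GNU base64 wraps at 76 columns unless
# given -w 0, and BSD/macOS base64 has no -w flag, so strip newlines.
b64() {
    base64 | tr -d '\n'
}

# Split the `docker login -u USER -p TOKEN -e none URL` line into
# "USER TOKEN URL". Fails if any part is missing, so a malformed or empty
# line (e.g. the CLI printed an error instead) never becomes a Secret.
parse_get_login() {
    user='' token='' url='' prev=''
    for word in $1; do
        case $prev in
            -u) user=$word ;;
            -p) token=$word ;;
        esac
        case $word in
            https://*) url=$word ;;
        esac
        prev=$word
    done
    [ -n "$user" ] && [ -n "$token" ] && [ -n "$url" ] || return 1
    printf '%s %s %s\n' "$user" "$token" "$url"
}

# Print the JSON that `docker login` would have written to
# ~/.docker/config.json: the "auth" value is base64("USER:TOKEN").
docker_config_json() {
    fields=$(parse_get_login "$1") || return 1
    set -- $fields
    auth=$(printf '%s:%s' "$1" "$2" | b64)
    printf '{"auths":{"%s":{"auth":"%s"}}}' "$3" "$auth"
}

# Print a kubernetes.io/dockerconfigjson Secret manifest.
# $1 = secret name (the post uses myregistrykey), $2 = the get-login line.
pull_secret_manifest() {
    cfg=$(docker_config_json "$2") || return 1
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' \
        "$1" "$(printf '%s' "$cfg" | b64)"
}

# Sanity-check a manifest before applying it: the Secret must decode to an
# auths entry for an ECR registry whose credential is "AWS:<token>".
check_pull_secret() {
    data=$(printf '%s\n' "$1" | sed -n 's/^  \.dockerconfigjson: //p')
    [ -n "$data" ] || return 1
    cfg=$(printf '%s' "$data" | base64 -d)      # GNU/BusyBox; macOS: -D
    printf '%s' "$cfg" | grep -q '"https://[^"]*\.dkr\.ecr\.[^"]*\.amazonaws\.com"' || return 1
    auth=$(printf '%s' "$cfg" | sed -n 's/.*"auth":"\([^"]*\)".*/\1/p')
    case "$(printf '%s' "$auth" | base64 -d)" in
        AWS:?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone use:  sh make-pull-secret.sh "$(aws ecr get-login)" | kubectl replace -f -
# With no argument the constructed sample is used.
pull_secret_manifest myregistrykey "${1:-$SAMPLE_LOGIN}"
```

Scheduling `sh make-pull-secret.sh "$(aws ecr get-login)" | kubectl replace -f -` more often than every 12 hours keeps the Secret valid between deploys, which is what lets pods that are rescheduled later still pull.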
Eric Koslow, cofounder of Lattice, has been writing a series of blog posts (check them out!) on setting up Kubernetes on AWS. At Lattice, Eric creates software to help companies set and manage their goals. -Mackenzie