Continuing with the theme of running K8S off of AWS, why not register your containers there as well? EC2 Container Registry is a new service from Amazon that enables you to store your containers in the same datacenters that your containers run from.

But, due to how Amazon handles security with ECR, giving K8S the proper authentication to pull your containers is a bit tricky. First off we're going to use the AWS CLI. Running the command:

aws ecr get-login

Gives us the result:

docker login -u AWS -p CiBwm0YaISJ... -e none https://[accountnum].dkr.ecr.us-east-1.amazonaws.com

Which is the command we can use to generate a ~/.docker/config.json that we can then use to push and pull images to/from ECR.

But how do we get this file to our K8S controllers that will be ultimately pull this images? By using ImagePullSecrets.

When we are deploying K8S, locally or on CI, we first run:

$ aws ecr get-login | sh -
$ cat > /tmp/image-pull-secret.yaml << EOF 
apiVersion: v1     
kind: Secret
metadata:
  name: myregistrykey
data:
  .dockerconfigjson: $(cat ~/.docker/config.json | base64 -w 0)
type: kubernetes.io/dockerconfigjson
EOF
$ kubectl [create/replace] -f /tmp/image-pull-secret.yaml

And then make sure our pod definition includes:

metadata:
  name: my-pod
  labels:
    name: my-pod 
spec:
  imagePullSecrets: # <-- Important bit here
    - name: myregistrykey
  containers: 
      - image: [accountnum].dkr.ecr.us-east-1.amazonaws.com/my-container:latest
        name: my-container

Now our K8S nodes will have the permissions to pull the images when deploying our new containers.

Note: The ~/.docker/config.json that is generated from aws ecr get-login only lasts 12 hours. So make sure you run these scripts on every deploy to make sure you still have permission to pull images.

Eric Koslow, cofounder of Lattice, has been writing a series of blog posts (check them out!) on setting up Kubernetes on AWS. At Lattice, Eric creates software to help companies set and manage their goals. -Mackenzie

Update: Alex Kern of Pavlov put together a gist to automate this process using a Makefile. Check it out!