For security, you should run your own Docker registry inside your Kubernetes cluster instead of relying on a public one. In this article, I share a private registry setup on Kubernetes.
1. Prepare
```text
k8s-master   – 192.168.1.40 – CentOS 7
k8s-worker-1 – 192.168.1.41 – CentOS 7
k8s-worker-2 – 192.168.1.42 – CentOS 7
```
2. Installation steps
First, create the certificate and registry storage directories on all nodes:
```shell
sudo mkdir /opt/certs /opt/registry
```
Log in to the master node and use openssl to generate a self-signed certificate for the registry (note that recent Docker versions also require the certificate to carry a subjectAltName matching the registry host name, which this basic command does not add):
```shell
$ cd /opt
$ sudo openssl req -newkey rsa:4096 -nodes -sha256 -keyout ./certs/registry.key \
    -x509 -days 365 -out ./certs/registry.crt
```
Answer the prompts (country, organization, common name and so on) and press Enter.
Check the newly created certificate and key:
```shell
[kadmin@k8s-master opt]$ ls -l certs/
total 8
-rw-r--r--. 1 root root 2114 Sep 26 03:26 registry.crt
-rw-r--r--. 1 root root 3272 Sep 26 03:26 registry.key
[kadmin@k8s-master opt]$
```
Copy these two files to the /opt/certs directory on each worker node.
On the master node, create a file named private-registry.yaml with the following content:
```shell
[kadmin@k8s-master ~]$ mkdir docker-repo
[kadmin@k8s-master ~]$ cd docker-repo/
[kadmin@k8s-master docker-repo]$ vi private-registry.yaml
```
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: private-repository-k8s
  labels:
    app: private-repository-k8s
spec:
  replicas: 1
  selector:
    matchLabels:
      app: private-repository-k8s
  template:
    metadata:
      labels:
        app: private-repository-k8s
    spec:
      volumes:
      - name: certs-vol
        hostPath:
          path: /opt/certs
          type: Directory
      - name: registry-vol
        hostPath:
          path: /opt/registry
          type: Directory
      containers:
      - image: registry:2
        name: private-repository-k8s
        imagePullPolicy: IfNotPresent
        env:
        - name: REGISTRY_HTTP_TLS_CERTIFICATE
          value: "/certs/registry.crt"
        - name: REGISTRY_HTTP_TLS_KEY
          value: "/certs/registry.key"
        ports:
        - containerPort: 5000
        volumeMounts:
        - name: certs-vol
          mountPath: /certs
        - name: registry-vol
          mountPath: /var/lib/registry
```
Save and exit the YAML file, then create the deployment with kubectl:
```shell
[kadmin@k8s-master docker-repo]$ kubectl create -f private-registry.yaml
deployment.apps/private-repository-k8s created
[kadmin@k8s-master docker-repo]$
```
Check the status of the registry deployment and the pod it created:
```shell
[kadmin@k8s-master ~]$ kubectl get deployments private-repository-k8s
NAME                     READY   UP-TO-DATE   AVAILABLE   AGE
private-repository-k8s   1/1     1            1           3m32s
[kadmin@k8s-master ~]$
[kadmin@k8s-master ~]$ kubectl get pods | grep -i private-repo
private-repository-k8s-85cf76b9d7-qsjxq   1/1     Running   0          5m14s
[kadmin@k8s-master ~]$
```
Copy the registry certificate from /opt/certs to /etc/pki/ca-trust/source/anchors on all nodes, update the system CA trust store and restart Docker so the daemon trusts the registry's certificate:
```shell
$ sudo cp /opt/certs/registry.crt /etc/pki/ca-trust/source/anchors/
$ sudo update-ca-trust
$ sudo systemctl restart docker
```
To expose the registry as a NodePort service, create another YAML file with the following content:
```shell
[kadmin@k8s-master ~]$ cd docker-repo/
[kadmin@k8s-master docker-repo]$ vi private-registry-svc.yaml
```
```yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: private-repository-k8s
  name: private-repository-k8s
spec:
  ports:
  - port: 5000
    nodePort: 31320
    protocol: TCP
    targetPort: 5000
  selector:
    app: private-repository-k8s
  type: NodePort
```
Save and exit the file, then run the command below to create the service:
```shell
$ kubectl create -f private-registry-svc.yaml
service/private-repository-k8s created
```
Check the status of the NodePort service just created:
```shell
[kadmin@k8s-master ~]$ kubectl get svc private-repository-k8s
NAME                     TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
private-repository-k8s   NodePort   10.100.113.39   <none>        5000:31320/TCP   2m1s
[kadmin@k8s-master ~]$
```
Now test the registry from the master node by pulling the nginx image, tagging it for the private registry and pushing it:
```shell
$ sudo docker pull nginx
$ sudo docker tag nginx:latest k8s-master:31320/nginx:1.17
$ sudo docker push k8s-master:31320/nginx:1.17
```
List the local images to confirm that the tag pointing at the private registry exists alongside the original nginx image (the push output above is what confirms the upload itself):
```shell
[kadmin@k8s-master ~]$ sudo docker image ls | grep -i nginx
nginx                    latest   7e4d58f0e5f3   2 weeks ago   133MB
k8s-master:31320/nginx   1.17     7e4d58f0e5f3   2 weeks ago   133MB
[kadmin@k8s-master ~]$
```
Now deploy a basic nginx that uses the image from the private registry above.
```shell
[kadmin@k8s-master ~]$ vi nginx-test-deployment.yaml
```
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-test-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx-1-17
        image: k8s-master:31320/nginx:1.17
        ports:
        - containerPort: 80
```
Save and exit the file, then run the following commands to create the deployment and check its status:
```shell
[kadmin@k8s-master ~]$ kubectl create -f nginx-test-deployment.yaml
deployment.apps/nginx-test-deployment created
[kadmin@k8s-master ~]$ kubectl get deployments nginx-test-deployment
NAME                    READY   UP-TO-DATE   AVAILABLE   AGE
nginx-test-deployment   3/3     3            3           13s
[kadmin@k8s-master ~]$
[kadmin@k8s-master ~]$ kubectl get pods | grep nginx-test-deployment
nginx-test-deployment-f488694b5-2rvmv   1/1     Running   0          80s
nginx-test-deployment-f488694b5-8kb6c   1/1     Running   0          80s
nginx-test-deployment-f488694b5-dgcxl   1/1     Running   0          80s
[kadmin@k8s-master ~]$
```
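If the registry has been configured to require a username and password, the kubelet on each worker needs credentials to pull from it. As an added example (not part of the original article), the same test Deployment wired to a Kubernetes pull Secret; the Secret name regcred and the credentials in the comment are assumptions.

```yaml
# Assumed pre-created pull Secret (hypothetical name regcred), holding the same
# user/password that the registry's htpasswd file contains, for example:
#   kubectl create secret docker-registry regcred --docker-server=k8s-master:31320 \
#     --docker-username=<user> --docker-password=<password>
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-test-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      imagePullSecrets:
      - name: regcred             # kubelet presents these credentials on pull
      containers:
      - name: nginx-1-17
        image: k8s-master:31320/nginx:1.17
        ports:
        - containerPort: 80
```

Without the imagePullSecrets entry the pods stay in ImagePullBackOff, and `kubectl describe pod` shows the 401 returned by the registry.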
View the newly created pod in more detail:
```shell
$ kubectl describe pod nginx-test-deployment-f488694b5-2rvmv
```
The output is below:
So, I have guided you through building a private registry for your project with Docker and Kubernetes. Thank you for reading, and see you in the next post. Best regards and good luck.