
Container Compute Service:Pull images from a Container Registry instance without using Secrets

Last Updated:Dec 09, 2024

Container Compute Service (ACS) allows you to pull images from Container Registry (ACR) without using Secrets, which improves both the efficiency and the security of image pulling. This topic describes how to pull images from a Container Registry instance in an ACS cluster without using a Secret.

Background information

Container Registry (ACR) provides secure hosting and efficient distribution services for a variety of standard cloud-native artifacts. Container Registry provides Personal Edition instances and Enterprise Edition instances. For more information, see What is Container Registry? For both editions of Container Registry instances, ACS provides a unified configuration method to pull images without using Secrets.

After you configure the secret-free service for the ACS cluster, the cluster automatically injects the authentication information that is required to pull images from the Container Registry instance. This simplifies the creation process, avoids exposing passwords, and strengthens security.

Note

You cannot pull an image without using Secrets if the image is not stored on a Container Registry instance, for example, images from Docker Hub or from self-managed repositories.

Prerequisites

Before you start, make sure that you have completed the following tasks:

  1. An ACS cluster is created. For more information, see Create an ACS cluster.

  2. A Container Registry instance is created, and related configurations such as image repositories and images are completed for the instance.

  3. If the Container Registry instance is an Enterprise Edition instance, the access method for the instance must be configured.

    By default, a newly created Container Registry Enterprise Edition instance is disconnected from all networks. You must configure access control lists (ACLs) to allow access to the instance over the Internet or virtual private clouds (VPCs).

    • Over the Internet: After you enable Internet access for an Enterprise Edition instance, you can access images in the Enterprise Edition instance across regions by using public endpoints of the Enterprise Edition instance. For more information, see Enable Internet access.

    • Over a VPC: To access a Container Registry Enterprise Edition instance over a VPC, you must enable the relevant authorization. For more information, see Configure a VPC ACL.

Usage notes

To pull private images, the aliyun-acr-credential-helper component needs to read the configuration that you specify in the console. After you configure the aliyun-acr-credential-helper component, the component generates a Secret in your cluster and associates the Secret with the service account that you specified in the acr-configuration ConfigMap. By default, all pods that use this service account use the generated Secret to pull images, so no password has to be configured in the pods.

Install and configure the aliyun-acr-credential-helper component

  1. Log on to the ACS console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its ID. In the left-side navigation pane, choose Operations > Add-ons.

  3. On the Add-ons page, click the Security tab, find the aliyun-acr-credential-helper (Managed) card, and then click Install in the lower-right corner of the card.


  4. On the Install aliyun-acr-credential-helper page, click + Add next to AcrInstanceInfo to add one or more Container Registry instances. Configure the aliyun-acr-credential-helper component, and then click OK. The following tables describe the parameters.

    1. Click + Add next to AcrInstanceInfo.

      Note

      The following content describes the configuration method in the default scenario:

      • If you want to pull images from a Container Registry Personal Edition instance, you can use the default parameters in the AcrInstanceInfo section.

      • If you want to pull images from a Container Registry Enterprise Edition instance, you must specify the instanceID parameter and use the default values for other parameters in the AcrInstanceInfo section.

      • instanceID
        Description: The ID of the Container Registry instance.
        Value: Find the instance that you created in Container Registry.
          • Enterprise Edition: View Instance ID in the Instance section. The value is a string that starts with cri-.
          • Personal Edition: Leave this parameter empty if you want to pull images from a Container Registry Personal Edition instance without using Secrets.
        By default, this parameter is left empty, which indicates that a Container Registry Personal Edition instance is selected.

      • regionID
        Description: The region ID of the Container Registry instance.
        Value: A region ID, such as cn-hangzhou if your instance resides in the China (Hangzhou) region.
        By default, the region of the ACS cluster is selected. Leave this parameter empty if the Container Registry instance resides in the same region as the ACS cluster.

      • domains
        Description: The domain names of the Container Registry instance.
        Value: Separate multiple domain names with commas (,).
        By default, all domain names that correspond to the instance ID of the Container Registry instance are specified, including registry.* (public domain name), registry-vpc.* (VPC domain name), and registry-internal.* (private domain name).

      • assumeRoleARN
        Description: The Alibaba Cloud Resource Name (ARN) of the RAM role assumed by the image repository owner, which can be obtained in Step 4 of Pull images across accounts. This parameter is optional. Leave this parameter empty if no image is pulled across accounts.
        Value: Example: acs:ram::123456789012****:test-rrsa-acr.
        This parameter is left empty by default.

      • expireDuration
        Description: The validity period of the Secret that is used to pull images across Alibaba Cloud accounts. This parameter is optional. Leave this parameter empty if no image is pulled across accounts.
        Important
        The value of the expireDuration parameter cannot be greater than the value of the MaxSessionDuration parameter of the RAM role assumed by the image repository owner in Step 4 of Pull images across accounts.
        Value: Default value: 3600.

      • rrsaRoleARN
        Description: The ARN of the RAM role assumed by the owner of the ACS cluster, which can be obtained in Step 3 of Pull images across accounts. This parameter is optional. Leave this parameter empty if no image is pulled across accounts.
        Value: Example: acs:ram::987654321012****:demo-role-for-rrsa.
        This parameter is left empty by default.

      • rrsaOIDCProviderRoleARN
        Description: The ARN of the RRSA OpenID Connect (OIDC) provider in the ACS cluster, which can be obtained in Step 2 of Pull images across accounts. This parameter is optional. Leave this parameter empty if no image is pulled across accounts.
        Value: Example: acs:ram::987654321012****:oidc-provider/ack-rrsa-abcd1234****.
        This parameter is left empty by default.

    2. The following table describes other parameters.

      • Specifies whether to enable RRSA
        Description: If you select the check box and configure the RAM Roles for Service Accounts (RRSA) feature for the cluster and the aliyun-acr-credential-helper component, this feature is enabled.
        Value: By default, this check box is not selected. After you configure RRSA and select this check box, you can pull images across accounts.

      • watchNamespace
        Description: The namespaces from which you want to pull images without using a Secret.
        Value: Default value: default. If the value is set to all, images can be pulled from all namespaces without using a Secret. Separate multiple namespaces with commas (,).
        Note
        We recommend that you set the value to your production namespaces. If you set the value to all or to the namespaces of the system components of the cluster, images in those namespaces may fail to be pulled.

      • serviceAccount
        Description: The service accounts that are used by aliyun-acr-credential-helper to pull images.
        Value: Default value: default.
        Note
        Separate multiple service accounts with commas (,). If you set the parameter to an asterisk (*), all service accounts in the specified namespaces are used.

      • expiringThreshold
        Description: The threshold before the expiration time of the cached Secret at which the Secret is renewed.
        Value: Default value: 15 minutes.
        Note
        We recommend that you keep the default value of 15 minutes, which means that the Secret is renewed 15 minutes before it expires.

      • notifyEmail
        Description: The email address that aliyun-acr-credential-helper writes into the generated Secret.
        Value: Default value: xxx@aliyun.com.

Pull images across accounts

Pull images across accounts by using RRSA

You can use the RAM Roles for Service Accounts (RRSA) feature to isolate permissions for pods in an ACS cluster. You can enable the RRSA feature for the ACS cluster and distribute the ARN of the RAM role to different image repository owners. In this way, aliyun-acr-credential-helper allows you to pull images from a Container Registry instance across accounts.

Only Container Registry Enterprise Edition instances (Basic, Standard, and Advanced) support RRSA.

Important
  • After you enable the RRSA feature, the Secret that is generated by aliyun-acr-credential-helper cannot be used to pull private images from Container Registry Personal Edition instances. After you enable the RRSA feature, you cannot use other authentication methods that are described in this topic, such as the AccessKey pair method.

  • You must enable the RRSA feature for the cluster before you configure RRSA for pulling images without using Secrets. If you configure RRSA for aliyun-acr-credential-helper first and enable RRSA for the cluster in the ACK console afterwards, you must delete the aliyun-acr-credential-helper pod after you enable RRSA for the cluster so that the component restarts and RRSA takes effect.

  1. Enable the RRSA feature for the ACS cluster. For more information, see Enable RRSA.

  2. ACS automatically creates an RRSA OIDC provider for the cluster. In the ACS console, choose Basic Information > Security and Auditing > RRSA OIDC to view the Provider URL and Provider ARN.


  3. The cluster owner uses the OIDC provider to configure a RAM role and grant permissions to assume the role.

    1. Use an OIDC provider to create a RAM role or associate an existing RAM role with an OIDC provider so that aliyun-acr-credential-helper can use the RAM role to call API operations.

      Create a RAM role by using an OIDC provider

      1. Log on to the RAM console with your Alibaba Cloud account.

      2. In the left-side navigation pane, choose Identities > Roles. On the Roles page, click Create Role.

      3. In the Create Role panel, select IdP for Select Trusted Entity and click Next.

      4. On the Configure Role wizard page, set the following parameters and click OK. The parameters that are configured in this example are described below.

        • RAM Role Name: Set the value to demo-role-for-rrsa.

        • Note: Optional. The description of the RAM role.

        • IdP Type: OIDC is selected.

        • Select IdP: acs-rrsa-<cluster_id>, where <cluster_id> indicates the ID of your cluster.

        • Conditions:

          • oidc:iss: Use the default value.

          • oidc:aud: Select sts.aliyuncs.com.

          • oidc:sub: Set the condition operator to StringEquals and enter a value in the system:serviceaccount:<namespace>:<serviceAccountName> format.

            • <namespace>: the namespace of the application.

            • <serviceAccountName>: the name of the service account.

            According to the requirements of aliyun-acr-credential-helper, you must enter system:serviceaccount:kube-system:aliyun-acr-credential-helper.

      Associate an existing RAM role with an OIDC provider

      1. Log on to the RAM console with your Alibaba Cloud account.

      2. In the left-side navigation pane, choose Identities > Roles and click the RAM role that you want to manage.

      3. On the Trust Policy tab, click Edit Trust Policy. For more information, see Edit the trust policy of a RAM role.

      4. Add the following content to the Statement field.

        {
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "oidc:aud": "sts.aliyuncs.com",
                    "oidc:iss": "<oidc_issuer_url>",
                    "oidc:sub": "system:serviceaccount:kube-system:aliyun-acr-credential-helper"
                }
            },
            "Effect": "Allow",
            "Principal": {
                "Federated": [
                    "<oidc_provider_arn>"
                ]
            }
        }

        Important

        Replace <oidc_issuer_url> and <oidc_provider_arn> with the Provider URL and Provider ARN that you obtained in Step 2.

    2. Grant the AliyunSTSAssumeRoleAccess policy to the RAM role so that aliyun-acr-credential-helper can assume the role. For more information, see Grant permissions to a RAM role.

    3. Choose Basic Information > ARN to view the ARN of the RAM role.


  4. The image repository owner configures a RAM role that trusts the RAM role of the cluster owner and grants permissions to pull images.

    1. Create a RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud account.

    2. Trust the RAM role of the ACS cluster and allow it to assume the role of the repository owner. For more information, see Edit the trust policy of a RAM role. Sample policy:

      {
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "RAM": [
                          "<acs_role_arn>"
                      ]
                  }
              }
          ],
          "Version": "1"
      }

      Important

      Replace <acs_role_arn> with the ARN of the RAM role assumed by the ACS cluster owner, which can be obtained in Step 3.

    3. Grant image pull permissions to the RAM role.

      1. Create a custom policy on the JSON tab. We recommend that you set the name of the policy to AliyunCreateSLRForIoTCloudSource. For more information, see Create a custom policy. The following sample code shows the document of the policy:

        {
            "Version": "1",
            "Statement": [
                {
                    "Action": [
                        "cr:GetAuthorizationToken",
                        "cr:ListInstanceEndpoint",
                        "cr:PullRepository"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                }
            ]
        }

      2. Grant the AliyunACRBasicAccess permission to the RAM role. For more information, see Grant permissions to a RAM role.

    4. You can configure the MaxSessionDuration parameter for the RAM role. This parameter is optional. The valid range is 3600 seconds to 43200 seconds. If the MaxSessionDuration parameter is configured, you must configure the expireDuration parameter in the AcrInstanceInfo section.

    5. Choose Basic Information > ARN to view the ARN of the RAM role.

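Steps 3 and 4 build a trust chain out of three policy documents: the cluster owner's role must be assumable only by the credential-helper service account through this cluster's OIDC provider, the repository owner's role must trust only that cluster role, and the pull policy must grant only pull actions. The following script, an added example that is not part of the Alibaba Cloud documentation or of the aliyun-acr-credential-helper component, audits such a chain offline. The policy documents and ARNs at the bottom are constructed placeholders that mirror the samples in this topic; the `without_condition` helper exists only to show what a missing `oidc:sub` condition looks like to the audit.

```python
"""Audit the RRSA cross-account trust chain configured in Steps 3 and 4.

Added example; it is not code from the Alibaba Cloud documentation or from the
aliyun-acr-credential-helper component. The three policy documents checked here
are constructed samples mirroring the ones in this topic, with placeholder ARNs
and issuer URL; substitute the documents you actually attached.
"""
import json

# Subject and audience that aliyun-acr-credential-helper presents, as stated in this topic.
EXPECTED_SUBJECT = "system:serviceaccount:kube-system:aliyun-acr-credential-helper"
EXPECTED_AUDIENCE = "sts.aliyuncs.com"
# The custom pull policy in this topic grants exactly these actions; anything more is flagged.
ALLOWED_PULL_ACTIONS = {"cr:GetAuthorizationToken", "cr:ListInstanceEndpoint", "cr:PullRepository"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _assume_role_statements(policy):
    """Allow statements of a RAM policy that grant sts:AssumeRole (single-statement docs accepted)."""
    statements = policy["Statement"] if "Statement" in policy else [policy]
    return [s for s in _as_list(statements)
            if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))]


def audit_oidc_trust(policy, issuer_url, provider_arn):
    """Findings for the cluster-owner role trust policy (Step 3): the role must only be
    assumable by the credential-helper service account of this cluster's OIDC provider."""
    findings = []
    statements = _assume_role_statements(policy)
    if not statements:
        findings.append("no Allow sts:AssumeRole statement")
    for stmt in statements:
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("oidc:sub") != EXPECTED_SUBJECT:
            findings.append("oidc:sub is not pinned to " + EXPECTED_SUBJECT)
        if cond.get("oidc:aud") != EXPECTED_AUDIENCE:
            findings.append("oidc:aud is not sts.aliyuncs.com")
        if cond.get("oidc:iss") != issuer_url:
            findings.append("oidc:iss differs from the cluster's Provider URL")
        if _as_list(stmt.get("Principal", {}).get("Federated", [])) != [provider_arn]:
            findings.append("Federated principal is not exactly the cluster's Provider ARN")
    return findings


def audit_repo_owner_trust(policy, acs_role_arn):
    """Findings for the repository-owner role trust policy (Step 4.2): only the cluster
    owner's RAM role may assume it."""
    findings = []
    statements = _assume_role_statements(policy)
    if not statements:
        findings.append("no Allow sts:AssumeRole statement")
    for stmt in statements:
        principals = _as_list(stmt.get("Principal", {}).get("RAM", []))
        if principals != [acs_role_arn]:
            findings.append(f"RAM principals {principals} are not exactly the ACS role ARN")
    return findings


def audit_pull_policy(policy):
    """Findings for the custom pull policy (Step 4.3): only pull-related cr: actions."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        extra = set(_as_list(stmt.get("Action"))) - ALLOWED_PULL_ACTIONS
        if extra:
            findings.append("actions beyond image pull: " + ", ".join(sorted(extra)))
    return findings


def audit_chain(oidc_trust, repo_trust, pull_policy, issuer_url, provider_arn, acs_role_arn):
    """Run all three audits; every list empty means the chain is as tight as this topic describes."""
    return {
        "oidc_trust": audit_oidc_trust(oidc_trust, issuer_url, provider_arn),
        "repo_owner_trust": audit_repo_owner_trust(repo_trust, acs_role_arn),
        "pull_policy": audit_pull_policy(pull_policy),
    }


def without_condition(policy, key):
    """Deep copy of a trust policy with one StringEquals condition key removed (what-if check)."""
    clone = json.loads(json.dumps(policy))
    for stmt in _assume_role_statements(clone):
        stmt.get("Condition", {}).get("StringEquals", {}).pop(key, None)
    return clone


# Constructed placeholders, not real identifiers.
ISSUER_URL = "https://<oidc_issuer_url>"
PROVIDER_ARN = "acs:ram::<cluster_owner_uid>:oidc-provider/<provider_name>"
ACS_ROLE_ARN = "acs:ram::<cluster_owner_uid>:demo-role-for-rrsa"

SAMPLE_OIDC_TRUST = {"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
    "Condition": {"StringEquals": {"oidc:aud": EXPECTED_AUDIENCE, "oidc:iss": ISSUER_URL,
                                   "oidc:sub": EXPECTED_SUBJECT}},
    "Principal": {"Federated": [PROVIDER_ARN]}}], "Version": "1"}
SAMPLE_REPO_TRUST = {"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
    "Principal": {"RAM": [ACS_ROLE_ARN]}}], "Version": "1"}
SAMPLE_PULL_POLICY = {"Version": "1", "Statement": [{"Action": sorted(ALLOWED_PULL_ACTIONS),
    "Resource": "*", "Effect": "Allow"}]}

if __name__ == "__main__":
    print(json.dumps(audit_chain(SAMPLE_OIDC_TRUST, SAMPLE_REPO_TRUST, SAMPLE_PULL_POLICY,
                                 ISSUER_URL, PROVIDER_ARN, ACS_ROLE_ARN), indent=2))
```

The `oidc:sub` check is the one that matters most: without it, any service account in the cluster that can obtain a token from the OIDC provider could assume the cluster owner's role, and through it the repository owner's role.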

  5. Select the Specifies whether to enable RRSA check box when you configure aliyun-acr-credential-helper. Configure parameters in the AcrInstanceInfo section.

    Modify the parameters in the AcrInstanceInfo section based on the following content.

    • Specifies whether to enable RRSA
      Description: If you select the check box and configure the RRSA feature for the cluster and the aliyun-acr-credential-helper component, this feature is enabled.
      Value: Select the check box.

    • rrsaRoleARN
      Description: The ARN of the RAM role assumed by the owner of the ACS cluster, which can be obtained in Step 3.
      Value: <acs_role_arn>

    • rrsaOIDCProviderRoleARN
      Description: The ARN of the RRSA OIDC provider, which can be obtained in Step 2.
      Value: <oidc_provider_arn>

    • assumeRoleARN
      Description: The ARN of the RAM role assumed by the image repository owner, which can be obtained in Step 4.
      Value: <acr_role_arn>

    • expireDuration
      Description: The validity period of the Secret that is generated by aliyun-acr-credential-helper.
      Important
      The value of the expireDuration parameter cannot be greater than the value of the MaxSessionDuration parameter of the RAM role assumed by the image repository owner in Step 4.
      Value: Default value: 3600. Valid values: 3600 to 43200. Unit: seconds.
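The parameter tables in this topic state several rules that are easy to get wrong in the console: instanceID must start with cri- or stay empty, cross-account pull needs all three ARNs plus the RRSA check box, expireDuration must lie within 3600 to 43200 seconds and must not exceed the repository owner role's MaxSessionDuration, and watchNamespace should not cover system namespaces. The script below, an added example that is not code from the Alibaba Cloud documentation or from the component, checks a configuration against those rules before you install it. The parameter names follow the tables above; the dict layout, the `enableRRSA` key standing in for the "Specifies whether to enable RRSA" check box, and the `max_session_duration` argument are assumptions made for this example, and the sample configurations are constructed.

```python
"""Check an aliyun-acr-credential-helper configuration against the rules in this topic.

Added example, not code from the Alibaba Cloud documentation or from the
component itself. The parameter names follow the tables above; the dict
layout, the enableRRSA key standing in for the "Specifies whether to enable
RRSA" check box, and the max_session_duration argument are assumptions made
for this example. The sample configurations at the bottom are constructed.
"""

# Cross-account pull needs all three ARNs from the AcrInstanceInfo section.
RRSA_FIELDS = ("rrsaRoleARN", "rrsaOIDCProviderRoleARN", "assumeRoleARN")
# expireDuration range stated in this topic, in seconds.
MIN_EXPIRE, MAX_EXPIRE = 3600, 43200


def split_csv(value):
    """Split a comma-separated console value, dropping blanks and surrounding spaces."""
    return [item.strip() for item in str(value).split(",") if item.strip()]


def validate_instance(info, rrsa_enabled, max_session_duration=None):
    """Findings for one AcrInstanceInfo entry; an empty list means the entry is consistent."""
    findings = []
    instance_id = (info.get("instanceID") or "").strip()
    if instance_id and not instance_id.startswith("cri-"):
        findings.append("instanceID must start with cri- (Enterprise Edition) or stay empty (Personal Edition)")
    if rrsa_enabled and not instance_id:
        findings.append("RRSA is supported only for Enterprise Edition instances, but instanceID is empty")
    present = [field for field in RRSA_FIELDS if info.get(field)]
    if present and len(present) != len(RRSA_FIELDS):
        missing = [field for field in RRSA_FIELDS if field not in present]
        findings.append("cross-account pull needs all three ARNs; missing " + ", ".join(missing))
    if present and not rrsa_enabled:
        findings.append("cross-account ARNs are set but the RRSA check box is not selected")
    expire = info.get("expireDuration")
    if expire not in (None, ""):
        expire = int(expire)
        if not MIN_EXPIRE <= expire <= MAX_EXPIRE:
            findings.append(f"expireDuration {expire} is outside {MIN_EXPIRE}-{MAX_EXPIRE} seconds")
        # The Secret must not outlive the STS session of the repository owner's role.
        if max_session_duration is not None and expire > max_session_duration:
            findings.append(f"expireDuration {expire} exceeds the repository owner role's "
                            f"MaxSessionDuration {max_session_duration}")
    return findings


def validate_component(params, instances, max_session_duration=None):
    """Findings for the component-level parameters plus every AcrInstanceInfo entry."""
    findings = []
    rrsa_enabled = bool(params.get("enableRRSA", False))
    namespaces = split_csv(params.get("watchNamespace", "default"))
    if not namespaces:
        findings.append("watchNamespace is empty")
    elif "all" in namespaces or "kube-system" in namespaces:
        # The topic's Note: watching all or system namespaces can break system image pulls.
        findings.append("watchNamespace covers all or system namespaces; restrict it to production namespaces")
    accounts = split_csv(params.get("serviceAccount", "default"))
    if not accounts:
        findings.append("serviceAccount is empty")
    elif "*" in accounts and len(accounts) > 1:
        findings.append("serviceAccount mixes * with named accounts; * already selects all of them")
    if "@" not in str(params.get("notifyEmail", "xxx@aliyun.com")):
        findings.append("notifyEmail is not an email address")
    if not instances:
        findings.append("no AcrInstanceInfo entry configured")
    for index, info in enumerate(instances):
        findings.extend(f"AcrInstanceInfo[{index}]: {item}"
                        for item in validate_instance(info, rrsa_enabled, max_session_duration))
    return findings


# Constructed sample 1: Personal Edition with the default parameters.
PERSONAL_PARAMS = {"enableRRSA": False, "watchNamespace": "default", "serviceAccount": "default"}
PERSONAL_INSTANCES = [{"instanceID": "", "regionID": "", "domains": ""}]

# Constructed sample 2: Enterprise Edition with cross-account pull; every ARN is a placeholder.
RRSA_PARAMS = {"enableRRSA": True, "watchNamespace": "prod,staging", "serviceAccount": "*",
               "notifyEmail": "ops@example.invalid"}
RRSA_INSTANCES = [{
    "instanceID": "cri-<instance_id>",
    "regionID": "cn-hangzhou",
    "rrsaRoleARN": "acs:ram::<cluster_owner_uid>:demo-role-for-rrsa",
    "rrsaOIDCProviderRoleARN": "acs:ram::<cluster_owner_uid>:oidc-provider/<provider_name>",
    "assumeRoleARN": "acs:ram::<repo_owner_uid>:test-rrsa-acr",
    "expireDuration": 7200,
}]

if __name__ == "__main__":
    print(validate_component(PERSONAL_PARAMS, PERSONAL_INSTANCES))
    # expireDuration 7200 is flagged when the repository owner's role allows only 3600-second sessions.
    print(validate_component(RRSA_PARAMS, RRSA_INSTANCES, max_session_duration=3600))
```

Pass the MaxSessionDuration you configured in Step 4 as `max_session_duration`; when the parameter was left at its default, the expireDuration range check alone applies.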
