Alibaba Cloud Container Compute Service (ACS) allows you to pull images from Alibaba Cloud Container Registry instances without using Secrets, which improves the efficiency and security of image pulling. This topic describes how to pull images from a Container Registry instance without using a Secret.
Background information
Container Registry provides Container Registry Personal Edition instances and Container Registry Enterprise Edition instances. Container Registry Enterprise Edition is an enterprise-grade platform designed to manage the lifecycle of cloud-native application artifacts, including container images, Helm charts, and Open Container Initiative (OCI) artifacts. It is suitable for large-scale business deployment scenarios and helps enterprises reduce delivery complexity. For more information, see What is Container Registry?
If your image is stored on a Container Registry instance, you can pull the image without using Secrets when you create an ACS cluster to improve efficiency and avoid disclosing the Secret.
You cannot pull an image without using Secrets if the image is not stored on a Container Registry instance, for example, Docker images hosted on other registries or images in self-managed repositories.
Prerequisites
Before you start, make sure that you have completed the following tasks:
An ACS cluster is created. For more information, see Create an ACS cluster.
A Container Registry instance is created, and related configurations such as image repositories and images are completed for the instance.
For more information about how to configure a Container Registry Personal Edition instance, see Use a Container Registry Personal Edition instance to push and pull images.
For more information about how to configure a Container Registry Enterprise Edition instance, see Use a Container Registry Enterprise Edition instance to push and pull images.
Network access to the Container Registry instance is configured if the instance is an Enterprise Edition instance.
By default, a newly created Container Registry Enterprise Edition instance is disconnected from all networks. You must configure access control lists (ACLs) to allow access to the instance over the Internet or virtual private clouds (VPCs).
Over the Internet: After you enable Internet access for an Enterprise Edition instance, you can access images in the Enterprise Edition instance across regions by using public endpoints of the Enterprise Edition instance. For more information, see Configure access over the Internet.
Over a VPC: To access a Container Registry Enterprise Edition instance over a VPC, you must grant the required authorization by using the service-linked role AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone. For more information, see Configure a VPC ACL.
Usage notes
To pull private images, the managed aliyun-acr-credential-helper component needs to read the configurations that you specify in the console. After you configure the aliyun-acr-credential-helper component, the component generates a Secret in your cluster and associates the Secret with the service account that you specified in the acr-configuration ConfigMap. By default, all pods that use this service account use the generated Secret to pull images, so no password has to be stored in your workload manifests.
Install the managed aliyun-acr-credential-helper component
Log on to the ACS console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you created.
In the left-side navigation pane, go to the Add-ons page. On the Add-ons page, click the Security tab, find aliyun-acr-credential-helper, and click Install.
Configure the managed aliyun-acr-credential-helper component
Add a Container Registry instance
After you click Install, you must add a Container Registry instance in the dialog box that appears so that you can use the component.
The following table describes the parameters.
| Parameter | Description | Value |
|---|---|---|
| instanceID | The ID of the Container Registry instance. | Find the instance that you created in Container Registry. Enterprise Edition: view the Instance ID in the Instance section. Personal Edition: leave this parameter empty if you want to pull images from a Container Registry Personal Edition instance without using Secrets. By default, this parameter is left empty. |
| regionID | The region ID of the Container Registry instance. | A region ID, such as cn-hangzhou if your instance resides in the China (Hangzhou) region. By default, the region of the ACS cluster is selected. Leave this parameter empty if the Container Registry instance resides in the same region as the ACS cluster. |
| domains | The domain names of the Container Registry instance. | Separate multiple domain names with commas (,). By default, all domain names that correspond to the instance ID of the Container Registry instance are specified, including registry.* (public domain name), registry-vpc.* (VPC domain name), and registry-internal.* (private domain name). |
| assumeRoleARN | The ARN of the RAM role assumed by the owner of the Container Registry instance. This parameter is optional. Leave this parameter empty if no image is pulled across accounts. When you pull images across accounts, specify the ARN of the RAM role assumed by Account B. | Example: acs:ram::aaa. By default, this parameter is left empty. |
| expireDuration | The validity period of the temporary credentials used to pull images across accounts. This parameter is optional. Leave this parameter empty if no image is pulled across accounts. This is the duration of the session created by the RAM role of Account B when images are pulled across accounts, which is the validity period of the temporary credentials generated by the managed aliyun-acr-credential-helper component. Important: the expireDuration value cannot be greater than the MaxSessionDuration value of the RAM role of Account B. | Default value: 3600. |
| rrsaRoleARN | The ARN of the RAM role assumed by the owner of the ACS cluster. This parameter is optional. Leave this parameter empty if no image is pulled across accounts. This is the ARN of the RAM role assumed by Account A when images are pulled across accounts. | Example: acs:ram::bbb. By default, this parameter is left empty. |
| rrsaOIDCProviderRoleARN | The ARN of the OIDC provider. This parameter is optional. Leave this parameter empty if no image is pulled across accounts. This is the ARN of the OIDC provider displayed in the basic information of the cluster within Account A in the ACK console when images are pulled across accounts. | Example: acs:ram::ccc. By default, this parameter is left empty. |
The following table describes other parameters.
| Parameter | Description | Value |
|---|---|---|
| watchNamespace | The namespaces from which you want to pull images without using a Secret. | Default value: default. If the value is set to all, images can be pulled from all namespaces without using a Secret. Separate multiple namespaces with commas (,). Note: we recommend that you set the value to your production namespaces. If you set the value to all or to the namespaces of the system components of the cluster, images in those namespaces may fail to be pulled. |
| serviceAccount | The service accounts that are used by aliyun-acr-credential-helper to pull images. | Default value: default. Note: separate multiple service accounts with commas (,). If you set the parameter to an asterisk (*), all service accounts in the specified namespaces are used. |
| expiringThreshold | The renewal threshold of the cached Secret. | Default value: 15 min. Note: we recommend that you use the default value, which renews the Secret 15 minutes before it expires. |
| notifyEmail | The email address recorded in the Secret. | Default value: c*@aliyun.com. |
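The usage note above says the component writes a Secret and attaches it to the configured service accounts in the watched namespaces, and the table warns against watching system namespaces. The following script is an added example (not part of this topic or of the aliyun-acr-credential-helper component) that shows what a cluster operator can verify afterwards: it normalises the comma-separated dialog values, flags watchNamespace settings the note advises against, and checks that a kubernetes.io/dockerconfigjson Secret is referenced by the service account and carries an auth entry for every configured domain. The Secret, service account, domain names and token are constructed placeholders.

```python
"""Verify the pull Secret generated by aliyun-acr-credential-helper and its
binding to a service account, and lint the dialog's comma-separated values.

Added example; the Secret, service account and domain names below are
constructed for illustration and are not the component's real output."""
import base64
import json

# Namespaces of cluster system components; the page's note advises not to watch them.
SYSTEM_NAMESPACES = {"kube-system", "kube-public", "kube-node-lease"}


def parse_csv_list(value: str) -> list[str]:
    """Split a comma-separated dialog value (domains, watchNamespace,
    serviceAccount) into a clean list, dropping blanks and duplicates."""
    items: list[str] = []
    for item in value.split(","):
        item = item.strip()
        if item and item not in items:
            items.append(item)
    return items


def lint_watch_namespace(value: str) -> list[str]:
    """Return warnings for watchNamespace values the page advises against."""
    warnings = []
    namespaces = parse_csv_list(value)
    if "all" in namespaces:
        warnings.append("watchNamespace=all also covers system namespaces; pulls there may fail")
    for ns in namespaces:
        if ns in SYSTEM_NAMESPACES:
            warnings.append(f"watchNamespace includes system namespace {ns}")
    return warnings


def secret_registries(secret: dict) -> dict[str, str]:
    """Decode a kubernetes.io/dockerconfigjson Secret and return
    {registry domain: username} for every auth entry."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a kubernetes.io/dockerconfigjson Secret")
    config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    registries = {}
    for domain, entry in config["auths"].items():
        # "auth" is base64("user:token"); keep only the user, never log the token.
        user, _, _token = base64.b64decode(entry["auth"]).decode().partition(":")
        registries[domain] = user
    return registries


def check_pull_secret(sa: dict, secret: dict, expected_domains: list[str]) -> list[str]:
    """Return findings (empty list means OK): the service account must reference
    the Secret, and the Secret must cover every configured registry domain."""
    findings = []
    name = secret["metadata"]["name"]
    refs = [ref["name"] for ref in sa.get("imagePullSecrets", [])]
    if name not in refs:
        findings.append(f"service account {sa['metadata']['name']} does not reference {name}")
    try:
        covered = secret_registries(secret)
    except (ValueError, KeyError) as exc:
        return findings + [f"{name}: {exc}"]
    for domain in expected_domains:
        if domain not in covered:
            findings.append(f"{name} has no auth entry for {domain}")
    return findings


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample objects, shaped like `kubectl get sa/secret -o json` output.
SAMPLE_DOMAINS = parse_csv_list(
    "registry.example.test, registry-vpc.example.test, registry-internal.example.test")
SAMPLE_SECRET = {
    "metadata": {"name": "acr-credential-demo", "namespace": "default"},
    "type": "kubernetes.io/dockerconfigjson",
    "data": {".dockerconfigjson": _b64(json.dumps({"auths": {
        d: {"auth": _b64("cr-temp-user:<constructed-token>"), "email": "c*@aliyun.com"}
        for d in SAMPLE_DOMAINS}}))},
}
SAMPLE_SA = {
    "metadata": {"name": "default", "namespace": "default"},
    "imagePullSecrets": [{"name": "acr-credential-demo"}],
}

if __name__ == "__main__":
    print("findings:", check_pull_secret(SAMPLE_SA, SAMPLE_SECRET, SAMPLE_DOMAINS))
    print("warnings:", lint_watch_namespace("default,kube-system"))
```

To run the checks against a live cluster, feed `check_pull_secret` the JSON from `kubectl get sa <name> -n <namespace> -o json` and `kubectl get secret <name> -n <namespace> -o json` instead of the constructed samples; the domain list is the same value you entered in the domains parameter.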
Pull images across accounts
Pull images across accounts by configuring RRSA
The RRSA feature can be used to perform access control on pods in a cluster.
Only Container Registry Enterprise Edition instances (Basic, Standard, and Advanced) support RRSA.
After you enable the RRSA feature, the Secret that is generated by aliyun-acr-credential-helper cannot be used to pull private images from Container Registry Personal Edition instances. After you enable the RRSA feature, you also cannot use the other authentication methods described in this topic, such as the AccessKey pair method.
You must enable the RRSA feature for the cluster before you configure RRSA for pulling images without using Secrets. If you configure RRSA for aliyun-acr-credential-helper first and only then enable RRSA for the cluster in the ACK console, you must delete the pod of aliyun-acr-credential-helper after you configure RRSA so that the RRSA configuration takes effect.
On the Cluster Information page of your ACS cluster, click the Basic Information tab, find RRSA OIDC, and enable RRSA.
Grant the required permissions to access Container Registry resources across accounts.
After the RRSA feature is enabled for the cluster, you must perform the following operations to enable RRSA for aliyun-acr-credential-helper. In the following example, the current cluster is in Account A and the Container Registry instance is in Account B. To pull images from the Container Registry instance, you must grant the cluster in Account A the permissions to access the Container Registry resources of Account B.
Configure a RAM role for Account A
Create a RAM role in Account A and attach the AliyunSTSAssumeRoleAccess policy to the RAM role. This policy grants the RAM role the sts:AssumeRole permission. Then modify the trust policy of the RAM role as follows.
Replace <oidc_issuer_url> in the example with the URL of the OIDC provider of the cluster. You can view the URL on the Basic Information tab of the ACS cluster.
Replace <oidc_provider_arn> in the example with the ARN of the OIDC provider of the cluster. You can view the ARN on the Basic Information tab of the ACS cluster.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "oidc:aud": "sts.aliyuncs.com",
          "oidc:iss": "<oidc_issuer_url>",
          "oidc:sub": "system:serviceaccount:kube-system:aliyun-acr-credential-helper"
        }
      },
      "Effect": "Allow",
      "Principal": {
        "Federated": [
          "<oidc_provider_arn>"
        ]
      }
    }
  ],
  "Version": "1"
}
Configure a RAM role for Account B
Create a RAM role that has Container Registry-related permissions in Account B. On the Trust Policy Management tab, enter the ARN of the RAM role of Account A in the Principal field of the trust policy. Then attach the following policy to the RAM role in Account B. The policy grants the RAM role in Account B the permissions to obtain information about Container Registry instances and pull images from the instances.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "cr:GetAuthorizationToken",
        "cr:ListInstanceEndpoint",
        "cr:PullRepository"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
You can configure the MaxSessionDuration parameter for the RAM role in Account B. Valid values of this parameter range from 3600 to 43200 seconds. You must also configure the expireDuration parameter in the "aliyun-acr-credential-helper Parameters" dialog box described earlier. The value of expireDuration must be smaller than or equal to the value of MaxSessionDuration; we recommend that you specify the same value for both.
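The cross-account setup above consists of two trust policies, one permission policy and the expireDuration/MaxSessionDuration constraint. The following script is an added example (not Alibaba Cloud tooling) that builds those policies from the cluster's OIDC issuer URL, OIDC provider ARN and the Account A role ARN, so the oidc:sub condition is always pinned to the helper's service account, and checks the duration rule before you save the dialog. The Account A trust policy and the Account B permission policy are the ones shown above; the page does not show the Account B trust policy, so its shape (a RAM principal listing the Account A role ARN) is an assumption consistent with RAM's trust-policy format. All URLs, ARNs and account IDs are placeholders.

```python
"""Build the RAM policies for cross-account image pulling with RRSA and check
the expireDuration / MaxSessionDuration rule. Added example, not Alibaba
Cloud's own tooling; the OIDC URL, ARNs and account IDs are placeholders."""
import json

# Subject the Account A trust policy must pin: the helper's own service account.
HELPER_SUBJECT = "system:serviceaccount:kube-system:aliyun-acr-credential-helper"
MIN_SESSION, MAX_SESSION = 3600, 43200  # valid MaxSessionDuration range in seconds


def account_a_trust_policy(oidc_issuer_url: str, oidc_provider_arn: str) -> dict:
    """Trust policy for the Account A role: only the helper's service account,
    authenticated through the cluster's OIDC provider, may assume it."""
    return {
        "Version": "1",
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Federated": [oidc_provider_arn]},
            "Condition": {"StringEquals": {
                "oidc:aud": "sts.aliyuncs.com",
                "oidc:iss": oidc_issuer_url,
                "oidc:sub": HELPER_SUBJECT,
            }},
        }],
    }


def account_b_trust_policy(account_a_role_arn: str) -> dict:
    """Trust policy for the Account B role: trusts only the Account A role.
    Assumption: RAM's cross-account trust format, "Principal": {"RAM": [...]}."""
    return {
        "Version": "1",
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"RAM": [account_a_role_arn]},
        }],
    }


def account_b_permission_policy() -> dict:
    """Pull-only permissions from the page: auth token, endpoints, pull."""
    return {
        "Version": "1",
        "Statement": [{
            "Action": ["cr:GetAuthorizationToken", "cr:ListInstanceEndpoint", "cr:PullRepository"],
            "Resource": "*",
            "Effect": "Allow",
        }],
    }


def check_session_durations(expire_duration: int, max_session_duration: int) -> list[str]:
    """Return problems with the dialog's expireDuration versus the role's MaxSessionDuration."""
    problems = []
    if not MIN_SESSION <= max_session_duration <= MAX_SESSION:
        problems.append(f"MaxSessionDuration {max_session_duration} is outside {MIN_SESSION}-{MAX_SESSION}")
    if expire_duration > max_session_duration:
        problems.append(f"expireDuration {expire_duration} exceeds MaxSessionDuration {max_session_duration}")
    return problems


def render_policies(oidc_issuer_url: str, oidc_provider_arn: str, account_a_role_arn: str) -> dict[str, str]:
    """Pretty-printed JSON for each policy, ready to paste into the RAM console."""
    return {
        "account_a_trust": json.dumps(account_a_trust_policy(oidc_issuer_url, oidc_provider_arn), indent=2),
        "account_b_trust": json.dumps(account_b_trust_policy(account_a_role_arn), indent=2),
        "account_b_permission": json.dumps(account_b_permission_policy(), indent=2),
    }


if __name__ == "__main__":
    # Placeholder inputs; take the real values from the cluster's Basic Information tab.
    rendered = render_policies("https://oidc.example.test/<cluster-id>",
                               "acs:ram::<account-a-id>:oidc-provider/<provider>",
                               "acs:ram::<account-a-id>:role/<acr-puller-role>")
    for name, body in rendered.items():
        print(f"# {name}\n{body}\n")
    print("duration problems:", check_session_durations(3600, 3600))
```

Keeping the oidc:sub condition pinned to the kube-system helper service account is what prevents any other pod in the cluster from assuming the Account A role through the same OIDC provider, so it is worth checking that line in the rendered output before saving the trust policy.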