Elastic Container Instance: Image cache annotations

Last Updated: Nov 20, 2024

To accelerate the creation of pods in Kubernetes clusters, you can use the ImageCache feature of Elastic Container Instance through the ImageCache Custom Resource Definition (CRD). When you create an image cache, you can add annotations based on your business requirements. This topic describes the annotations that can be added when you create an image cache and provides examples of how to configure them.

Annotations that can be added when you create an image cache

The following table describes the annotations that can be added when you create an image cache.

| Annotation | Example | Description | References |
| --- | --- | --- | --- |
| k8s.aliyun.com/vswitch-ids | "vsw-bp1dktddjsg5nktv****,vsw-bp1xpiowfm5vo8o3c****" | Specifies the IDs of vSwitches. You can specify multiple vSwitches for multiple zones. If you do not specify this parameter, the ID of the vSwitch configured in eci-profile is used. | Create an image cache by using the multi-zone feature |
| k8s.aliyun.com/imc-cpu-arch | "arm64" | Specifies the CPU architecture. Valid values: | Specify the CPU architecture |
| k8s.aliyun.com/imc-os-type | "windows" | Specifies the operating system. Valid values: | Specify the operating system |
| k8s.aliyun.com/security-group-id | "sg-bp1dktddjsg5nktv****" | Specifies the ID of the security group. If you leave this annotation empty, the ID of the security group configured in eci-profile is used. | Configure a security group and resource group |
| k8s.aliyun.com/resource-group-id | "rg-aek2z3elfs4****" | Specifies the ID of the resource group. If you leave this annotation empty, the ID of the resource group configured in eci-profile is used. | Configure a security group and resource group |
| k8s.aliyun.com/acr-instance-ids | "cri-j36zhodptmyq****" | Specifies the IDs of Alibaba Cloud Container Registry Enterprise Edition instances. These instances are used to pull images without the need to use passwords. You can specify Container Registry Enterprise Edition instances that reside in regions different from the region of the pod. To do this, prefix the ID of the Container Registry Enterprise Edition instance with the region ID of the instance. Example: "cn-beijing:cri-j36zhodptmyq****". | Pull images from a Container Registry instance without using secrets |
| k8s.aliyun.com/acr-service-arns | acs:ram::1609982529******:role/role-assume | Specifies the Alibaba Cloud Resource Names (ARNs) of the Resource Access Management (RAM) roles in the Alibaba Cloud account to which the Elastic Container Instance resources belong. This annotation is required when you use a RAM role to create resources. | Pull images from a Container Registry instance without using secrets |
| k8s.aliyun.com/acr-user-arns | acs:ram::1298452580******:role/role-acr | Specifies the ARNs of the RAM roles in the Alibaba Cloud account to which the Container Registry instance belongs. This annotation is required when you pull images from a Container Registry instance that belongs to an Alibaba Cloud account that is different from the Alibaba Cloud account of the Elastic Container Instance resource. | Pull images from a Container Registry instance without using secrets |
| k8s.aliyun.com/plain-http-registry | "harbor***.pre.com,192.168.XX.XX:5000,reg***.test.com:80" | Specifies the address of the self-managed image repository. When you create an elastic container instance by using an image in a self-managed image repository that uses the HTTP protocol, you must add this annotation. This way, Elastic Container Instance uses the HTTP protocol to pull the image. This can prevent a failure to pull the image due to different protocols. | Pull an image from a self-managed image repository |
| k8s.aliyun.com/insecure-registry | "harbor***.pre.com,192.168.XX.XX:5000,reg***.test.com:80" | Specifies the address of the self-managed image repository. When you create an elastic container instance by using an image in a self-managed image repository that uses a self-signed certificate, you must add this annotation to skip the certificate authentication. This can prevent a failure to pull the image due to certificate authentication failures. | Pull an image from a self-managed image repository |
| k8s.aliyun.com/imc-enable-reuse | "true" | Specifies whether to enable reuse of image cache layers. If you enable this feature and the image cache that you want to create contains the same layers as existing image caches, the system reuses the image layers of the existing image caches to create the new image cache. This accelerates the creation of the image cache. | Enable reuse of image cache layers |
| k8s.aliyun.com/imc-enable-flash | "true" | Specifies whether to enable the instant image cache feature. If you enable this feature, the system creates a temporary local snapshot. This reduces the time required to create the image cache. | Enable the instant image cache feature |
| k8s.aliyun.com/imc-retention-days | "7" | Specifies the retention period of the image cache. Unit: days. Expired image caches are automatically deleted. This annotation is left empty by default, which indicates that the image cache never expires. | Configure the size and retention period of the image cache |
| k8s.aliyun.com/imc-size | "25" | Specifies the size of the image cache. Unit: GiB. Default value: 20. Valid values: 20 to 32768. | Configure the size and retention period of the image cache |
| k8s.aliyun.com/eip-instance-id | "eip-bp1q5n8cq4p7f6dzu****" | Specifies the ID of the elastic IP address (EIP) that is associated with the pod. If no NAT gateway is configured, you can associate an existing EIP with the pod to pull images over the Internet. | Configure an EIP to pull images over the Internet |
| k8s.aliyun.com/auto-create-eip | "true" | Specifies whether to automatically create an EIP and associate the EIP with the elastic container instance. If no NAT gateway is configured, you can set this annotation to true. This allows the system to create an EIP and associate the EIP with the pod to pull images over the Internet. | Configure an EIP to pull images over the Internet |
| k8s.aliyun.com/eip-bandwidth | "5" | Specifies the bandwidth limit for the EIP when the system creates an EIP. Unit: Mbit/s. | Configure an EIP to pull images over the Internet |
| k8s.aliyun.com/eip-internet-charge-type | PayByBandwidth | Specifies the billing method for network usage of the EIP when the system creates an EIP. Valid values: PayByBandwidth (pay-by-bandwidth), PayByTraffic (pay-by-traffic). | Configure an EIP to pull images over the Internet |
| k8s.aliyun.com/eip-isp | BGP | Specifies the line type of the EIP when the system creates an EIP. This annotation is only applicable to pay-as-you-go EIPs. Valid values: BGP (default; BGP (Multi-ISP) line), BGP_PRO (BGP (Multi-ISP) Pro lines). | Configure an EIP to pull images over the Internet |
| k8s.aliyun.com/eip-common-bandwidth-package-id | "cbwp-2zeukbj916scmj51m****" | Specifies the ID of the EIP bandwidth plan. | Configure an EIP to pull images over the Internet |

Create an image cache by using the multi-zone feature

When you create an image cache, the system creates a temporary elastic container instance. To ensure the image cache can be created, you can specify multiple vSwitches that reside in different zones.

Note

When you create an image cache, the vSwitch of the Kubernetes cluster or VNode is used by default. If the Kubernetes cluster or VNode is configured with multiple zones, you do not need to specify vSwitches.

apiVersion: eci.alibabacloud.com/v1
kind: ImageCache
metadata:
  name: imagecache-sample
  annotations:
    k8s.aliyun.com/vswitch-ids: "vsw-bp1dktddjsg5nktv****,vsw-bp1xpiowfm5vo8o3c****"  # Specifies multiple vSwitches.
spec:
  images:
  - centos:latest
  - busybox:latest
  imageCacheSize:
   25
  retentionDays:
   7

Specify the CPU architecture

When you pull an image of the Arm architecture to create an image cache, you must specify the CPU architecture.

Important

When you specify this annotation, make sure that virtual nodes of the Arm architecture exist in the cluster. For more information, see Schedule pods to an Arm-based virtual node.

apiVersion: eci.alibabacloud.com/v1
kind: ImageCache
metadata:
  name: imagecache-sample
  annotations:
    k8s.aliyun.com/imc-cpu-arch: "arm64" # Specifies the CPU architecture as Arm.
spec:
  images:
  - arm64v8/centos:7.9.2009 # Specifies the container image that uses the Arm architecture.
  imageCacheSize:
   25
  retentionDays:
   7

Specify the operating system

When you pull a Windows image to create an image cache, you must specify the operating system.

Important

When you specify this annotation, make sure that Windows virtual nodes exist in the cluster. For more information, see (In invitational preview) Schedule pods to run on Windows virtual nodes.

apiVersion: eci.alibabacloud.com/v1
kind: ImageCache
metadata:
  name: imagecache-sample
  annotations:
    k8s.aliyun.com/imc-os-type: "windows" # Specifies the operating system as Windows.
spec:
  images:
  - mcr.microsoft.com/windows/nanoserver:ltsc2022 # Specifies the container image that contains the operating system.
  imageCacheSize:
   25
  retentionDays:
   7

Configure a security group and resource group

By default, the security group and resource group that are configured in eci-profile are used when you create an image cache. You can configure a security group and resource group based on your business requirements.

apiVersion: eci.alibabacloud.com/v1
kind: ImageCache
metadata:
  name: imagecache-sample
  annotations:
    k8s.aliyun.com/security-group-id: "sg-bp1dktddjsg5nktv****" # Specifies a security group.
    k8s.aliyun.com/resource-group-id: "rg-aek2z3elfs4****"      # Specifies a resource group.
spec:
  images:
  - centos:latest
  - busybox:latest
  imageCacheSize:
   25
  retentionDays:
   7

Pull images from a Container Registry instance without using secrets

The following table describes the scenarios in which you can pull images from a Container Registry instance without using Secrets.

| The resource to be created, such as an elastic container instance, and the Container Registry instance are in the same account | Edition of the Container Registry instance | Secret-free image pulling |
| --- | --- | --- |
| Yes | Personal Edition; Enterprise Edition (use a default domain name) | By default, secret-free image pulling is enabled. You can configure a RAM role to limit the scope of Container Registry instances that support secret-free image pulling. |
| Yes | Enterprise Edition (use a custom domain name) | Secret-free image pulling cannot be enabled by default. You must specify Container Registry instances that support secret-free image pulling. |
| No | Personal Edition; Enterprise Edition | Secret-free image pulling cannot be enabled by default. You must configure a RAM role to implement secret-free image pulling. |

For more information, see Pull images from a Container Registry instance without using a Secret.

Use self-managed image repositories

If you create an image cache from an image in a self-managed image repository that uses the HTTP protocol or a self-signed certificate, you must configure annotations to prevent image pull failures.

  • The self-managed image repository uses the HTTP protocol.

    By default, elastic container instances pull images over the HTTPS protocol. When you create an image cache, you must add the k8s.aliyun.com/plain-http-registry annotation. This allows the elastic container instance to interact with the image repository over the HTTP protocol.

    apiVersion: eci.alibabacloud.com/v1
    kind: ImageCache
    metadata:
      name: imagecache-sample
      annotations:
        k8s.aliyun.com/plain-http-registry: "192.168.XX.XX:5000"  # Specifies the address of the self-managed image repository, which is used to pull an image over HTTP protocol.
    spec:
      images:
      - 192.168.XX.XX:5000/test/nginx:latest
      imagePullSecrets:
      - default:secret1
      - default:secret2
      - kube-system:secret3
      imageCacheSize:
       25
      retentionDays:
       7
  • The self-managed image repository uses a self-signed certificate.

    If the self-managed image repository uses a self-signed certificate, certificate verification fails when the system attempts to pull an image from the image repository. You must add the k8s.aliyun.com/insecure-registry annotation to skip certificate verification.

    apiVersion: eci.alibabacloud.com/v1
    kind: ImageCache
    metadata:
      name: imagecache-sample
      annotations:
        k8s.aliyun.com/insecure-registry: "harbor***.pre.com"  # Specifies the address of the self-managed image repository. The system skips certificate authentication when the system tries to pull an image from the image repository to create a pod.
    spec:
      images:
      - harbor***.pre.com/test/nginx:latest
      imagePullSecrets:
      - default:secret1
      - default:secret2
      - kube-system:secret3
      imageCacheSize:
       25
      retentionDays:
       7
Note

  • If you want to pull images of multiple containers from different image repositories, you can specify multiple image repository addresses separated with commas (,). Example: harbor***.pre.com,192.168.XX.XX.

  • If the image repository address contains a port number, you must specify the address and its port number. For example, if the image repository address is 192.168.XX.XX:5000/nginx:latest, set the annotation to 192.168.XX.XX:5000.
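
The following added example (not part of the original documentation) audits an ImageCache object, given as JSON, for the two annotations described above and applies the port rule from the note. The sample object, registry addresses and secret name are constructed for illustration, and the rule used to tell a registry host from a Docker Hub name (a first path component containing a dot or colon, or equal to localhost) is the common image reference convention, assumed here.

```python
import json

PLAIN_HTTP = "k8s.aliyun.com/plain-http-registry"
INSECURE_TLS = "k8s.aliyun.com/insecure-registry"

# Constructed sample object (addresses and secret name are illustrative only).
SAMPLE = json.loads("""
{"apiVersion": "eci.alibabacloud.com/v1", "kind": "ImageCache",
 "metadata": {"name": "imagecache-sample", "annotations": {
   "k8s.aliyun.com/plain-http-registry": "192.168.10.5:5000",
   "k8s.aliyun.com/insecure-registry": "harbor.example.internal, 10.0.0.7"}},
 "spec": {"images": ["192.168.10.5:5000/test/nginx:latest",
                     "harbor.example.internal/test/nginx:latest",
                     "10.0.0.7:8443/tools/busybox:1.36",
                     "centos:latest"],
          "imagePullSecrets": ["default:secret1"]}}
""")

def registry_of(image):
    """Return host[:port] of an image reference, or None for Docker Hub names."""
    first, slash, _ = image.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return None

def split_list(value):
    """Annotation values are comma-separated registry addresses."""
    return [item.strip().lower() for item in (value or "").split(",") if item.strip()]

def audit(image_cache):
    """Return sorted (severity, message) findings for one ImageCache object."""
    notes = image_cache.get("metadata", {}).get("annotations") or {}
    spec = image_cache.get("spec", {})
    used = {registry_of(i) for i in spec.get("images") or []} - {None}
    findings = []
    for key, risk in ((PLAIN_HTTP, "images are pulled over plain HTTP"),
                      (INSECURE_TLS, "certificate verification is skipped")):
        for entry in split_list(notes.get(key)):
            if entry in used:
                findings.append(("HIGH", f"{entry}: {risk}"))
                if key == PLAIN_HTTP and spec.get("imagePullSecrets"):
                    findings.append(("HIGH", f"{entry}: pull credentials may cross the network unencrypted"))
            elif any(u.rpartition(":")[0] == entry for u in used):
                # Per the note above, an address with a port must be listed with its port.
                findings.append(("WARN", f"{entry}: image address has a port, annotation entry does not"))
            else:
                findings.append(("WARN", f"{entry}: listed in {key} but no image uses it"))
    return sorted(findings)

if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"{severity:4}  {message}")
```

The HIGH findings mark registries whose images are cached without transport protection or server authentication; the WARN findings mark annotation entries that do not match any image address as written.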

Enable reuse of image cache layers

The time required to create an image cache depends on factors such as the image size and network conditions. You can enable the image cache layer reuse feature to reduce the time required to create an image cache.

After you enable the feature, the system inspects existing image caches when you create an image cache. If an existing image cache contains an image layer that you want to use, the system reuses the image layer to reduce the time required to create the image cache.

apiVersion: eci.alibabacloud.com/v1
kind: ImageCache
metadata:
  name: imagecache-sample
  annotations:
    k8s.aliyun.com/imc-enable-reuse: "true"   # Enables reuse of image cache layers.
spec:
  images:
  - centos:latest
  - busybox:latest
  imageCacheSize:
   25
  retentionDays:
   7

Enable the instant image cache feature

The time required to create an image cache depends on factors such as the image size and network conditions. You can enable the instant image cache feature to reduce the time required to create an image cache.

After you enable the instant image cache feature, the system creates a temporary local snapshot for the disks of the temporary elastic container instance during the creation of the image cache. After the local snapshot is created, the image cache is available for use.

Note

After the local snapshot is created, the system begins to create a standard snapshot. During the creation of the standard snapshot, you can use the local snapshot to create elastic container instances. After the standard snapshot is created, the system removes the local snapshot. This way, you can use the standard snapshot to create elastic container instances.

apiVersion: eci.alibabacloud.com/v1
kind: ImageCache
metadata:
  name: imagecache-sample
  annotations:
    k8s.aliyun.com/imc-enable-flash: "true"   # Enables the instant image cache feature.
spec:
  images:
  - centos:latest
  - busybox:latest
  imageCacheSize:
   25
  retentionDays:
   7

Configure the size and retention period of the image cache

By default, a manually created image cache is 20 GiB in size and is permanently retained after it is created. If you want to specify the size and retention period of the image cache, you can specify the imageCacheSize and retentionDays parameters in the spec section, or add annotations.

apiVersion: eci.alibabacloud.com/v1
kind: ImageCache
metadata:
  name: imagecache-sample
  annotations:
    k8s.aliyun.com/imc-retention-days: "7"   # Specifies the retention period of the image cache.
    k8s.aliyun.com/imc-size: "25"            # Specifies the size of the image cache.
spec:
  images:
  - centos:latest
  - busybox:latest

Configure an EIP to pull images over the Internet

EIPs are public IP addresses that you can purchase and use as independent resources. When an EIP is associated with a cloud resource, the cloud resource can use the EIP to connect to the Internet. For more information, see What is an Elastic IP Address?

When you create an image cache from images that are pulled over the Internet, Internet access is required. You can enable Internet access by configuring a NAT gateway or an EIP. If your virtual private cloud (VPC) is not associated with a NAT gateway, you can configure an EIP to pull images over the Internet. You can use one of the following methods to configure an EIP.

Note

During the creation of an image cache, the system creates a temporary elastic container instance and associates the EIP with the temporary elastic container instance. If you use an existing EIP, the EIP is retained after the image cache is created. If the system creates an EIP and associates the EIP with the temporary elastic container instance, the EIP and the temporary elastic container instance are released after the image cache is created.

  • Associate an existing EIP with the temporary elastic container instance

    apiVersion: eci.alibabacloud.com/v1
    kind: ImageCache
    metadata:
      name: imagecache-sample
      annotations:
        k8s.aliyun.com/eip-instance-id: "eip-bp1q5n8cq4p7f6dzu****"   # Associates an existing EIP with the temporary elastic container instance.
    spec:
      images:
      - centos:latest
      - busybox:latest
      imageCacheSize:
       25
      retentionDays:
       7
  • Automatically create an EIP and associate it with the temporary elastic container instance

    apiVersion: eci.alibabacloud.com/v1
    kind: ImageCache
    metadata:
      name: imagecache-sample
      annotations:
        k8s.aliyun.com/auto-create-eip: "true"                                       # Automatically creates an EIP and associates it with the temporary elastic container instance.
        k8s.aliyun.com/eip-bandwidth: "10"                                           # Specifies the bandwidth limit of the EIP. Unit: Mbit/s.
        k8s.aliyun.com/eip-internet-charge-type: PayByBandwidth                      # Specifies the metering method of the EIP.
        k8s.aliyun.com/eip-common-bandwidth-package-id: "cbwp-2zeukbj916scmj51m****" # Specifies the ID of the EIP bandwidth plan.
    spec:
      images:
      - centos:latest
      - busybox:latest
      imageCacheSize:
       25
      retentionDays:
       7