Integration with Container Registry
To integrate Kubernetes with Container Registry, create the following resources: service accounts for managing resources and the respective access permissions, a Kubernetes cluster, a node group, and a Docker registry and image. To simplify authentication, configure the Docker credential helper, then verify that a pod running an app from Container Registry starts using the node service account, with no additional authentication.
- Create service accounts
- Prepare the necessary Kubernetes resources
- Prepare the necessary Container Registry resources
- Connect to the Kubernetes cluster
- Run the test app
- Delete the created resources
Before you start
Go to the Yandex.Cloud management console and select the folder where you want to perform the operations. If there is no such folder, create one:
Management console
- Click Create folder on the Home page of the management console.
- Enter the folder name.
  - The name must be unique within the cloud.
  - The name may contain lowercase Latin letters, numbers, and hyphens.
  - The first character must be a letter. The last character can't be a hyphen.
  - The maximum length of the name is 63 characters.
- Select Create a default network. A network is created with subnets in each availability zone.
- Click Create.
CLI
If you don't have the Yandex.Cloud command line interface yet, install and initialize it.
- See a description of the create folder command:
  $ yc resource-manager folder create --help
- Create a new folder:
  - with a name and without a description:
    $ yc resource-manager folder create \
      --name new-folder
    - The name must be unique within the cloud.
    - The name may contain lowercase Latin letters, numbers, and hyphens.
    - The first character must be a letter. The last character can't be a hyphen.
    - The maximum length of the name is 63 characters.
  - with a name and description:
    $ yc resource-manager folder create \
      --name new-folder \
      --description "my first folder with description"
Create service accounts
Create service accounts:
- A service account for resources with the editor role for the folder where the Kubernetes cluster will be created. The resources that the Kubernetes cluster needs will be created on behalf of this account.
- A service account for nodes with the container-registry.images.puller role for the folder containing the Docker image registry. Nodes will download the Docker images they require from the registry on behalf of this account.
Keep the two accounts separate: the resource account holds the broad editor role, while the node account, whose identity every node uses, only needs to pull images.
Create a service account for resources
To create a service account for making the resources required by the Kubernetes cluster:
- Write the folder ID from your CLI profile configuration to the variable:
  Bash:
  $ FOLDER_ID=$(yc config get folder-id)
  PowerShell:
  > $FOLDER_ID = yc config get folder-id
- Create a service account:
  Bash:
  $ yc iam service-account create --name k8s-res-sa-$FOLDER_ID
  PowerShell:
  > yc iam service-account create --name k8s-res-sa-$FOLDER_ID
- Write the service account ID to the variable:
  Bash:
  $ RES_SA_ID=$(yc iam service-account get --name k8s-res-sa-${FOLDER_ID} --format json | jq .id -r)
  PowerShell:
  > $RES_SA_ID = (yc iam service-account get --name k8s-res-sa-$FOLDER_ID --format json | ConvertFrom-Json).id
- Assign the editor role for the folder to the service account:
  yc resource-manager folder add-access-binding --id $FOLDER_ID --role editor --subject serviceAccount:$RES_SA_ID
Create a service account for nodes
To create a service account that lets nodes download the necessary Docker images from the registry:
- Write the folder ID from your CLI profile configuration to the variable:
  Bash:
  $ FOLDER_ID=$(yc config get folder-id)
  PowerShell:
  > $FOLDER_ID = yc config get folder-id
- Create a service account:
  Bash:
  $ yc iam service-account create --name k8s-node-sa-$FOLDER_ID
  PowerShell:
  > yc iam service-account create --name k8s-node-sa-$FOLDER_ID
- Write the service account ID to the variable:
  Bash:
  $ NODE_SA_ID=$(yc iam service-account get --name k8s-node-sa-${FOLDER_ID} --format json | jq .id -r)
  PowerShell:
  > $NODE_SA_ID = (yc iam service-account get --name k8s-node-sa-$FOLDER_ID --format json | ConvertFrom-Json).id
- Assign the container-registry.images.puller role for the folder to the service account:
  yc resource-manager folder add-access-binding --id $FOLDER_ID --role container-registry.images.puller --subject serviceAccount:$NODE_SA_ID
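Once both role bindings exist, it is worth checking that the folder really grants the two accounts exactly what the steps above intend and nothing more. The script below is an added example, not part of the Yandex.Cloud documentation: it audits the JSON printed by `yc resource-manager folder list-access-bindings --id $FOLDER_ID --format json` against an allow-list of service account IDs and their expected roles. The per-binding shape it assumes (`role_id` plus a `subject` with `id` and `type`) and the sample bindings, with fictitious IDs, are constructed for the example; the node account in the sample has been given the pusher role as well, which is the kind of drift the check is meant to catch.

```python
"""Least-privilege check for the two tutorial service accounts.

Added example, not part of the Yandex.Cloud documentation.  It consumes the
JSON that `yc resource-manager folder list-access-bindings --id $FOLDER_ID
--format json` prints; the per-binding shape assumed here is
{"role_id": "...", "subject": {"id": "...", "type": "serviceAccount"}}.
The bindings below are constructed for the example; the IDs are fictitious.
"""
import json
import sys

# Constructed sample: resource SA correct, node SA over-privileged (it can
# also push), plus a stray service account holding admin on the folder.
SAMPLE_BINDINGS = json.loads("""
[
  {"role_id": "editor",
   "subject": {"id": "ajeres0000000000sa01", "type": "serviceAccount"}},
  {"role_id": "container-registry.images.puller",
   "subject": {"id": "ajenode000000000sa02", "type": "serviceAccount"}},
  {"role_id": "container-registry.images.pusher",
   "subject": {"id": "ajenode000000000sa02", "type": "serviceAccount"}},
  {"role_id": "admin",
   "subject": {"id": "ajestray00000000sa03", "type": "serviceAccount"}},
  {"role_id": "viewer",
   "subject": {"id": "ajeuser0000000000004", "type": "userAccount"}}
]
""")

# The exact role set each tutorial account should hold.  In real use fill
# this from $RES_SA_ID and $NODE_SA_ID; these IDs are placeholders.
EXPECTED_ROLES = {
    "ajeres0000000000sa01": {"editor"},
    "ajenode000000000sa02": {"container-registry.images.puller"},
}


def roles_by_subject(bindings):
    """Group role_ids by (subject type, subject id)."""
    held = {}
    for binding in bindings:
        subject = binding["subject"]
        key = (subject["type"], subject["id"])
        held.setdefault(key, set()).add(binding["role_id"])
    return held


def audit(bindings, expected):
    """Return a list of findings; an empty list means the folder matches.

    A finding is raised when an expected service account lacks a role,
    holds a role beyond its allow-list, or when a service account that is
    not in the allow-list holds any role on the folder at all.  User
    accounts are outside the scope of this check and are ignored.
    """
    findings = []
    held = roles_by_subject(bindings)
    for sa_id, want in expected.items():
        got = held.get(("serviceAccount", sa_id), set())
        if want - got:
            findings.append(f"{sa_id}: missing {sorted(want - got)}")
        if got - want:
            findings.append(f"{sa_id}: unexpected {sorted(got - want)}")
    for (stype, sid), roles in held.items():
        if stype == "serviceAccount" and sid not in expected:
            findings.append(f"{sid}: not in allow-list, holds {sorted(roles)}")
    return findings


if __name__ == "__main__":
    # Usage: yc resource-manager folder list-access-bindings --id $FOLDER_ID \
    #            --format json | python3 audit_bindings.py
    # Without piped input the constructed sample is audited instead.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_BINDINGS
    problems = audit(data, EXPECTED_ROLES)
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

Run against the sample it reports two findings (the node account's extra pusher role and the stray admin account) and exits non-zero; pipe the real `list-access-bindings` output in and replace the placeholder IDs with `$RES_SA_ID` and `$NODE_SA_ID` to check the folder you just configured.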
Prepare Kubernetes resources
Create a Kubernetes cluster
Create a Kubernetes cluster and specify the previously created service accounts in the --service-account-id and --node-service-account-id parameters. The --public-ip flag gives the master a public IP address; the get-credentials --external step below relies on it.
Bash:
$ yc managed-kubernetes cluster create \
  --name k8s-demo --network-name yc-auto-network \
  --zone ru-central1-a --subnet-name yc-auto-subnet-0 \
  --public-ip \
  --service-account-id $RES_SA_ID \
  --node-service-account-id $NODE_SA_ID
PowerShell:
> yc managed-kubernetes cluster create `
  --name k8s-demo --network-name yc-auto-network `
  --zone ru-central1-a --subnet-name yc-auto-subnet-0 `
  --public-ip `
  --service-account-id $RES_SA_ID `
  --node-service-account-id $NODE_SA_ID
Create a node group
- Make sure the Kubernetes cluster was created:
  - In the management console, select the folder where you created the Kubernetes cluster.
  - In the list of services, select Managed Service for Kubernetes.
  - Check the cluster's row: the Status column value must be Running and the Health column value must be Healthy.
- Create a node group:
  Bash:
  $ yc managed-kubernetes node-group create \
    --name k8s-demo-ng \
    --cluster-name k8s-demo \
    --platform-id standard-v2 \
    --public-ip \
    --cores 2 \
    --memory 4 \
    --core-fraction 50 \
    --disk-type network-ssd \
    --fixed-size 2 \
    --location subnet-name=yc-auto-subnet-0,zone=ru-central1-a \
    --async
  PowerShell:
  > yc managed-kubernetes node-group create `
    --name k8s-demo-ng `
    --cluster-name k8s-demo `
    --platform-id standard-v2 `
    --public-ip `
    --cores 2 `
    --memory 4 `
    --core-fraction 50 `
    --disk-type network-ssd `
    --fixed-size 2 `
    --location subnet-name=yc-auto-subnet-0,zone=ru-central1-a `
    --async
  Because of the --async flag the command returns before the node group is ready; wait until its nodes have joined the cluster before running the test app.
Prepare Container Registry resources
Create a registry
Create a container registry:
yc container registry create --name yc-auto-cr
Configure the Docker Credential helper
To facilitate authentication in Container Registry, configure the Docker credential helper. It lets you use private Yandex.Cloud registries without running the docker login command.
To configure the credential helper, run the following command:
yc container registry configure-docker
The helper authenticates docker to cr.yandex with the credentials of your current yc CLI profile, so the docker push below runs as you, not as either service account. The cluster nodes do not use it: they pull with the node service account created above.
Prepare a Docker image
Build a Docker image and push it to the registry:
- Create a Dockerfile named hello.dockerfile and add the following lines to it:
  FROM ubuntu:latest
  CMD echo "Hi, I'm inside"
  The latest tag is fine for this test; for anything you intend to keep, pin the base image to a specific tag or digest so rebuilds are reproducible.
- Build the Docker image and push it to the registry:
  - Get the ID of the previously created registry and write it to the variable:
    Bash:
    $ REGISTRY_ID=$(yc container registry get --name yc-auto-cr --format json | jq .id -r)
    PowerShell:
    > $REGISTRY_ID = (yc container registry get --name yc-auto-cr --format json | ConvertFrom-Json).id
  - Build the Docker image:
    docker build . -f hello.dockerfile -t cr.yandex/$REGISTRY_ID/ubuntu:hello
  - Push the Docker image to the registry:
    docker push cr.yandex/${REGISTRY_ID}/ubuntu:hello
- Make sure the Docker image was pushed to the registry:
  yc container image list
  +----------------------+---------------------+-----------------------------+-------+-----------------+
  |          ID          |       CREATED       |            NAME             | TAGS  | COMPRESSED SIZE |
  +----------------------+---------------------+-----------------------------+-------+-----------------+
  | crpa2mf008mpjig73rp6 | 2019-11-20 11:52:17 | crp71hkgiolp6677hg9i/ubuntu | hello | 27.5 MB         |
  +----------------------+---------------------+-----------------------------+-------+-----------------+
Connect to the Kubernetes cluster
To work with your Kubernetes cluster using kubectl, add the Kubernetes cluster credentials to the kubectl configuration file.
- Run the command:
  yc managed-kubernetes cluster get-credentials --external --name k8s-demo
- Check the kubectl configuration:
  kubectl config view
  apiVersion: v1
  clusters:
  - cluster:
      certificate-authority-data: DATA+OMITTED
  ...
- By default, credentials are added to the $HOME/.kube/config file. If you need to change the configuration location, use the --kubeconfig <file path> flag.
Run the test app
Start the pod with the app from the Docker image and make sure that no additional authentication in Container Registry was required to pull the Docker image.
- Run the pod with the app from the Docker image:
  kubectl run --attach hello-ubuntu --image cr.yandex/${REGISTRY_ID}/ubuntu:hello
- Find the running pod to see its full name:
  kubectl get po
  NAME                            READY   STATUS      RESTARTS   AGE
  hello-ubuntu-5847fb96b4-54g48   0/1     Completed   3          61s
  This output comes from a kubectl version where kubectl run creates a deployment, hence the generated pod name; current kubectl creates a single pod named hello-ubuntu. The RESTARTS count grows because the container exits as soon as it has echoed its message and the default restart policy starts it again; add --restart=Never if you want a one-shot pod.
- Check the logs of the container running on this pod:
  kubectl logs hello-ubuntu-5847fb96b4-54g48
  Hi, I'm inside
The pod pulled the Docker image with no additional authentication on the Container Registry side: the node fetched it on behalf of the node service account, and no imagePullSecrets had to be configured.
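If the node service account is missing the puller role, the pod never reaches this point: kubelet records ErrImagePull or ImagePullBackOff in the container status instead. The script below is an added example, not part of the Yandex.Cloud documentation. It reads the JSON that `kubectl get pod <name> -o json` prints and tells a successful, completed run apart from a registry pull failure, so the check above can be scripted rather than eyeballed. The two pod objects are constructed for the example and trimmed to the fields the function inspects; the registry ID and the back-off message are placeholders.

```python
"""Tell an image-pull (authentication) failure apart from a pod that ran.

Added example, not part of the Yandex.Cloud documentation.  It reads the
JSON printed by `kubectl get pod <name> -o json` and inspects
status.containerStatuses[].state, which is where kubelet records
ErrImagePull / ImagePullBackOff when the node cannot pull from cr.yandex.
The two pod objects below are constructed and trimmed to the fields used;
the registry ID and messages are placeholders.
"""
import json
import sys

# Reasons kubelet uses when the image could not be fetched from the registry.
PULL_FAILURE_REASONS = {"ErrImagePull", "ImagePullBackOff"}

# Constructed: the tutorial's pod after the echo ran and the container exited 0.
POD_OK = json.loads("""
{"metadata": {"name": "hello-ubuntu"},
 "status": {"phase": "Succeeded",
   "containerStatuses": [{"name": "hello-ubuntu",
     "image": "cr.yandex/crp00000000000000000/ubuntu:hello",
     "state": {"terminated": {"exitCode": 0, "reason": "Completed"}}}]}}
""")

# Constructed: the same pod when the node service account lacks
# container-registry.images.puller on the registry's folder.
POD_PULL_DENIED = json.loads("""
{"metadata": {"name": "hello-ubuntu"},
 "status": {"phase": "Pending",
   "containerStatuses": [{"name": "hello-ubuntu",
     "image": "cr.yandex/crp00000000000000000/ubuntu:hello",
     "state": {"waiting": {"reason": "ImagePullBackOff",
       "message": "Back-off pulling image cr.yandex/crp00000000000000000/ubuntu:hello"}}}]}}
""")


def classify(pod):
    """Return (verdict, detail) for one pod object.

    verdict is "pull-failed", "waiting", "completed" or "failed" when a
    container status is present, otherwise the lower-cased status.phase.
    """
    status = pod.get("status", {})
    for cs in status.get("containerStatuses", []):
        state = cs.get("state", {})
        if "waiting" in state:
            waiting = state["waiting"]
            reason = waiting.get("reason", "")
            if reason in PULL_FAILURE_REASONS:
                # Registry refused or could not serve the image: check the
                # node service account's role before anything else.
                return ("pull-failed",
                        f"{cs.get('image')}: {waiting.get('message', reason)}")
            return ("waiting", reason)
        if "terminated" in state:
            term = state["terminated"]
            if term.get("exitCode") == 0:
                return ("completed", term.get("reason", "Completed"))
            return ("failed", f"exit code {term.get('exitCode')}")
    return (status.get("phase", "Unknown").lower(), "no container status yet")


def pulled_without_login(pod):
    """True when the image was fetched and the container ran to completion,
    i.e. the node service account's puller role was sufficient."""
    return classify(pod)[0] == "completed"


if __name__ == "__main__":
    # Usage: kubectl get pod hello-ubuntu -o json | python3 check_pull.py
    # Without piped input the constructed denied-pull sample is classified.
    pod = json.load(sys.stdin) if not sys.stdin.isatty() else POD_PULL_DENIED
    verdict, detail = classify(pod)
    print(f"{pod['metadata']['name']}: {verdict} ({detail})")
    sys.exit(0 if verdict == "completed" else 1)
```

A "pull-failed" verdict for an image under cr.yandex is the signature of the role being missing or bound to the wrong folder; a "failed" verdict with a non-zero exit code means the image was pulled fine and the problem is inside the container.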
Delete the created resources
- Delete the Kubernetes cluster:
  yc managed-kubernetes cluster delete --name k8s-demo
- Delete the service accounts:
  Warning
  Make sure you don't delete any service accounts before deleting the Kubernetes cluster.
  - Delete the service account created for resources:
    yc iam service-account delete --id $RES_SA_ID
  - Delete the service account created for nodes:
    yc iam service-account delete --id $NODE_SA_ID
- Delete the Container Registry resources:
  - Find the ID of the Docker image pushed to the registry. This takes the first image in the list; if the registry holds more than one image, select the right one explicitly:
    Bash:
    $ IMAGE_ID=$(yc container image list --format json | jq -r '.[0].id')
    PowerShell:
    > $IMAGE_ID = (yc container image list --format json | ConvertFrom-Json)[0].id
  - Delete the Docker image:
    yc container image delete --id $IMAGE_ID
  - Delete the registry:
    yc container registry delete --name yc-auto-cr