Integration with Container Registry
Yandex Container Registry is a service for storing and distributing Docker images. Integration with it allows Managed Service for Kubernetes to run pods with applications from Docker images stored in the Container Registry registry. To interact with Container Registry, set up Docker credential helper. It allows you to access private registries via a service account.
To integrate Managed Service for Kubernetes with Container Registry:
- Create service accounts.
- Create security groups.
- Prepare the required Kubernetes resources.
- Prepare the required Container Registry resources.
- Connect to the Managed Service for Kubernetes cluster.
- Run the test app.
- Delete the resources you created.
Getting started
Go to the Yandex Cloud management console
-
In the management console
, select the appropriate cloud in the list on the left. -
At the top right, click
Create folder. -
Enter the folder name. The naming requirements are as follows:
- The name must be from 3 to 63 characters long.
- It may contain lowercase Latin letters, numbers, and hyphens.
- The first character must be a letter and the last character cannot be a hyphen.
-
(Optional) Enter a description of the folder.
-
Select Create a default network. This will create a network with subnets in each availability zone. Within this network, a default security group will be created, inside which all network traffic is allowed.
-
Click Create.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
-
View the description of the create folder command:
yc resource-manager folder create --help
-
Create a new folder:
-
with a name and without a description:
yc resource-manager folder create \ --name new-folder
- The name must be from 3 to 63 characters long.
- It may contain lowercase Latin letters, numbers, and hyphens.
- The first character must be a letter and the last character cannot be a hyphen.
-
with a name and description:
yc resource-manager folder create \ --name new-folder \ --description "my first folder with description"
-
Create service accounts
Create service accounts:
- Service account for the resources with the
k8s.clusters.agent
andvpc.publicAdmin
roles for the folder where the Managed Service for Kubernetes cluster is created. This service account will be used to create the resources required for the Managed Service for Kubernetes cluster. - Service account for Managed Service for Kubernetes nodes with the container-registry.images.puller role for the folder with the Docker image registry. Managed Service for Kubernetes nodes will pull the required Docker images from the registry on behalf of this account.
Create a service account for resources
To create a service account for creating the resources required by the Managed Service for Kubernetes cluster.
-
Write the folder ID from your CLI profile configuration to the variable:
BashPowerShellFOLDER_ID=$(yc config get folder-id)
$FOLDER_ID = yc config get folder-id
-
Create a service account:
BashPowerShellyc iam service-account create --name k8s-res-sa-$FOLDER_ID
yc iam service-account create --name k8s-res-sa-$FOLDER_ID
-
Write the service account ID to the variable:
BashPowerShellRES_SA_ID=$(yc iam service-account get --name k8s-res-sa-${FOLDER_ID} --format json | jq .id -r)
$RES_SA_ID = (yc iam service-account get --name k8s-res-sa-$FOLDER_ID --format json | ConvertFrom-Json).id
-
Assign the service account the k8s.clusters.agent role for the folder:
yc resource-manager folder add-access-binding \ --id $FOLDER_ID \ --role k8s.clusters.agent \ --subject serviceAccount:$RES_SA_ID
-
Assign the service account the vpc.publicAdmin role for the folder:
yc resource-manager folder add-access-binding \ --id $FOLDER_ID \ --role vpc.publicAdmin \ --subject serviceAccount:$RES_SA_ID
Create a service account for cluster nodes
To create a service account to be used by Managed Service for Kubernetes nodes to download Docker images from the registry:
-
Write the folder ID from your CLI profile configuration to the variable:
BashPowerShellFOLDER_ID=$(yc config get folder-id)
$FOLDER_ID = yc config get folder-id
-
Create a service account:
BashPowerShellyc iam service-account create --name k8s-node-sa-$FOLDER_ID
yc iam service-account create --name k8s-node-sa-$FOLDER_ID
-
Write the service account ID to the variable:
BashPowerShellNODE_SA_ID=$(yc iam service-account get --name k8s-node-sa-${FOLDER_ID} --format json | jq .id -r)
$NODE_SA_ID = (yc iam service-account get --name k8s-node-sa-$FOLDER_ID --format json | ConvertFrom-Json).id
-
Assign the service account the container-registry.images.puller role for the folder:
yc resource-manager folder add-access-binding \ --id $FOLDER_ID \ --role container-registry.images.puller \ --subject serviceAccount:$NODE_SA_ID
Create security groups
Create security groups for the Managed Service for Kubernetes cluster and its node groups.
Warning
The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.
Create Kubernetes resources
Create a Managed Service for Kubernetes cluster
Create a Managed Service for Kubernetes cluster and specify the previously created service accounts in the --service-account-id
and --node-service-account-id
flags and security groups in the --security-group-ids
flag.
Run this command:
yc managed-kubernetes cluster create \
--name k8s-demo \
--network-name yc-auto-network \
--zone ru-central1-a \
--subnet-name yc-auto-subnet-0 \
--public-ip \
--service-account-id $RES_SA_ID \
--node-service-account-id $NODE_SA_ID \
--security-group-ids <security_group_IDs>
Run this command:
yc managed-kubernetes cluster create `
--name k8s-demo `
--network-name yc-auto-network `
--zone ru-central1-a `
--subnet-name yc-auto-subnet-0 `
--public-ip `
--service-account-id $RES_SA_ID `
--node-service-account-id $NODE_SA_ID `
--security-group-ids <security_group_IDs>
Create a Managed Service for Kubernetes node group
-
Make sure the Managed Service for Kubernetes cluster was created.
- In the management console
, select the folder where the Managed Service for Kubernetes cluster was created. - In the list of services, select Managed Service for Kubernetes.
- Check that your Managed Service for Kubernetes cluster was created successfully:
- Look for
Running
in the Status column. - Look for
Healthy
in the State column.
- Look for
- In the management console
-
Create a Managed Service for Kubernetes node group and specify the previously created security groups in the
--network-interface security-group-groups-ids
flag:BashPowerShellyc managed-kubernetes node-group create \ --name k8s-demo-ng \ --cluster-name k8s-demo \ --platform standard-v3 \ --cores 2 \ --memory 4 \ --core-fraction 50 \ --disk-type network-ssd \ --fixed-size 2 \ --network-interface subnets=yc-auto-subnet-0,ipv4-address=nat,security-group-ids=[<security_group_IDs>] \ --async
yc managed-kubernetes node-group create ` --name k8s-demo-ng ` --cluster-name k8s-demo ` --platform standard-v3 ` --cores 2 ` --memory 4 ` --core-fraction 50 ` --disk-type network-ssd ` --fixed-size 2 ` --network-interface subnets=yc-auto-subnet-0,ipv4-address=nat,security-group-ids=[<security_group_IDs>] ` --async
Create Container Registry resources
Create a registry
Create a container registry:
yc container registry create --name yc-auto-cr
Configure Docker credential helper
To facilitate authentication in Container Registry, configure a Docker credential helper. It enables you to use private Yandex Cloud registries without running the docker login
command.
To configure a credential helper, run the following command:
yc container registry configure-docker
Prepare a Docker image
Build a Docker image and push it to the registry.
-
Create a Dockerfile named
hello.dockerfile
and add the following lines to it:FROM ubuntu:latest CMD echo "Hi, I'm inside"
-
Assemble the Docker image.
-
Get the ID of the previously created registry and write it to the variable:
BashPowerShellREGISTRY_ID=$(yc container registry get --name yc-auto-cr --format json | jq .id -r)
$REGISTRY_ID = (yc container registry get --name yc-auto-cr --format json | ConvertFrom-Json).id
-
Build the Docker image:
docker build . -f hello.dockerfile -t cr.yandex/$REGISTRY_ID/ubuntu:hello
-
Push the Docker image to the registry:
docker push cr.yandex/${REGISTRY_ID}/ubuntu:hello
-
-
Make sure the Docker image was pushed to the registry:
yc container image list
Result:
+----------------------+---------------------+-----------------------------+-------+-----------------+ | ID | CREATED | NAME | TAGS | COMPRESSED SIZE | +----------------------+---------------------+-----------------------------+-------+-----------------+ | crpa2mf008mp******** | 2019-11-20 11:52:17 | crp71hkgiolp********/ubuntu | hello | 27.5 MB | +----------------------+---------------------+-----------------------------+-------+-----------------+
Connect to the Managed Service for Kubernetes cluster
Install kubectl
Run the test app
Start the pod with the app from the Docker image and make sure that no additional authentication in Container Registry was required to push the Docker image.
-
Run the pod with the app from the Docker image:
kubectl run --attach hello-ubuntu --image cr.yandex/${REGISTRY_ID}/ubuntu:hello
-
Find the running pod to see its full name:
kubectl get po
Result:
NAME READY STATUS RESTARTS AGE hello-ubuntu-5847fb9***-***** 0/1 Completed 3 61s
-
Check the logs of the container running on this pod:
kubectl logs hello-ubuntu-5847fb9***-*****
Result:
Hi, I'm inside
The pod pushed the Docker image with no additional authentication on the Container Registry side.
Delete the resources you created
Some resources are not free of charge. To avoid paying for them, delete the resources you no longer need:
-
Delete the Managed Service for Kubernetes cluster:
yc managed-kubernetes cluster delete --name k8s-demo
-
Delete the service accounts:
Warning
Make sure not to delete any service accounts before deleting the Managed Service for Kubernetes cluster.
-
Delete the service account created for resources:
yc iam service-account delete --id $RES_SA_ID
-
Delete the service account created for Managed Service for Kubernetes nodes:
yc iam service-account delete --id $NODE_SA_ID
-
-
Delete resources Container Registry.
-
Find the name of the Docker image pushed to the registry:
BashPowerShellIMAGE_ID=$(yc container image list --format json | jq .[0].id -r)
$IMAGE_ID = (yc container image list --format json | ConvertFrom-Json).id
-
Delete the Docker image:
yc container image delete --id $IMAGE_ID
-
Delete the registry:
yc container registry delete --name yc-auto-cr
-