[DOCKER] Try creating a Kubernetes pod from a GitLab Container Registry image

I will summarize the procedure when I tried to create a Kubernetes pod from the image of the container registry of GitLab for skill acquisition. * The red part in the figure below. The image to be pulled for trial includes nginx. k8s.png

Prerequisites

・ Kubernetes cluster has been built ・ GitLab has been built ・ The version of the environment I tried is as follows  CentOS:7.3  Kubernetes:1.18.2  Calico:3.13.3  Docker:1.13.1-109  GitLab:11.6.8

Reference material

https://docs.docker.com/registry/insecure/ https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

1. Pre-configuration for Docker and K8s

As a preparation, place the certificate and set the access information to the container registry.

Placement of certificate in Docker

Place the certificate to access the container registry from Docker.

Implemented on each K8s node


# sudo mkdir -p /etc/docker/certs.d/registry.test01.com
# sudo cp cert.crt /etc/docker/certs.d/registry.test01.com/ca.crt

cert.crt ・ ・ ・ Certificate used to access GitLab Container Registry

Docker non-secure registry settings

If the certificate you placed was a self-signed certificate, you had to configure Docker to allow it.

/etc/docker/daemon.json


{
  "insecure-registries": ["registry.test01.com"]
}

Restart Docker for it to take effect.

systemctl restart docker

Registering container registry access information in K8s

Register the information for accessing the container registry in K8s. First, log in to the container registry from Docker.

k8s master node


#docker login registry.test01.com
Username: <Username when accessing the container registry>
Password: <Password corresponding to the above user name>
Login Succeeded

Check the config.json file generated by the above login.

python


# cat ~/.docker/config.json
{
	"auths": {
		"registry.test01.com": {
			"auth": "***************************="
		}
	}

Create a Secret for the cluster connection that contains the authentication token.

# kubectl create secret docker-registry regcred --docker-server=registry.test01.com --docker-username=<Container registry username> --docker-password=<Container registry usernameに対応するパスワード>
secret/regcred created

2. Creating a pod that uses the image of the container registry

Set the service settings for accessing the container via the network and the pod settings that use the container image.

Service (nodePort) settings for access from outside the cluster

Create access information to the pod as follows. Associate the external 30080 port with the nginx port 80 on the container side.

testapp01-svc.yaml


apiVersion: v1
kind: Service
metadata:
  name: testapp01-np
spec:
  selector:
   app:testapp01 ← Match this with the definition of pod
  ports:
  - targetPort:80 ← Container receiving port(nginx)
    port: 8080
    nodePort:30080 ← Port used when accessing from the outside. "Node IP" when accessing from the outside:Specify the port number specified here.
    protocol: "TCP"
  type: NodePort

Apply the above file.

python


# kubectl apply -f testapp01-svc.yaml

Check the application result.

# kubectl get services testapp01-np
NAME           TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
testapp01-np   NodePort   xx.xx.xx.xx      <none>        8080:30080/TCP   4d2h

Creating a pod using an image of a container registry

Create an Ipod manifest file as shown below.

testapp01.yaml



apiVersion: v1
kind: Pod
metadata:
  name: testapp01
  labels:
    app:testapp01 ← Label for linking with services
spec:
  containers:
  - name: testapp01-container
    image: registry.test01.com/test/testapp01:latest ← Image to apply
    ports:
    - containerPort:80 ← App port used in the container
  imagePullSecrets:
  - name:regcred ← Secret created in preparation for deployment

Apply the above file.

# kubectl create -f testapp01.yaml
pod/testapp01 created

Make sure the pod is "Running".

# kubectl get pod testapp01
NAME        READY   STATUS    RESTARTS   AGE
testapp01   1/1     Running   0          4s

Finally, try accessing the app and check the operation. This time, I accessed the following URL from an external browser and confirmed it.

http://[podが起動しているノードのIP]:30080

Summary

It took a long time to investigate because I had to deal with it because I used a self-signed certificate, but I was able to link GitLab, the container registry, and K8s relatively easily.

Recommended Posts

Try creating a Kubernetes pod from a GitLab Container Registry image
How to create a kubernetes pod from python code
Try creating a CRUD function
Try to extract a character string from an image with Python3
Make a Santa classifier from a Santa image
Video acquisition / image shooting from a webcam
Try to beautify with Talking Head Anime from a Single Image [python preparation]