
          Pull Container Image Without Password

          This document describes how to install and configure cce-image-plugin to pull images from a private CCR image repository, which saves the repetitive work of explicitly configuring ImagePullSecret in each cluster resource YAML. For the working mechanism, see
          Configure Pod imagePullSecrets through serviceAccount.

          Preparation

          1. Create a special sub-user

          To use cce-image-plugin, you need to configure a user's ak (access key) and sk (secret key). Baidu AI Cloud recommends that you create a dedicated sub-user and use its ak and sk, which helps limit the privilege scope.

          2. Add privileges to the sub-user

          The sub-user needs access privileges for the CCR service at a policy level of at least CCROperatePolicy.

          For details, see: [How to Add Privileges Policy to Sub-users](https://cloud.baidu.com/doc/CCR/s/nkkdpohsj#How to Add Privileges Policy to Sub-users).

          3. Enable the CCR service. Create a CCR account.

          Go to the CCR page on the console and follow the prompts to create a CCR account. For details, see Enable CCR Service.

          4. Add image repository privileges

          Grant the sub-user the namespace privileges. For details, see: Add Image Privileges.

          5. Create ak and sk

          To create the sub-user's ak and sk, see the figure below for the operation path.

          image2021-4-15_19-59-42.png

          Activation Steps

          Deploy Plugin

          • Select Cloud Container Engine CCE -> Helm Template -> Baidu AI Cloud Template in sequence.
          • Search for the template by its name, cce-image-plugin.
          • Click Install and enter the corresponding parameters:
              * Instance name: the plug-in instance name, e.g., imagepull;
              * Deploy cluster: the cluster in which to deploy the image plug-in;
              * accessKey: the sub-user's ak;
              * secretKey: the sub-user's sk;
              * serviceAccount: the serviceAccount used by the plug-in;
              * namespace: the cluster namespace used by the plug-in.
          
          When a pod is created in the specified namespace with the specified serviceAccount, the spec.imagePullSecrets field is set automatically.
          If the resource already specifies imagePullSecrets, the secret generated by the plug-in is not injected into it. That is, the resource cannot use the password-free pull feature.
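
An added example (not part of the Baidu documentation or the plug-in's code): a Python check that applies the two rules above to Deployment pod templates, shaped like the output of `kubectl get deployments -A -o json`, and lists the workloads that will not receive the plug-in secret. The namespace `demo`, the serviceAccount `default`, and every workload, secret and image name are constructed sample values.

```python
def _deployment(name, namespace, pod_spec):
    # Minimal Deployment shape: only the fields the check reads.
    return {"metadata": {"name": name, "namespace": namespace},
            "spec": {"template": {"spec": pod_spec}}}

# Constructed sample, shaped like `kubectl get deployments -A -o json`.
# Every name here (namespaces, serviceAccounts, secrets, image) is made up.
_C = [{"name": "app", "image": "registry.example/team/app:1"}]
SAMPLE = {"items": [
    _deployment("web", "demo", {"containers": _C}),
    _deployment("api", "demo", {"containers": _C, "serviceAccountName": "builder"}),
    _deployment("batch", "demo", {"containers": _C,
                                  "imagePullSecrets": [{"name": "manual-secret"}]}),
    _deployment("report", "staging", {"containers": _C}),
]}

def audit(workloads, namespace, service_account):
    """Map each workload that will NOT get the plug-in secret to the reason."""
    skipped = {}
    for item in workloads.get("items", []):
        meta = item["metadata"]
        pod_spec = item["spec"]["template"]["spec"]
        # Kubernetes uses the "default" serviceAccount when none is named.
        sa = pod_spec.get("serviceAccountName") or "default"
        explicit = [s["name"] for s in pod_spec.get("imagePullSecrets") or []]
        if meta.get("namespace", "default") != namespace:
            skipped[meta["name"]] = "namespace not configured in the plug-in"
        elif sa != service_account:
            skipped[meta["name"]] = f"serviceAccount {sa!r} not configured in the plug-in"
        elif explicit:
            # The page's rule: an existing imagePullSecrets blocks injection.
            skipped[meta["name"]] = f"explicit imagePullSecrets {explicit}"
    return skipped

if __name__ == "__main__":
    for name, reason in audit(SAMPLE, "demo", "default").items():
        print(f"{name}: {reason}")
```

The check reads the pod template rather than running pods, because a running pod's imagePullSecrets field no longer shows whether the value was written by hand or injected.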