
          Practice of Using Private Images in CCE Cluster

          A private image is a Docker image stored in a private repository; it can be pulled only after the user logs in (docker login) with the repository user name and password. In a CCE (Cloud Container Engine) cluster, a Pod must be configured with imagePullSecrets before its containers can be started from private images.

          1. Create a Secret for Private Image Pulling

          To create the secret with the kubectl command line, you need to provide:

          • Image repository login user name
          • Image repository login password
          • Email address
          • Image repository address (optional)

            kubectl create secret docker-registry <secret name> --docker-username=<user name> --docker-password=<password> --docker-email=<email address> --docker-server=<image repository address (optional)>

          For a private image stored in the Baidu AI Cloud image repository (image address is hub.baidubce.com/<namespace>/<image>:<tag>), the image repository address parameter must be set to --docker-server='https://hub.baidubce.com'.

          Note:

          • The secret must be in the same K8S namespace as the Pod that references it.

          After creation, you can see a secret of type kubernetes.io/dockerconfigjson through kubectl get secret.

          $ kubectl get secret 	 
          NAME                  TYPE                                  DATA      AGE 	 
          default-token-bx894   kubernetes.io/service-account-token   3         4d 	 
          private-repo-auth     kubernetes.io/dockerconfigjson        1         2m 	 

          2. Specify the Image Pull Secret in the Pod Spec

          Specify the name of the secret in pod.spec.imagePullSecrets, and then use the corresponding private image in the Pod.

          Take creating a Deployment as an example. Suppose a secret named private-repo-auth has been created in the default namespace in the above way; the corresponding Deployment yaml file is as follows:

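          # apps/v1 replaces extensions/v1beta1, which Kubernetes 1.16 and later no longer serve for Deployments
          apiVersion: apps/v1
          kind: Deployment
          metadata:
            name: my-nginx
          spec:
            replicas: 1
            selector:
              matchLabels:
                app: my-nginx
            template:
              metadata:
                name: my-nginx
                labels:
                  app: my-nginx
              spec:
                # name of the kubernetes.io/dockerconfigjson secret; it must be in the same namespace as this Deployment
                imagePullSecrets:
                - name: private-repo-auth
                containers:
                - name: my-nginx
                  # replace with the private image, for example hub.baidubce.com/<namespace>/<image>:<tag>
                  image: nginx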

          Note:

          • You can specify multiple image pull secrets in the same Pod to pull private images from different private repositories.
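
The two notes above (same namespace, one secret per repository) are the usual reasons a pull still fails after the secret exists. The following check is an added example, not part of the original page or of CCE: it takes a workload and the cluster's secrets as dictionaries (the shape of kubectl get ... -o json) and reports image pull secrets that are missing from the workload's namespace or do not cover an image's registry. The helper names, the sample image path and the dummy credentials are assumptions made for illustration.

```python
import base64
import json

def registry_host(image):
    """Registry host of an image reference; None for Docker Hub short names like 'nginx'."""
    first = image.split("/", 1)[0]
    return first if "/" in image and ("." in first or ":" in first) else None

def secret_hosts(secret):
    """Registry hosts (taken from the "auths" keys) that a dockerconfigjson Secret covers."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return set()
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    return {k.split("://", 1)[-1].split("/", 1)[0] for k in cfg.get("auths", {})}

def check_pull_secrets(workload, secrets):
    """Return the problems that would keep the workload from pulling its private images."""
    ns = workload["metadata"].get("namespace", "default")
    pod = workload["spec"]["template"]["spec"]
    known = {(s["metadata"].get("namespace", "default"), s["metadata"]["name"]): s for s in secrets}
    problems, covered = [], set()
    for ref in pod.get("imagePullSecrets", []):
        secret = known.get((ns, ref["name"]))  # a Secret in another namespace is invisible
        if secret is None:
            problems.append(f"secret {ref['name']} not found in namespace {ns}")
        else:
            covered |= secret_hosts(secret)
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        host = registry_host(c["image"])
        if host and host not in covered:  # simplification: match on host only
            problems.append(f"no credentials for {host} (image {c['image']})")
    return problems

def make_secret(name, ns, server):
    """Constructed sample Secret with dummy credentials (not real data)."""
    cfg = {"auths": {server: {"username": "user", "password": "dummy"}}}
    data = base64.b64encode(json.dumps(cfg).encode()).decode()
    return {"type": "kubernetes.io/dockerconfigjson",
            "metadata": {"name": name, "namespace": ns}, "data": {".dockerconfigjson": data}}

# Constructed Deployment: the page's my-nginx, pointed at a hypothetical private image.
DEPLOYMENT = {"metadata": {"name": "my-nginx", "namespace": "default"}, "spec": {"template": {"spec": {
    "imagePullSecrets": [{"name": "private-repo-auth"}],
    "containers": [{"name": "my-nginx", "image": "hub.baidubce.com/demo/nginx:1.0"}]}}}}

if __name__ == "__main__":
    for ns in ("default", "kube-system"):
        s = make_secret("private-repo-auth", ns, "https://hub.baidubce.com")
        print(ns, check_pull_secrets(DEPLOYMENT, [s]))
```

An empty list means every private image in the Pod template has a matching secret in its own namespace.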