| copyright | lastupdated | keywords | subcollection | ||
|---|---|---|---|---|---|
|
2021-10-21 |
kubernetes, iks, registry, pull secret, secrets |
containers |
{{site.data.keyword.attribute-definition-list}}
{: #images}
A Docker image is the basis for every container that you create with {{site.data.keyword.containerlong}}. {: shortdesc}
An image is created from a Dockerfile, which is a file that contains instructions to build the image. A Dockerfile might reference build artifacts in its instructions that are stored separately, such as an app, the app's configuration, and its dependencies.
Deploying containers from an {{site.data.keyword.registrylong_notm}} image to the default Kubernetes namespace
{: #namespace}
You can deploy containers to your cluster from an IBM-provided public image or a private image that is stored in your {{site.data.keyword.registrylong_notm}} namespace. For more information about how your cluster accesses registry images, see Understanding how your cluster is authorized to pull images from {{site.data.keyword.registrylong_notm}}. {: shortdesc}
Before you begin:
- Set up a namespace in {{site.data.keyword.registrylong_notm}} and push images to this namespace.
- Create a Kubernetes cluster.
- Log in to your account. If applicable, target the appropriate resource group. Set the context for your cluster.
To deploy a container into the default namespace of your cluster:
-
Create a deployment configuration file that is named
<deployment>.yaml. -
Define the deployment and the image to use from your namespace in {{site.data.keyword.registrylong_notm}}.
apiVersion: apps/v1 kind: Deployment metadata: name: <deployment> spec: replicas: <number_of_replicas> selector: matchLabels: app: <app_name> template: metadata: labels: app: <app_name> spec: containers: - name: <app_name> image: <region>.icr.io/<namespace>/<image>:<tag>
{: codeblock}
<deployment>: Give your deployment a name.<number_of_replicas>: Enter the number of replica pods that the deployment creates.app: <app_name>: Use the name of your app as a label for the container.name: <app_name>: Give your container a name, such as the name of yourapplabel.image: <region>.icr.io/namespace>/image>:tag>: Replace the image URL variables with the information for your image: :region>: The regional {{site.data.keyword.registrylong_notm}} API endpoint for the registry domain. To list the domain for the region that you are logged in to, runibmcloud cr api. :namespace>: The registry namespace. To get your namespace information, runibmcloud cr namespace-list. :image>:tag>: The image and tag that you want to use for your container. To list the images that are available in your registry namespace, runibmcloud cr images. -
Create the deployment in your cluster.
kubectl apply -f <deployment>.yaml
{: pre}
{: #pod_imagePullSecret}
If the cluster administrator did not store the image pull secret in the Kubernetes service account, all deployments that do not specify a service account cannot use the image pull secret to deploy containers. Instead, you can define an image pull secret in your pod deployment. When you refer to the image pull secret in a pod deployment, the image pull secret is valid for this pod only and cannot be shared across pods in the Kubernetes namespace. {: shortdesc}
Before you begin
- Create an image pull secret to access images in other registries or Kubernetes namespaces other than
default. - Log in to your account. If applicable, target the appropriate resource group. Set the context for your cluster.
To refer to the image pull secret in your pod deployment,
-
Create a pod configuration file that is named
mypod.yaml. -
Define the pod and the image pull secret to access images in {{site.data.keyword.registrylong_notm}}.
To access a private image,
apiVersion: v1 kind: Pod metadata: name: mypod spec: containers: - name: <container_name> image: <region>.icr.io/<namespace_name>/<image_name>:<tag> imagePullSecrets: - name: <secret_name>
{: codeblock}
To access an {{site.data.keyword.cloud_notm}} public image,
apiVersion: v1 kind: Pod metadata: name: mypod spec: containers: - name: <container_name> image: icr.io/<image_name>:<tag> imagePullSecrets: - name: <secret_name>
{: codeblock}
container_name>: The name of the container to deploy to your cluster.namespace_name>: The registry namespace where the image is stored. To list available namespaces, runibmcloud cr namespace-list.image_name>: The name of the image to use. To list available images in an {{site.data.keyword.cloud_notm}} account, runibmcloud cr image-list.tag>: The version of the image that you want to use. If no tag is specified, the image that is tagged latest is used by default.<secret_name>: The name of the image pull secret that you created earlier. -
Save your changes.
-
Create the deployment in your cluster.
kubectl apply -f mypod.yaml
{: pre}
{: #push-images}
After the cluster administrator sets up an image registry with {{site.data.keyword.registrylong_notm}}, you can securely store and share Docker images with other users by adding images to your namespace. {: shortdesc}
For example, you might pull an image from any private or public registry source, and then tag it for later use in {{site.data.keyword.registrylong_notm}}. Or, you might push a Docker image that you work with to your namespace so that other users can access the image. To get started, see Adding images to your namespace.
{: #va-images}
Vulnerability Advisor checks the security status of container images that are provided by IBM, third parties, or added to your organization's {{site.data.keyword.registrylong_notm}} namespace. {: shortdesc}
When you add an image to a namespace, the image is automatically scanned by Vulnerability Advisor to detect security issues and potential vulnerabilities. If security issues are found, instructions are provided to help fix the reported vulnerability. To get started, see Managing image security with Vulnerability Advisor.
{: #trusted_images}
You can build containers from trusted images that are signed and stored in {{site.data.keyword.registrylong_notm}}, and prevent deployments from unsigned or vulnerable images. {: shortdesc}
- Sign images for trusted content. After you set up trust for your images, you can manage trusted content and signers that can push images to your registry.
- To enforce a policy so that only signed images can be used to build containers in your cluster, install the open source Portieris project.
- Cluster users can deploy apps that are built from trusted images.
{: #portieris-image-sec}
When you enable image security enforcement in your cluster, you install the open-source Portieris Kubernetes project. Then, you can create image policies to prevent pods that do not meet the policies, such as unsigned images, from running in your cluster. {: shortdesc}
For more information, see the Portieris documentation{: external}.
There is a known issue{: external} when updating a cluster from {{site.data.keyword.openshiftshort}} 4.7 to {{site.data.keyword.openshiftshort}} 4.8. Do not upgrade your cluster to from version 4.7 to version 4.8 if it has image security enforcement enabled. {: important}
Mutated images: By default, Portieris uses the MutatingAdmissionWebhook admission controller to mutate your image to refer to the image by a digest instead of a tag. However, you might have some deployment technology that rejects a mutated image. If so, you can use the image mutation option{: external} and policy{: external} to change the default behavior.
{: note}
{: #portieris-enable}
Kubernetes version 1.18 or later: You can enable or disable image security enforcement for your cluster from the CLI or console. For earlier versions, see the Portieris documentation{: external}. {: shortdesc}
{: #portieris-enable-cli}
See the following commands.
{: #portieris-enable-ui}
- From the Kubernetes clusters console{: external}, select your cluster.
- From the Overview tab, in the Summary pane, find the Image security enforcement field and click Enable or Disable.
{: #portieris-default-policies}
When you enable image security enforcement, {{site.data.keyword.containerlong_notm}} automatically creates certain image policies in your cluster. When you disable the feature, the underlying ClusterImagePolicy CRD is removed, which removes all of the default image policies and any custom images policies that you created.
{: shortdesc}
- Image policies with the name
ibm-signed-image-enforcementrestrict the images that are run in the namespace to {{site.data.keyword.containerlong_notm}} images only. Do not modify these image policies. Any changes that you make are overwritten within a few minutes. - Other image policies, such as
defaultordefault-allow-all, permit images that are not restricted by another image policy. You can modify these image policies and your changes are preserved, but do not rename the image policy. If you rename the policy, more policies with the default name and settings are created.
To review the image policies in your cluster,
Before you begin
-
List the image policies that apply globally to the cluster. For an example configuration, see the Portieris policy documentation{: external}.
kubectl get ClusterImagePolicy
{: pre}
-
List the image policies that apply to particular namespaces within the cluster. For an example configuration, see the Portieris policy documentation{: external}.
kubectl get ImagePolicy --all-namespaces
{: pre}