Kubernetes Container Image Pull Concepts: Difference between revisions
Line 31: | Line 31: | ||
==Configure imagePullSecrets== | ==Configure imagePullSecrets== | ||
{{External|https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod}} | {{External|https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod}} | ||
Also see {{Internal|Kubernetes_Pod_Manifest#imagePullSecrets|Pod Manifest | <tt>imagePullSecrets</tt>}} | Also see {{Internal|Kubernetes_Pod_Manifest#imagePullSecrets|Pod Manifest | <tt><b>imagePullSecrets</b></tt>}} | ||
==Pre-pulled Images== | ==Pre-pulled Images== | ||
{{External|https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images}} | {{External|https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images}} | ||
{{Internal|Kubernetes_Cluster_Configuration_Concepts#imagePullSecrets|Kubernetes Cluster Configuration Concepts - imagePullSecrets}} | {{Internal|Kubernetes_Cluster_Configuration_Concepts#imagePullSecrets|Kubernetes Cluster Configuration Concepts - imagePullSecrets}} |
Revision as of 01:23, 13 April 2021
External
Internal
Overview
A pod's containers pull their images from their respective repositories while the pod is in Pending phase. Technically, it is the kubelet that performs the image pulling on behalf of the pod.
Pull Policy
The pull policy is configured on a per-container basis using the imagePullPolicy tag in the pod manifest. "imagePullPolicy" is configuration that tells the container runtime how to pull the container image prior to starting the container.
There are three possible values: Always
, IfNotPresent
and Never
. This attribute is optional, and if it is not specified, it is inferred based on the image tag. The default is Always
if ":latest" tag is specified, or IfNotPresent
otherwise. Note that if the attribute is explicitly set to "IfNotPresent" or "Never", it will be honored even if the image tag is ":latest".
The pull policy can be also enforced with the AlwaysPullImages admission controller.
Private Registries
Conceptually, there could be several ways to configure access to private registries for pods:
- An entire node can be configured to authenticate to one or more private registries. If this option is used, all pods scheduled on that node can read any configured private registries. This method requires the involvement of the cluster administrator, who needs to configured the nodes, but isolates individual pods from registry configuration concerns. More details in Node-Level Configuration.
- Pods can be individually configured to authenticate to private registries, by specifying imagePullSecrets on specific pods. Only the pods that provide suitable keys can access the private repository. This approach involves creating application-specific Kubernetes resources (dedicated secrets) and also modification of the pod manifests. More details in Configure imagePullSecrets.
The images can also be pre-pulled on nodes, and all pods scheduled on the node can use the cached images. However, this requires root access to all nodes to setup. More details in Pre-pulled Images.
Node-Level Configuration
Configure imagePullSecrets
Also see