Kubernetes Container Image Pull Concepts: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
Line 21: Line 21:
{{External|https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/}}
{{External|https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/}}
Conceptually, there could be several ways to configure access to private registries for pods:
Conceptually, there could be several ways to configure access to private registries for pods:
* An entire node can be configured to authenticate to one or more private registry. If this option is used, all pods scheduled on that node can read any configured private registries. This method requires the involvement of the cluster administrator, who needs to configured the nodes.
* An entire node can be configured to authenticate to one or more private registry. If this option is used, all pods scheduled on that node can read any configured private registries. This method requires the involvement of the cluster administrator, who needs to configured the nodes, but isolates individual pods from registry configuration concerns.
* Pods can be individually configured to authenticate to private registries, by specifying [[Kubernetes_Cluster_Configuration_Concepts#imagePullSecrets|imagePullSecrets]] on specific pods. Only the pods that provide suitable keys can access the private repository.
* Pods can be individually configured to authenticate to private registries, by specifying [[Kubernetes_Cluster_Configuration_Concepts#imagePullSecrets|imagePullSecrets]] on specific pods. Only the pods that provide suitable keys can access the private repository.

Revision as of 17:40, 26 August 2020

External

Internal

Overview

A pod's containers pull their images from their respective repositories while the pod is in Pending phase. Technically, it is the kubelet that performs the image pulling on behalf of the pod.

Pull Policy

The pull policy is configured on a per-container basis using the imagePullPolicy tag in the pod manifest.

There are three possible values: Always, IfNotPresent and Never. This attribute is optional, and if it is not specified, it is inferred based on the image tag. The default is Always if ":latest" tag is specified, or IfNotPresent otherwise.

The pull policy can be also enforced with the AlwaysPullImages admission controller.

Private Registries

https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry
https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

Conceptually, there could be several ways to configure access to private registries for pods:

  • An entire node can be configured to authenticate to one or more private registry. If this option is used, all pods scheduled on that node can read any configured private registries. This method requires the involvement of the cluster administrator, who needs to configured the nodes, but isolates individual pods from registry configuration concerns.
  • Pods can be individually configured to authenticate to private registries, by specifying imagePullSecrets on specific pods. Only the pods that provide suitable keys can access the private repository.