richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5038 Commits
29 Branches
81 Tags
147 MiB
Tree: 324106e91e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '324106e91e'
${ noResults }
kubespray/roles/kubernetes-apps/registry/README.md

272 lines
8.1 KiB
Raw Normal View History

Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
fix broken link (#5023)
5 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Fix label of registry in README
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Fix label of registry in README
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Fix label of registry in README
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Fix label of registry in README
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Fix label of registry in README
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Add support for k8s v1.16.0-beta.2 (#5148) Cleaned up deprecated APIs: apps/v1beta1 apps/v1beta2 extensions/v1beta1 for ds,deploy,rs Add workaround for deploying helm using incompatible deployment manifest. Change-Id: I78b36741348f47a999df3841ee63cf4e6f377830
5 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Update nginx image to latest (#5590)
4 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Fix label of registry in README
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
6 years ago
Registry Addon Fixup
6 years ago
  1. Private Docker Registry in Kubernetes
  2. =====================================
  4. Kubernetes offers an optional private Docker registry addon, which you can turn
  5. on when you bring up a cluster or install later. This gives you a place to
  6. store truly private Docker images for your cluster.
  8. How it works
  9. ------------
  11. The private registry runs as a `Pod` in your cluster. It does not currently
  12. support SSL or authentication, which triggers Docker's "insecure registry"
  13. logic. To work around this, we run a proxy on each node in the cluster,
  14. exposing a port onto the node (via a hostPort), which Docker accepts as
  15. "secure", since it is accessed by `localhost`.
  17. Turning it on
  18. -------------
  20. Some cluster installs (e.g. GCE) support this as a cluster-birth flag. The
  21. `ENABLE_CLUSTER_REGISTRY` variable in `cluster/gce/config-default.sh` governs
  22. whether the registry is run or not. To set this flag, you can specify
  23. `KUBE_ENABLE_CLUSTER_REGISTRY=true` when running `kube-up.sh`. If your cluster
  24. does not include this flag, the following steps should work. Note that some of
  25. this is cloud-provider specific, so you may have to customize it a bit.
  27. ### Make some storage
  29. The primary job of the registry is to store data. To do that we have to decide
  30. where to store it. For cloud environments that have networked storage, we can
  31. use Kubernetes's `PersistentVolume` abstraction. The following template is
  32. expanded by `salt` in the GCE cluster turnup, but can easily be adapted to
  33. other situations:
  35. <!-- BEGIN MUNGE: EXAMPLE registry-pv.yaml.in -->
  36. ``` yaml
  37. kind: PersistentVolume
  38. apiVersion: v1
  39. metadata:
  40. name: kube-system-kube-registry-pv
  41. spec:
  42. {% if pillar.get('cluster_registry_disk_type', '') == 'gce' %}
  43. capacity:
  44. storage: {{ pillar['cluster_registry_disk_size'] }}
  45. accessModes:
  46. - ReadWriteOnce
  47. gcePersistentDisk:
  48. pdName: "{{ pillar['cluster_registry_disk_name'] }}"
  49. fsType: "ext4"
  50. {% endif %}
  51. ```
  52. <!-- END MUNGE: EXAMPLE registry-pv.yaml.in -->
  54. If, for example, you wanted to use NFS you would just need to change the
  55. `gcePersistentDisk` block to `nfs`. See
  56. [here](https://kubernetes.io/docs/concepts/storage/volumes/) for more details on volumes.
  58. Note that in any case, the storage (in the case the GCE PersistentDisk) must be
  59. created independently - this is not something Kubernetes manages for you (yet).
  61. ### I don't want or don't have persistent storage
  63. If you are running in a place that doesn't have networked storage, or if you
  64. just want to kick the tires on this without committing to it, you can easily
  65. adapt the `ReplicationController` specification below to use a simple
  66. `emptyDir` volume instead of a `persistentVolumeClaim`.
  68. Claim the storage
  69. -----------------
  71. Now that the Kubernetes cluster knows that some storage exists, you can put a
  72. claim on that storage. As with the `PersistentVolume` above, you can start
  73. with the `salt` template:
  75. <!-- BEGIN MUNGE: EXAMPLE registry-pvc.yaml.in -->
  76. ``` yaml
  77. kind: PersistentVolumeClaim
  78. apiVersion: v1
  79. metadata:
  80. name: kube-registry-pvc
  81. namespace: kube-system
  82. spec:
  83. accessModes:
  84. - ReadWriteOnce
  85. resources:
  86. requests:
  87. storage: {{ pillar['cluster_registry_disk_size'] }}
  88. ```
  89. <!-- END MUNGE: EXAMPLE registry-pvc.yaml.in -->
  91. This tells Kubernetes that you want to use storage, and the `PersistentVolume`
  92. you created before will be bound to this claim (unless you have other
  93. `PersistentVolumes` in which case those might get bound instead). This claim
  94. gives you the right to use this storage until you release the claim.
  96. Run the registry
  97. ----------------
  99. Now we can run a Docker registry:
  101. <!-- BEGIN MUNGE: EXAMPLE registry-rc.yaml -->
  102. ``` yaml
  103. apiVersion: v1
  104. kind: ReplicationController
  105. metadata:
  106. name: kube-registry-v0
  107. namespace: kube-system
  108. labels:
  109. k8s-app: registry
  110. version: v0
  111. spec:
  112. replicas: 1
  113. selector:
  114. k8s-app: registry
  115. version: v0
  116. template:
  117. metadata:
  118. labels:
  119. k8s-app: registry
  120. version: v0
  121. spec:
  122. containers:
  123. - name: registry
  124. image: registry:2
  125. resources:
  126. limits:
  127. cpu: 100m
  128. memory: 100Mi
  129. env:
  130. - name: REGISTRY_HTTP_ADDR
  131. value: :5000
  132. - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
  133. value: /var/lib/registry
  134. volumeMounts:
  135. - name: image-store
  136. mountPath: /var/lib/registry
  137. ports:
  138. - containerPort: 5000
  139. name: registry
  140. protocol: TCP
  141. volumes:
  142. - name: image-store
  143. persistentVolumeClaim:
  144. claimName: kube-registry-pvc
  145. ```
  146. <!-- END MUNGE: EXAMPLE registry-rc.yaml -->
  148. Expose the registry in the cluster
  149. ----------------------------------
  151. Now that we have a registry `Pod` running, we can expose it as a Service:
  153. <!-- BEGIN MUNGE: EXAMPLE registry-svc.yaml -->
  154. ``` yaml
  155. apiVersion: v1
  156. kind: Service
  157. metadata:
  158. name: kube-registry
  159. namespace: kube-system
  160. labels:
  161. k8s-app: registry
  162. kubernetes.io/name: "KubeRegistry"
  163. spec:
  164. selector:
  165. k8s-app: registry
  166. ports:
  167. - name: registry
  168. port: 5000
  169. protocol: TCP
  170. ```
  171. <!-- END MUNGE: EXAMPLE registry-svc.yaml -->
  173. Expose the registry on each node
  174. --------------------------------
  176. Now that we have a running `Service`, we need to expose it onto each Kubernetes
  177. `Node` so that Docker will see it as `localhost`. We can load a `Pod` on every
  178. node by creating following daemonset.
  180. <!-- BEGIN MUNGE: EXAMPLE ../../saltbase/salt/kube-registry-proxy/kube-registry-proxy.yaml -->
  181. ``` yaml
  182. apiVersion: apps/v1
  183. kind: DaemonSet
  184. metadata:
  185. name: kube-registry-proxy
  186. namespace: kube-system
  187. labels:
  188. k8s-app: kube-registry-proxy
  189. version: v0.4
  190. spec:
  191. template:
  192. metadata:
  193. labels:
  194. k8s-app: kube-registry-proxy
  195. kubernetes.io/name: "kube-registry-proxy"
  196. version: v0.4
  197. spec:
  198. containers:
  199. - name: kube-registry-proxy
  200. image: gcr.io/google_containers/kube-registry-proxy:0.4
  201. resources:
  202. limits:
  203. cpu: 100m
  204. memory: 50Mi
  205. env:
  206. - name: REGISTRY_HOST
  207. value: kube-registry.kube-system.svc.cluster.local
  208. - name: REGISTRY_PORT
  209. value: "5000"
  210. ports:
  211. - name: registry
  212. containerPort: 80
  213. hostPort: 5000
  214. ```
  215. <!-- END MUNGE: EXAMPLE ../../saltbase/salt/kube-registry-proxy/kube-registry-proxy.yaml -->
  217. When modifying replication-controller, service and daemon-set definitions, take
  218. care to ensure *unique* identifiers for the rc-svc couple and the daemon-set.
  219. Failing to do so will have register the localhost proxy daemon-sets to the
  220. upstream service. As a result they will then try to proxy themselves, which
  221. will, for obvious reasons, not work.
  223. This ensures that port 5000 on each node is directed to the registry `Service`.
  224. You should be able to verify that it is running by hitting port 5000 with a web
  225. browser and getting a 404 error:
  227. ``` console
  228. $ curl localhost:5000
  229. 404 page not found
  230. ```
  232. Using the registry
  233. ------------------
  235. To use an image hosted by this registry, simply say this in your `Pod`'s
  236. `spec.containers[].image` field:
  238. ``` yaml
  239. image: localhost:5000/user/container
  240. ```
  242. Before you can use the registry, you have to be able to get images into it,
  243. though. If you are building an image on your Kubernetes `Node`, you can spell
  244. out `localhost:5000` when you build and push. More likely, though, you are
  245. building locally and want to push to your cluster.
  247. You can use `kubectl` to set up a port-forward from your local node to a
  248. running Pod:
  250. ``` console
  251. $ POD=$(kubectl get pods --namespace kube-system -l k8s-app=registry \
  252. -o template --template '{{range .items}}{{.metadata.name}} {{.status.phase}}{{"\n"}}{{end}}' \
  253. | grep Running | head -1 | cut -f1 -d' ')
  255. $ kubectl port-forward --namespace kube-system $POD 5000:5000 &
  256. ```
  258. Now you can build and push images on your local computer as
  259. `localhost:5000/yourname/container` and those images will be available inside
  260. your kubernetes cluster with the same name.
  262. More Extensions
  263. ===============
  265. - [Use GCS as storage backend](gcs/README.md)
  266. - [Enable TLS/SSL](tls/README.md)
  267. - [Enable Authentication](auth/README.md)
  269. Future improvements
  270. -------------------
  272. - Allow port-forwarding to a Service rather than a pod (\#15180)