richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2630 Commits
34 Branches
82 Tags
158 MiB
Tree: cdc2e7d4fe
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'cdc2e7d4fe'
${ noResults }
kubespray/roles/kubernetes-apps/registry/templates/auth/README.md

92 lines
3.0 KiB
Raw Normal View History

Migrate Kubernetes v1.9.1 cluster/addons/registry to Kubespray
7 years ago
  1. # Enable Authentication with Htpasswd for Kube-Registry
  3. Docker registry support a few authentication providers. Full list of supported provider can be found [here](https://docs.docker.com/registry/configuration/#auth). This document describes how to enable authentication with htpasswd for kube-registry.
  5. ### Prepare Htpasswd Secret
  7. Please generate your own htpasswd file. Assuming the file you generated is `htpasswd`.
  8. Creating secret to hold htpasswd...
  9. ```console
  10. $ kubectl --namespace=kube-system create secret generic registry-auth-secret --from-file=htpasswd=htpasswd
  11. ```
  13. ### Run Registry
  15. Please be noted that this sample rc is using emptyDir as storage backend for simplicity.
  17. <!-- BEGIN MUNGE: EXAMPLE registry-auth-rc.yaml -->
  18. ```yaml
  19. apiVersion: v1
  20. kind: ReplicationController
  21. metadata:
  22. name: kube-registry-v0
  23. namespace: kube-system
  24. labels:
  25. k8s-app: kube-registry
  26. version: v0
  27. # kubernetes.io/cluster-service: "true"
  28. spec:
  29. replicas: 1
  30. selector:
  31. k8s-app: kube-registry
  32. version: v0
  33. template:
  34. metadata:
  35. labels:
  36. k8s-app: kube-registry
  37. version: v0
  38. # kubernetes.io/cluster-service: "true"
  39. spec:
  40. containers:
  41. - name: registry
  42. image: registry:2
  43. resources:
  44. # keep request = limit to keep this container in guaranteed class
  45. limits:
  46. cpu: 100m
  47. memory: 100Mi
  48. requests:
  49. cpu: 100m
  50. memory: 100Mi
  51. env:
  52. - name: REGISTRY_HTTP_ADDR
  53. value: :5000
  54. - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
  55. value: /var/lib/registry
  56. - name: REGISTRY_AUTH_HTPASSWD_REALM
  57. value: basic_realm
  58. - name: REGISTRY_AUTH_HTPASSWD_PATH
  59. value: /auth/htpasswd
  60. volumeMounts:
  61. - name: image-store
  62. mountPath: /var/lib/registry
  63. - name: auth-dir
  64. mountPath: /auth
  65. ports:
  66. - containerPort: 5000
  67. name: registry
  68. protocol: TCP
  69. volumes:
  70. - name: image-store
  71. emptyDir: {}
  72. - name: auth-dir
  73. secret:
  74. secretName: registry-auth-secret
  75. ```
  76. <!-- END MUNGE: EXAMPLE registry-auth-rc.yaml -->
  78. No changes are needed for other components (kube-registry service and proxy).
  80. ### To Verify
  82. Setup proxy or port-forwarding to the kube-registry. Image push/pull should fail without authentication. Then use `docker login` to authenticate with kube-registry and see if it works.
  84. ### Configure Nodes to Authenticate with Kube-Registry
  86. By default, nodes assume no authentication is required by kube-registry. Without authentication, nodes cannot pull images from kube-registry. To solve this, more documentation can be found [Here](https://github.com/kubernetes/kubernetes.github.io/blob/master/docs/concepts/containers/images.md#configuring-nodes-to-authenticate-to-a-private-repository).
  92. [![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/cluster/addons/registry/auth/README.md?pixel)]()