diff --git a/cluster/addons/registry/README.md b/cluster/addons/registry/README.md index 80a90df3c8f..42f56df0d2a 100644 --- a/cluster/addons/registry/README.md +++ b/cluster/addons/registry/README.md @@ -235,7 +235,7 @@ running Pod: ```console $ POD=$(kubectl get pods --namespace kube-system -l k8s-app=kube-registry \ - -o template--template '{{range .items}}{{.metadata.name}} {{.status.phase}}{{"\n"}}{{end}}' \ + -o template --template '{{range .items}}{{.metadata.name}} {{.status.phase}}{{"\n"}}{{end}}' \ | grep Running | head -1 | cut -f1 -d' ') $ kubectl port-forward --namespace kube-system $POD 5000:5000 & @@ -245,11 +245,14 @@ Now you can build and push images on your local computer as `localhost:5000/yourname/container` and those images will be available inside your kubernetes cluster with the same name. +# More Extensions + +- [Use GCS as storage backend](gcs/README.md) +- [Enable TLS/SSL](tls/README.md) +- [Enable Authentication](auth/README.md) + ## Future improvements -* Use a NodePort Service instead of a per-node proxy process -* Enable SSL with a cert signed by your cluster CA or provided by the user -* Enable authentication * Allow port-forwarding to a Service rather than a pod (#15180) diff --git a/cluster/addons/registry/auth/README.md b/cluster/addons/registry/auth/README.md new file mode 100644 index 00000000000..8fbd7e4f3bc --- /dev/null +++ b/cluster/addons/registry/auth/README.md 
@@ -0,0 +1,92 @@ +# Enable Authentication with Htpasswd for Kube-Registry + +Docker registry support a few authentication providers. Full list of supported provider can be found [here](https://docs.docker.com/registry/configuration/#auth). This document describes how to enable authentication with htpasswd for kube-registry. + +### Prepare Htpasswd Secret + +Please generate your own htpasswd file. Assuming the file you generated is `htpasswd`. +Creating secret to hold htpasswd... +```console +$ kubectl --namespace=kube-system create secret generic registry-auth-secret --from-file=htpasswd=htpasswd +``` + +### Run Registry + +Please be noted that this sample rc is using emptyDir as storage backend for simplicity. + + +```yaml +apiVersion: v1 +kind: ReplicationController +metadata: + name: kube-registry-v0 + namespace: kube-system + labels: + k8s-app: kube-registry + version: v0 +# kubernetes.io/cluster-service: "true" +spec: + replicas: 1 + selector: + k8s-app: kube-registry + version: v0 + template: + metadata: + labels: + k8s-app: kube-registry + version: v0 +# kubernetes.io/cluster-service: "true" + spec: + containers: + - name: registry + image: registry:2 + resources: + # keep request = limit to keep this container in guaranteed class + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 100m + memory: 100Mi + env: + - name: REGISTRY_HTTP_ADDR + value: :5000 + - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY + value: /var/lib/registry + - name: REGISTRY_AUTH_HTPASSWD_REALM + value: basic_realm + - name: REGISTRY_AUTH_HTPASSWD_PATH + value: /auth/htpasswd + volumeMounts: + - name: image-store + mountPath: /var/lib/registry + - name: auth-dir + mountPath: /auth + ports: + - containerPort: 5000 + name: registry + protocol: TCP + volumes: + - name: image-store + emptyDir: {} + - name: auth-dir + secret: + secretName: registry-auth-secret +``` + + +No changes are needed for other components (kube-registry service and proxy). 
+ +### To Verify + +Setup proxy or port-forwarding to the kube-registry. Image push/pull should fail without authentication. Then use `docker login` to authenticate with kube-registry and see if it works. + +### Configure Nodes to Authenticate with Kube-Registry + +By default, nodes assume no authentication is required by kube-registry. Without authentication, nodes cannot pull images from kube-registry. To solve this, more documentation can be found [Here](https://github.com/kubernetes/kubernetes/blob/master/docs/user-guide/images.md#configuring-nodes-to-authenticate-to-a-private-repository) + + + + + +[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/cluster/addons/registry/auth/README.md?pixel)]() diff --git a/cluster/addons/registry/auth/registry-auth-rc.yaml b/cluster/addons/registry/auth/registry-auth-rc.yaml new file mode 100644 index 00000000000..1af623d0909 --- /dev/null +++ b/cluster/addons/registry/auth/registry-auth-rc.yaml 
@@ -0,0 +1,56 @@ +apiVersion: v1 +kind: ReplicationController +metadata: + name: kube-registry-v0 + namespace: kube-system + labels: + k8s-app: kube-registry + version: v0 +# kubernetes.io/cluster-service: "true" +spec: + replicas: 1 + selector: + k8s-app: kube-registry + version: v0 + template: + metadata: + labels: + k8s-app: kube-registry + version: v0 +# kubernetes.io/cluster-service: "true" + spec: + containers: + - name: registry + image: registry:2 + resources: + # keep request = limit to keep this container in guaranteed class + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 100m + memory: 100Mi + env: + - name: REGISTRY_HTTP_ADDR + value: :5000 + - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY + value: /var/lib/registry + - name: REGISTRY_AUTH_HTPASSWD_REALM + value: basic_realm + - name: REGISTRY_AUTH_HTPASSWD_PATH + value: /auth/htpasswd + volumeMounts: + - name: image-store + mountPath: /var/lib/registry + - name: auth-dir + mountPath: /auth + ports: + - containerPort: 5000 + name: registry + protocol: TCP + volumes: + - name: image-store + emptyDir: {} + - name: auth-dir + secret: + secretName: registry-auth-secret \ No newline at end of file diff --git a/cluster/addons/registry/gcs/README.md b/cluster/addons/registry/gcs/README.md new file mode 100644 index 00000000000..5706a848f8d --- /dev/null +++ b/cluster/addons/registry/gcs/README.md 
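Review bot: The container enables htpasswd authentication (`REGISTRY_AUTH_HTPASSWD_REALM` / `REGISTRY_AUTH_HTPASSWD_PATH`) but sets no `REGISTRY_HTTP_TLS_CERTIFICATE` / `REGISTRY_HTTP_TLS_KEY`, so clients send basic-auth credentials in cleartext to :5000; the registry's own configuration documentation says the htpasswd provider should only be used behind TLS. The sample should either mount the `registry-tls-secret` from the sibling tls manifest next to the htpasswd secret, or the auth README should state that this manifest must be combined with the TLS one before it is reached by anything other than a localhost port-forward. Separately, `image: registry:2` is a floating tag, so the addon is not reproducible and silently picks up whatever the tag points to; pinning a digest (or at least a full version) is preferable — the same applies to registry-gcs-rc.yaml and registry-tls-rc.yaml. The hunk also lacks a trailing newline.
```yaml
        env:
        # … unchanged: REGISTRY_HTTP_ADDR, storage and htpasswd entries …
        - name: REGISTRY_HTTP_TLS_CERTIFICATE
          value: /certs/domain.crt
        - name: REGISTRY_HTTP_TLS_KEY
          value: /certs/domain.key
        volumeMounts:
        # … unchanged: image-store, auth-dir …
        - name: cert-dir
          mountPath: /certs
      # … unchanged: ports …
      volumes:
      # … unchanged: image-store, auth-dir …
      - name: cert-dir
        secret:
          secretName: registry-tls-secret
```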
@@ -0,0 +1,81 @@ +# Kube-Registry with GCS storage backend + +Besides local file system, docker registry also supports a number of cloud storage backends. Full list of supported backend can be found [here](https://docs.docker.com/registry/configuration/#storage). This document describes how to enable GCS for kube-registry as storage backend. + +A few preparation steps are needed. + 1. Create a bucket named kube-registry in GCS. + 1. Create a service account for GCS access and create key file in json format. Detail instruction can be found [here](https://cloud.google.com/storage/docs/authentication#service_accounts). + + +### Pack Keyfile into a Secret + +Assuming you have downloaded the keyfile as `keyfile.json`. Create secret with the `keyfile.json`... +```console +$ kubectl --namespace=kube-system create secret generic gcs-key-secret --from-file=keyfile=keyfile.json +``` + + +### Run Registry + + +```yaml +apiVersion: v1 +kind: ReplicationController +metadata: + name: kube-registry-v0 + namespace: kube-system + labels: + k8s-app: kube-registry + version: v0 +# kubernetes.io/cluster-service: "true" +spec: + replicas: 1 + selector: + k8s-app: kube-registry + version: v0 + template: + metadata: + labels: + k8s-app: kube-registry + version: v0 +# kubernetes.io/cluster-service: "true" + spec: + containers: + - name: registry + image: registry:2 + resources: + # keep request = limit to keep this container in guaranteed class + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 100m + memory: 100Mi + env: + - name: REGISTRY_HTTP_ADDR + value: :5000 + - name: REGISTRY_STORAGE + value: gcs + - name: REGISTRY_STORAGE_GCS_BUCKET + value: kube-registry + - name: REGISTRY_STORAGE_GCS_KEYFILE + value: /gcs/keyfile + ports: + - containerPort: 5000 + name: registry + protocol: TCP + volumeMounts: + - name: gcs-key + mountPath: /gcs + volumes: + - name: gcs-key + secret: + secretName: gcs-key-secret +``` + + + +No changes are needed for other components (kube-registry service 
and proxy). + + +[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/cluster/addons/registry/gcs/README.md?pixel)]() diff --git a/cluster/addons/registry/gcs/registry-gcs-rc.yaml b/cluster/addons/registry/gcs/registry-gcs-rc.yaml new file mode 100644 index 00000000000..e6974033564 --- /dev/null +++ b/cluster/addons/registry/gcs/registry-gcs-rc.yaml @@ -0,0 +1,52 @@ +apiVersion: v1 +kind: ReplicationController +metadata: + name: kube-registry-v0 + namespace: kube-system + labels: + k8s-app: kube-registry + version: v0 +# kubernetes.io/cluster-service: "true" +spec: + replicas: 1 + selector: + k8s-app: kube-registry + version: v0 + template: + metadata: + labels: + k8s-app: kube-registry + version: v0 +# kubernetes.io/cluster-service: "true" + spec: + containers: + - name: registry + image: registry:2 + resources: + # keep request = limit to keep this container in guaranteed class + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 100m + memory: 100Mi + env: + - name: REGISTRY_HTTP_ADDR + value: :5000 + - name: REGISTRY_STORAGE + value: gcs + - name: REGISTRY_STORAGE_GCS_BUCKET + value: kube-registry + - name: REGISTRY_STORAGE_GCS_KEYFILE + value: /gcs/keyfile + ports: + - containerPort: 5000 + name: registry + protocol: TCP + volumeMounts: + - name: gcs-key + mountPath: /gcs + volumes: + - name: gcs-key + secret: + secretName: gcs-key-secret diff --git a/cluster/addons/registry/tls/README.md b/cluster/addons/registry/tls/README.md new file mode 100644 index 00000000000..7ba5cc628b3 --- /dev/null +++ b/cluster/addons/registry/tls/README.md 
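Review bot: `REGISTRY_STORAGE_GCS_KEYFILE` mounts a long-lived service-account JSON key from `gcs-key-secret`, and the manifest configures no TLS or `REGISTRY_AUTH_*` entries, so anyone who can reach the registry on :5000 can write to the bucket with that account's permissions. A comment on the `gcs-key` volume would make the operational expectation explicit, e.g. `# service-account key: grant the account access to this bucket only, and rotate the key`. Also, `value: kube-registry` for `REGISTRY_STORAGE_GCS_BUCKET` reads as a fixed name, but GCS bucket names are globally unique, so a placeholder marker such as `# replace with the name of the bucket you created` would avoid a confusing startup failure when the name is already taken.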
@@ -0,0 +1,116 @@ +# Enable TLS for Kube-Registry + +This document describes how to enable TLS for kube-registry. Before you start, please check if you have all the prerequisite: + +- A domain for kube-registry. Assuming it is ` myregistrydomain.com`. +- Domain certificate and key. Assuming they are `domain.crt` and `domain.key` + +### Pack domain.crt and domain.key into a Secret + +```console +$ kubectl --namespace=kube-system create secret generic registry-tls-secret --from-file=domain.crt=domain.crt --from-file=domain.key=domain.key +``` + +### Run Registry + +Please be noted that this sample rc is using emptyDir as storage backend for simplicity. + + +```yaml +apiVersion: v1 +kind: ReplicationController +metadata: + name: kube-registry-v0 + namespace: kube-system + labels: + k8s-app: kube-registry + version: v0 +# kubernetes.io/cluster-service: "true" +spec: + replicas: 1 + selector: + k8s-app: kube-registry + version: v0 + template: + metadata: + labels: + k8s-app: kube-registry + version: v0 +# kubernetes.io/cluster-service: "true" + spec: + containers: + - name: registry + image: registry:2 + resources: + # keep request = limit to keep this container in guaranteed class + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 100m + memory: 100Mi + env: + - name: REGISTRY_HTTP_ADDR + value: :5000 + - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY + value: /var/lib/registry + - name: REGISTRY_HTTP_TLS_CERTIFICATE + value: /certs/domain.crt + - name: REGISTRY_HTTP_TLS_KEY + value: /certs/domain.key + volumeMounts: + - name: image-store + mountPath: /var/lib/registry + - name: cert-dir + mountPath: /certs + ports: + - containerPort: 5000 + name: registry + protocol: TCP + volumes: + - name: image-store + emptyDir: {} + - name: cert-dir + secret: + secretName: registry-tls-secret +``` + + +### Expose External IP for Kube-Registry + +Modify the default kube-registry service to `LoadBalancer` type and point the DNS record of `myregistrydomain.com` to the service 
external ip. + + +```yaml +apiVersion: v1 +kind: Service +metadata: + name: kube-registry + namespace: kube-system + labels: + k8s-app: kube-registry +# kubernetes.io/cluster-service: "true" + kubernetes.io/name: "KubeRegistry" +spec: + selector: + k8s-app: kube-registry + type: LoadBalancer + ports: + - name: registry + port: 5000 + protocol: TCP +``` + + +### To Verify + +Now you should be able to access your kube-registry from another docker host. +```console +docker pull busybox +docker tag busybox myregistrydomain.com:5000/busybox +docker push myregistrydomain.com:5000/busybox +docker pull myregistrydomain.com:5000/busybox +``` + + +[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/cluster/addons/registry/tls/README.md?pixel)]() diff --git a/cluster/addons/registry/tls/registry-tls-rc.yaml b/cluster/addons/registry/tls/registry-tls-rc.yaml new file mode 100644 index 00000000000..c2411c05246 --- /dev/null +++ b/cluster/addons/registry/tls/registry-tls-rc.yaml 
@@ -0,0 +1,57 @@ +apiVersion: v1 +kind: ReplicationController +metadata: + name: kube-registry-v0 + namespace: kube-system + labels: + k8s-app: kube-registry + version: v0 +# kubernetes.io/cluster-service: "true" +spec: + replicas: 1 + selector: + k8s-app: kube-registry + version: v0 + template: + metadata: + labels: + k8s-app: kube-registry + version: v0 +# kubernetes.io/cluster-service: "true" + spec: + containers: + - name: registry + image: registry:2 + resources: + # keep request = limit to keep this container in guaranteed class + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 100m + memory: 100Mi + env: + - name: REGISTRY_HTTP_ADDR + value: :5000 + - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY + value: /var/lib/registry + - name: REGISTRY_HTTP_TLS_CERTIFICATE + value: /certs/domain.crt + - name: REGISTRY_HTTP_TLS_KEY + value: /certs/domain.key + volumeMounts: + - name: image-store + mountPath: /var/lib/registry + - name: cert-dir + mountPath: /certs + ports: + - containerPort: 5000 + name: registry + protocol: TCP + volumes: + - name: image-store + emptyDir: {} + - name: cert-dir + secret: + secretName: registry-tls-secret + diff --git a/cluster/addons/registry/tls/registry-tls-svc.yaml b/cluster/addons/registry/tls/registry-tls-svc.yaml new file mode 100644 index 00000000000..a9d59f117d4 --- /dev/null +++ b/cluster/addons/registry/tls/registry-tls-svc.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + name: kube-registry + namespace: kube-system + labels: + k8s-app: kube-registry +# kubernetes.io/cluster-service: "true" + kubernetes.io/name: "KubeRegistry" +spec: + selector: + k8s-app: kube-registry + type: LoadBalancer + ports: + - name: registry + port: 5000 + protocol: TCP
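Review bot: This manifest terminates TLS but sets no `REGISTRY_AUTH_*` entries, and the accompanying registry-tls-svc.yaml switches the service to `type: LoadBalancer`, so following the TLS README as written yields an anonymously writable registry on a public IP. Either the manifest should carry the htpasswd settings from registry-auth-rc.yaml — `REGISTRY_AUTH_HTPASSWD_REALM`, `REGISTRY_AUTH_HTPASSWD_PATH` and the `auth-dir` secret mount — or the env block should at least carry `# no authentication configured: combine with registry-auth-rc.yaml before exposing this via LoadBalancer`. The name `kube-registry-v0` and the `k8s-app`/`version` selector labels appear to match the base addon's RC, so applying this alongside it will conflict or replace it; a header comment stating that this replaces the stock RC rather than supplementing it would help. The hunk also ends with a stray blank `+` line.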
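Review bot: The selector `k8s-app: kube-registry` carries no `version` label, so the LoadBalancer will route to every pod with that label — including a still-running plaintext registry pod from the base addon or from the auth/gcs samples if they coexist in kube-system — and the external endpoint would then intermittently serve a non-TLS, unauthenticated backend. Tightening the selector to the pods this service is meant to front, or a comment `# selector must match only the TLS-enabled RC` above it, would prevent that. Nothing limits which source addresses may reach the external IP either; where the cluster supports `spec.loadBalancerSourceRanges`, the TLS README should mention it, or `type: LoadBalancer` should carry `# consider loadBalancerSourceRanges to restrict who can reach the registry`.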