TGIK8s 23 notes

registries.md

• Terminology
  • Registry -- the API/service you talk to to push/pull images
  • Repository -- a set of relate container images that share the same name but different tags.
  • Container Image -- a single image that can be used to launch a container. Has multiple "names"
  • Container Image Layer -- implementation detail used to speed up image push/pull/launch
• Docker Hub
  • One personal registry per user. There are "organizations" that are shared registries. Similar to github model.
• ACR
  • Registry is called foo.azurecr.io
  • 2 authentication mechanisms:
    • "admin user": Creates an ACR specific long term password. Username foo
    • "service principal": https://docs.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal
  • Public images? unsure
• ECR -- https://aws.amazon.com/ecr/
  • Just private images
  • One registry per account per region. [account-id].dkr.ecr.[region].amazonaws.com
  • aws ecr get-login -- https://aws.amazon.com/premiumsupport/knowledge-center/secondary-account-access-ecr/
    • `eval $(aws ecr get-login --no-include-email --region us-west-2)
  • Must explicitly create repository before you can push
  • For k8s use registry-creds: https://github.com/upmc-enterprises/registry-creds
• GCR
  • Only one registry per project based on project name -- gcr.io/tgik8s
  • Maps to a GCS bucket -- artifacts.tgik8s.appspot.com
  • Can make an entire registry public by adjusting permissions on GCR bucket: https://cloud.google.com/container-registry/docs/access-control
  • Auth -- 2.5 ways to do it! https://cloud.google.com/container-registry/docs/advanced-authentication
    • User/OAuth
      • gcloud docker -- push gcr.io/tgik8s/foo
      • Docker credential helper:
        • gcloud components install docker-credential-gcr
        • docker-credential-gcr configure-docker
    • GCP Service Account
      • Create service account
      • Give it Editor permissions on the GCR bucket
      • Download JSON key and use that as password with user _json_key
• Issue with kubectl 1.9.0 kubernetes/kubernetes#57427
  • k8s change that caused: kubernetes/kubernetes#53916
  • Fix in kubectl 1.9.1: kubernetes/kubernetes#57463
  • Original docker change from ~/.dockercfg to ~/.docker/config.json
    • moby/moby#12009

Remove cloud provider from cluster. This is a little hacky. It also might break your cluster. It did for me during the episode.

NODES=$(kubectl get nodes -o jsonpath="{range .items[*]}-H ubuntu@{.metadata.name} {end}")

sudo sed -e "/--cloud-provider=aws/d" -i /etc/kubernetes/manifests/kube-apiserver.yaml
sudo sed -e "/--cloud-provider=aws/d" -i /etc/kubernetes/manifests/kube-controller-manager.yaml

parallel-ssh -i -O StrictHostKeyChecking=no $NODES \
  sudo "sh -c 'sed -e "s/--cloud-provider=aws//g" -i /etc/systemd/system/kubelet.service.d/10-hostname.conf; \
        systemctl daemon-reload;
        systemctl restart kubelet'"