Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Warning

This page was translated from the original Japanese version by PLaMo Translate. The Japanese version is authoritative; the English translation may contain inaccuracies.

Using User-Managed Container Image Repositories

Note

This page provides instructions for using container images stored in user-managed container image registries. For information on using container images provided by PFCP, please refer to About PFCP-Provided Container Images.

PFCP supports pulling container images from private registries hosted on Amazon ECR and Google Artifact Registry. A system called the Image pull secrets provisioner is deployed, which automatically creates and updates secrets required for pulling images from ECR and Google Artifact Registry.

Launching Workloads Using Container Images from ECR

  1. On AWS, configure identity federation for the Kubernetes ServiceAccount you intend to use.

  2. Apply the following annotations to the ServiceAccount you wish to use:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      namespace: NAMESPACE
      name: SERVICE-ACCOUNT-NAME
      annotations:
        # Specify the ECR registry containing the container images you want to use.
        imagepullsecrets.preferred.jp/registry: 999999999999.dkr.ecr.LOCATION.amazonaws.com
        # Specify the aud value used for ECR access via identity federation.
        imagepullsecrets.preferred.jp/audience: sts.amazonaws.com
        # Specify the IAM Role to be used for AssumeRole during ECR access.
        imagepullsecrets.preferred.jp/aws-role-arn: arn:aws:iam::999999999999:role/ROLE-NAME
    
  3. Set the Pod to use this ServiceAccount by specifying the .spec.serviceAccountName field:

    apiVersion: v1
    kind: Pod
    metadata:
      name: POD-NAME
    spec:
      serviceAccountName: SERVICE-ACCOUNT-NAME
      ...
    
  4. Launch the Pod and verify that it can successfully pull images from ECR.

Launching Workloads Using Container Images from Google Artifact Registry

  1. On Google Cloud, configure identity federation for the Kubernetes ServiceAccount you intend to use.

  2. Apply the following annotations to the ServiceAccount you wish to use:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      namespace: NAMESPACE
      name: SERVICE-ACCOUNT-NAME
      annotations:
        # Specify the Google Artifact Registry containing the container images you want to use.
        imagepullsecrets.preferred.jp/registry: LOCATION-docker.pkg.dev
        # Specify the aud value used for Google Artifact Registry access via identity federation.
        imagepullsecrets.preferred.jp/audience: //iam.googleapis.com/projects/999999999999/locations/global/workloadIdentityPools/POOL-NAME/providers/PROVIDER-NAME
        # Specify the resource name of the Workload Identity provider for identity federation.
        imagepullsecrets.preferred.jp/googlecloud-workload-identity-provider: projects/999999999999/locations/global/workloadIdentityPools/POOL-NAME/providers/PROVIDER-NAME
        # Specify the email address of the Google service account used for identity federation.
        imagepullsecrets.preferred.jp/googlecloud-service-account-email: SERVICE-ACCOUNT-ID@PROJECT-NAME.iam.gserviceaccount.com
    
  3. Set the Pod to use this ServiceAccount by specifying the .spec.serviceAccountName field:

    apiVersion: v1
    kind: Pod
    metadata:
      name: POD-NAME
    spec:
      serviceAccountName: SERVICE-ACCOUNT-NAME
      ...
    
  4. Launch the Pod and verify that it can successfully pull images from Google Artifact Registry.

For more detailed information, please refer to the README for the image pull secrets provisioner.


  1. If you are using multiple PFCP clusters, configuration must be performed separately for each cluster. ↩2