Warning
This page was translated from the original Japanese version by PLaMo Translate. The Japanese version is authoritative; the English translation may contain inaccuracies.
Using User-Managed Container Image Repositories
Note
This page provides instructions for using container images stored in user-managed container image registries. For information on using container images provided by PFCP, please refer to About PFCP-Provided Container Images.
PFCP supports pulling container images from private registries hosted on Amazon ECR and Google Artifact Registry. A system called the Image pull secrets provisioner is deployed, which automatically creates and updates secrets required for pulling images from ECR and Google Artifact Registry.
Launching Workloads Using Container Images from ECR
-
On AWS, configure identity federation for the Kubernetes ServiceAccount you intend to use.
- Configure trust relationships to enable Pods using this ServiceAccount to pull images from ECR.
- For configuration details, refer to the AWS documentation Create an OpenID Connect (OIDC) identity provider in IAM - AWS Identity and Access Management.
- For the provider (issuer) URL, please refer to Regions and Compute Nodes.1
- If you’re using Terraform for AWS manifest management, also see the Terraform configuration example.
-
Apply the following annotations to the ServiceAccount you wish to use:
apiVersion: v1 kind: ServiceAccount metadata: namespace: NAMESPACE name: SERVICE-ACCOUNT-NAME annotations: # Specify the ECR registry containing the container images you want to use. imagepullsecrets.preferred.jp/registry: 999999999999.dkr.ecr.LOCATION.amazonaws.com # Specify the aud value used for ECR access via identity federation. imagepullsecrets.preferred.jp/audience: sts.amazonaws.com # Specify the IAM Role to be used for AssumeRole during ECR access. imagepullsecrets.preferred.jp/aws-role-arn: arn:aws:iam::999999999999:role/ROLE-NAME -
Set the Pod to use this ServiceAccount by specifying the
.spec.serviceAccountNamefield:apiVersion: v1 kind: Pod metadata: name: POD-NAME spec: serviceAccountName: SERVICE-ACCOUNT-NAME ... -
Launch the Pod and verify that it can successfully pull images from ECR.
Launching Workloads Using Container Images from Google Artifact Registry
-
On Google Cloud, configure identity federation for the Kubernetes ServiceAccount you intend to use.
- Configure trust relationships to enable Pods using this ServiceAccount to pull images from Google Artifact Registry.
- For configuration details, refer to the Google Cloud documentation Configure workload identity federation with Kubernetes | IAM Documentation | Google Cloud.
- For the provider (issuer) URL, please refer to Regions and Compute Nodes.1
- If you’re using Terraform for Google Cloud manifest management, also see the Terraform configuration example.
-
Apply the following annotations to the ServiceAccount you wish to use:
apiVersion: v1 kind: ServiceAccount metadata: namespace: NAMESPACE name: SERVICE-ACCOUNT-NAME annotations: # Specify the Google Artifact Registry containing the container images you want to use. imagepullsecrets.preferred.jp/registry: LOCATION-docker.pkg.dev # Specify the aud value used for Google Artifact Registry access via identity federation. imagepullsecrets.preferred.jp/audience: //iam.googleapis.com/projects/999999999999/locations/global/workloadIdentityPools/POOL-NAME/providers/PROVIDER-NAME # Specify the resource name of the Workload Identity provider for identity federation. imagepullsecrets.preferred.jp/googlecloud-workload-identity-provider: projects/999999999999/locations/global/workloadIdentityPools/POOL-NAME/providers/PROVIDER-NAME # Specify the email address of the Google service account used for identity federation. imagepullsecrets.preferred.jp/googlecloud-service-account-email: SERVICE-ACCOUNT-ID@PROJECT-NAME.iam.gserviceaccount.com -
Set the Pod to use this ServiceAccount by specifying the
.spec.serviceAccountNamefield:apiVersion: v1 kind: Pod metadata: name: POD-NAME spec: serviceAccountName: SERVICE-ACCOUNT-NAME ... -
Launch the Pod and verify that it can successfully pull images from Google Artifact Registry.
For more detailed information, please refer to the README for the image pull secrets provisioner.