Using Alauda Container Platform Registry in Kubernetes Cluster

The Alauda Container Platform (ACP) Registry provides secure container image management for Kubernetes workloads. When deploying applications within the cluster, use the ingress address (e.g. registry.cluster.local) for optimized performance and security.

Deploy Sample Application

  1. A namespace developer creates an application named my-app in the my-ns namespace.
  2. The application image is stored in the registry at registry.cluster.local/my-ns/my-app:v1.
  3. The default ServiceAccount in each namespace is automatically configured with an imagePullSecret for accessing images from registry.cluster.local.

Example Deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: my-ns
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: main-container
        image: registry.cluster.local/my-ns/my-app:v1
        ports:
        - containerPort: 8080

Cross-Namespace Access

To allow users from my-ns to pull images from shared-ns, the administrator of shared-ns can create a role binding to grant the necessary permissions.

Example Role Binding:

# Access images from shared namespace (requires permissions)
kubectl create rolebinding cross-ns-pull \
  --clusterrole=system:image-puller \
  --serviceaccount=my-ns:default \
  -n shared-ns

Best Practices

  • Use Registry: Always use registry.cluster.local for deployments to ensure security and performance.
  • Namespace Isolation: Leverage namespace isolation for better security and management of images.
    • Use namespace-based image paths: registry.cluster.local/<namespace>/<image>:<tag>.
  • Role Bindings: Use role bindings to manage cross-namespace access for users and service accounts.
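As an added illustration of the namespace-based image path convention and the cross-namespace pull binding above (example code written for this page, not part of ACP or its tooling), the following script audits the container images of a Deployment, as returned by kubectl get deploy -o json, and reports which references stay in the pod's own namespace, which rely on a system:image-puller role binding that exists, which lack one, and which point outside registry.cluster.local. The Deployment and role-binding inputs are constructed inline; the simplified role-binding shape and the verdict labels are this example's own assumptions.

```python
import re

INTERNAL_REGISTRY = "registry.cluster.local"
PULL_ROLE = "system:image-puller"

# <registry>/<namespace>/<image>[:<tag>][@sha256:<digest>]
IMAGE_RE = re.compile(
    r"^(?P<registry>[^/]+)/(?P<ns>[^/]+)/(?P<name>[^/:@]+)"
    r"(?::(?P<tag>[^@]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$")


def classify_image(image, pod_ns, service_account, rolebindings):
    """Classify one image reference relative to the pod that will pull it.

    rolebindings: list of dicts {namespace, clusterrole, subjects}, a
    simplified (assumed) shape of `kubectl get rolebinding -A -o json`.
    """
    m = IMAGE_RE.match(image)
    if not m:
        return "malformed"
    if m["registry"] != INTERNAL_REGISTRY:
        return "external-registry"          # bypasses the internal registry
    if not (m["tag"] or m["digest"]):
        return "untagged"                   # mutable reference, not pinned
    if m["ns"] == pod_ns:
        return "ok"                         # same-namespace path, no binding needed
    subject = f"system:serviceaccount:{pod_ns}:{service_account}"
    for rb in rolebindings:
        if (rb["namespace"] == m["ns"] and rb["clusterrole"] == PULL_ROLE
                and subject in rb["subjects"]):
            return "cross-namespace-granted"
    return "cross-namespace-missing-binding"


def audit_deployment(deployment, rolebindings):
    """Return {container_name: verdict} for every (init)container in the Deployment."""
    ns = deployment["metadata"]["namespace"]
    pod = deployment["spec"]["template"]["spec"]
    sa = pod.get("serviceAccountName", "default")
    containers = pod.get("containers", []) + pod.get("initContainers", [])
    return {c["name"]: classify_image(c["image"], ns, sa, rolebindings) for c in containers}


SAMPLE_DEPLOYMENT = {  # constructed input, shaped like `kubectl get deploy my-app -n my-ns -o json`
    "metadata": {"name": "my-app", "namespace": "my-ns"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "main-container", "image": "registry.cluster.local/my-ns/my-app:v1"},
        {"name": "sidecar", "image": "registry.cluster.local/shared-ns/sidecar:2.0"},
        {"name": "debug", "image": "registry.cluster.local/other-ns/tools:latest"},
        {"name": "proxy", "image": "docker.io/library/nginx:1.25"},
        {"name": "legacy", "image": "registry.cluster.local/my-ns/legacy"}]}}}}
SAMPLE_ROLEBINDINGS = [  # constructed; mirrors the cross-ns-pull binding created above
    {"namespace": "shared-ns", "clusterrole": PULL_ROLE,
     "subjects": ["system:serviceaccount:my-ns:default"]}]

if __name__ == "__main__":
    for name, verdict in audit_deployment(SAMPLE_DEPLOYMENT, SAMPLE_ROLEBINDINGS).items():
        print(f"{name}: {verdict}")
```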

Verification Checklist

  1. Validate image accessibility for the default ServiceAccount in my-ns:

     kubectl auth can-i get images.registry.alauda.io --namespace my-ns --as=system:serviceaccount:my-ns:default

  2. Validate image accessibility for a user in my-ns:

     kubectl auth can-i get images.registry.alauda.io --namespace my-ns --as=<username>

Troubleshooting

  • Image Pull Errors: Check the imagePullSecrets in the pod spec and ensure they are correctly configured.
  • Permission Denied: Ensure the user or ServiceAccount has the necessary role bindings in the target namespace.
  • Network Issues: Verify network policies and service configurations to ensure connectivity to the internal registry.