When using image tags, if the image registry were to change the code that the tag on that image represents, you might end up with a mix of Pods running the old and new code. An image digest uniquely identifies a specific version of the image, so Kubernetes runs the same code every time it starts a container with that image name and digest specified. Specifying an image by digest fixes the code that you run so that a change at the registry cannot lead to that mix of versions.
182
+
When using image tags, if the image registry were to change the code that the tag on that image
183
+
represents, you might end up with a mix of Pods running the old and new code. An image digest
184
+
uniquely identifies a specific version of the image, so Kubernetes runs the same code every time
185
+
it starts a container with that image name and digest specified. Specifying an image by digest
186
+
fixes the code that you run so that a change at the registry cannot lead to that mix of versions.
184
187
185
188
There are third-party [admission controllers](/docs/reference/access-authn-authz/admission-controllers/)
186
189
that mutate Pods (and pod templates) when they are created, so that the
@@ -249,7 +252,8 @@ If you would like to always force a pull, you can do one of the following:
249
252
Kubernetes will set the policy to `Always` when you submit the Pod.
250
253
- Omit the `imagePullPolicy` and the tag for the image to use;
251
254
Kubernetes will set the policy to `Always` when you submit the Pod.
252
-
- Enable the [AlwaysPullImages](/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages) admission controller.
255
+
- Enable the [AlwaysPullImages](/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages)
256
+
admission controller.
253
257
-->
254
258
#### 必要的镜像拉取 {#required-image-pull}
255
259
@@ -262,7 +266,6 @@ If you would like to always force a pull, you can do one of the following:
As well as providing binary images, a container registry can also serve a [container image index](https://github.com/opencontainers/image-spec/blob/master/image-index.md). An image index can point to multiple [image manifests](https://github.com/opencontainers/image-spec/blob/master/manifest.md) for architecture-specific versions of a container. The idea is that you can have a name for an image (for example: `pause`, `example/mycontainer`, `kube-apiserver`) and allow different systems to fetch the right binary image for the machine architecture they are using.
299
+
As well as providing binary images, a container registry can also serve a
An image index can point to multiple [image manifests](https://github.com/opencontainers/image-spec/blob/master/manifest.md)
302
+
for architecture-specific versions of a container. The idea is that you can have a name for an image
303
+
(for example: `pause`, `example/mycontainer`, `kube-apiserver`) and allow different systems to
304
+
fetch the right binary image for the machine architecture they are using.
297
305
298
-
Kubernetes itself typically names container images with a suffix `-$(ARCH)`. For backward compatibility, please generate the older images with suffixes. The idea is to generate say `pause` image which has the manifest for all the arch(es) and say `pause-amd64` which is backwards compatible for older configurations or YAML files which may have hard coded the images with suffixes.
306
+
Kubernetes itself typically names container images with a suffix `-$(ARCH)`. For backward
307
+
compatibility, please generate the older images with suffixes. The idea is to generate say `pause`
308
+
image which has the manifest for all the arch(es) and say `pause-amd64` which is backwards
309
+
compatible for older configurations or YAML files which may have hard coded the images with
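Review bot: the `[container image index](https://github.com/opencontainers/image-spec/blob/master/image-index.md)` link from the original paragraph does not appear among the rewrapped lines: +299 ends at "can also serve a" and the next visible line already starts with "An image index can point", so the line carrying the link is either missing or not shown in this view. Please confirm that link line (and the trailing "suffixes." that closes the `-$(ARCH)` paragraph, which is also cut off here) survived the reflow. Separately, the hunk header reads `@@ -262,7 +266,6 @@` but the line numbers shown are 297..309, so this view appears to merge two hunks; worth re-checking the rendered diff rather than this listing.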
@@ -324,27 +336,27 @@ Credentials can be provided in several ways:
324
336
凭据可以用以下方式提供:
325
337
326
338
<!--
327
-
- Configuring Nodes to Authenticate to a Private Registry
328
-
- all pods can read any configured private registries
329
-
- requires node configuration by cluster administrator
330
-
- Kubelet Credential Provider to dynamically fetch credentials for private registries
331
-
- kubelet can be configured to use credential provider exec plugin
332
-
for the respective private registry.
333
-
- Pre-pulled Images
334
-
- all pods can use any images cached on a node
335
-
- requires root access to all nodes to set up
336
-
- Specifying ImagePullSecrets on a Pod
337
-
- only pods which provide own keys can access the private registry
338
-
- Vendor-specific or local extensions
339
-
- if you're using a custom node configuration, you (or your cloud
340
-
provider) can implement your mechanism for authenticating the node
341
-
to the container registry.
339
+
- Configuring Nodes to Authenticate to a Private Registry
340
+
- all pods can read any configured private registries
341
+
- requires node configuration by cluster administrator
342
+
- Kubelet Credential Provider to dynamically fetch credentials for private registries
343
+
- kubelet can be configured to use credential provider exec plugin
344
+
for the respective private registry.
345
+
- Pre-pulled Images
346
+
- all pods can use any images cached on a node
347
+
- requires root access to all nodes to set up
348
+
- Specifying ImagePullSecrets on a Pod
349
+
- only pods which provide own keys can access the private registry
350
+
- Vendor-specific or local extensions
351
+
- if you're using a custom node configuration, you (or your cloud
352
+
provider) can implement your mechanism for authenticating the node
353
+
to the container registry.
342
354
-->
343
355
- 配置节点向私有仓库进行身份验证
344
356
- 所有 Pod 均可读取任何已配置的私有仓库
345
357
- 需要集群管理员配置节点
346
358
- kubelet 凭据提供程序,动态获取私有仓库的凭据
347
-
- kubelet 可以被配置为使用凭据提供程序 exec 插件来访问对应的私有镜像库
359
+
- kubelet 可以被配置为使用凭据提供程序 exec 插件来访问对应的私有镜像库
348
360
- 预拉镜像
349
361
- 所有 Pod 都可以使用节点上缓存的所有镜像
350
362
- 需要所有节点的 root 访问权限才能进行设置
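Review bot: the Chinese line removed at 347 and re-added at +359 is byte-identical in this view ("kubelet 可以被配置为使用凭据提供程序 exec 插件来访问对应的私有镜像库"), so the change is presumably indentation only; please make sure it ends up nested under "kubelet 凭据提供程序" as a sub-bullet, matching the English source where "kubelet can be configured to use credential provider exec plugin" is a child of the credential-provider item. While touching it, consider using "私有仓库" for consistency with the surrounding translation ("配置节点向私有仓库进行身份验证", "所有 Pod 均可读取任何已配置的私有仓库") instead of "私有镜像库". The English comment block itself is a pure reflow with no wording changes.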
@@ -361,7 +373,8 @@ These options are explained in more detail below.
361
373
<!--
362
374
### Configuring nodes to authenticate to a private registry
363
375
364
-
Specific instructions for setting credentials depends on the container runtime and registry you chose to use. You should refer to your solution's documentation for the most accurate information.
376
+
Specific instructions for setting credentials depends on the container runtime and registry you
377
+
chose to use. You should refer to your solution's documentation for the most accurate information.
[Create a Secret based on existing Docker credentials](/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials) explains how to set this up.
604
+
[Create a Secret based on existing Docker credentials](/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials)
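Review bot: since line 376 ("Specific instructions for setting credentials depends on the container runtime") is being rewrapped anyway, the subject-verb agreement should be "instructions ... depend"; if the English comment must mirror upstream verbatim, raise it upstream and leave it as-is here so the blocks stay in sync. Also, the rewrapped link line at +604 ("[Create a Secret based on existing Docker credentials](...)") is shown without its continuation "explains how to set this up." that the removed line carried; please confirm that text is present on +605.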
@@ -654,7 +669,8 @@ This needs to be done for each pod that is using a private registry.
654
669
However, setting of this field can be automated by setting the imagePullSecrets
655
670
in a [ServiceAccount](/docs/tasks/configure-pod-container/configure-service-account/) resource.
656
671
657
-
Check [Add ImagePullSecrets to a Service Account](/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account) for detailed instructions.
672
+
Check [Add ImagePullSecrets to a Service Account](/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account)
673
+
for detailed instructions.
658
674
659
675
You can use this in conjunction with a per-node `.docker/config.json`. The credentials
660
676
will be merged.
@@ -682,7 +698,8 @@ common use cases and suggested solutions.
682
698
1. Cluster running only non-proprietary (e.g. open-source) images. No need to hide images.
683
699
- Use public images from a public registry
684
700
- No configuration required.
685
-
- Some cloud providers automatically cache or mirror public images, which improves availability and reduces the time to pull images.
701
+
- Some cloud providers automatically cache or mirror public images, which improves
702
+
availability and reduces the time to pull images.
686
703
-->
687
704
1. 集群运行非专有镜像(例如,开源镜像)。镜像不需要隐藏。
688
705
- 使用来自公共仓库的公共镜像
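Review bot: the continuation line "availability and reduces the time to pull images." at +702 belongs to a bullet nested two levels deep (under "1." and then "- Some cloud providers ..."), so it needs to be indented to that nested item's content column, deeper than the top-level list items rewrapped elsewhere in this change; otherwise the sentence fragment renders as a standalone paragraph in the English comment. The Chinese list that follows is unchanged in this hunk, which is fine since the English edit is reflow only.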
@@ -711,7 +728,8 @@ common use cases and suggested solutions.
711
728
712
729
<!--
713
730
1. Cluster with proprietary images, a few of which require stricter access control.
714
-
- Ensure [AlwaysPullImages admission controller](/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages) is active. Otherwise, all Pods potentially have access to all images.
is active. Otherwise, all Pods potentially have access to all images.
715
733
- Move sensitive data into a "Secret" resource, instead of packaging it in an image.
716
734
-->
717
735
3. 集群使用专有镜像,且有些镜像需要更严格的访问控制
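Review bot: the removed line 714 ("- Ensure [AlwaysPullImages admission controller](...) is active. Otherwise, all Pods potentially have access to all images.") is followed here only by the unmarked fragment "is active. Otherwise, all Pods potentially have access to all images."; the rewrapped first half carrying the `#alwayspullimages` link (the +731/+732 lines implied by the header `+728,8`) is not visible. Please confirm the link line is present, since this bullet is the one that explains why AlwaysPullImages matters for access control (without it, a Pod can use an image already cached on the node even though it presents no credentials for it), and check that the Chinese item "3. 集群使用专有镜像,且有些镜像需要更严格的访问控制" keeps the same warning.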
@@ -720,9 +738,11 @@ common use cases and suggested solutions.
720
738
721
739
<!--
722
740
1. A multi-tenant cluster where each tenant needs own private registry.
723
-
- Ensure [AlwaysPullImages admission controller](/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages) is active. Otherwise, all Pods of all tenants potentially have access to all images.
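Review bot: this hunk is cut off in the view after the removed line 723, and the replacement lines implied by the header `@@ -720,9 +738,11 @@` are not shown, so the rewrap of the multi-tenant bullet cannot be checked here; please verify that the `[AlwaysPullImages admission controller](/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages)` link and the "all Pods of all tenants potentially have access to all images" warning both survive, and that the continuation line is indented under the bullet as in the other rewrapped list items.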