tencent cloud

Feedback

TKE Serverless Clusters Pull TCR Container Images

Last updated: 2023-05-08 16:19:30

    Overview

    This document describes how to pull container images in a Tencent Container Registry (TCR) Enterprise Edition instance in a Tencent Kubernetes Engine (TKE) Serverless cluster and to create workloads.

    Prerequisites

    Before using a private image hosted in TCR Enterprise Edition to deploy applications in TKE, complete the following operations:
    If you are using a sub-account, you must have granted the sub-account operation permissions for the corresponding instance. For more information, see Example of Authorization Solution of TCR Enterprise.

    Directions

    Preparing a container image

    Step 1: Creating a namespace

    A new TCR Enterprise Edition instance does not have a default namespace, and a namespace cannot be automatically created through the pushed image. Therefore, you must manually create a namespace as needed. For more information, see Managing Namespaces.
    We recommend that you name the namespace based on the project or team name. In this document, docker is used as an example. The following page appears after the namespace is created.
    

    Step 2: (Optional) Creating an image repository

    Container images are hosted in specific image repositories. You can create an image repository as needed. For more information, see Creating an image repository. Set the image repository name to the name of the container image to be deployed. In this document, getting-started is used as an example. The following page appears after the image repository is created.
    
    Note
    Use Docker CLI or another image tool, such as Jenkins, to push the image to the TCR Enterprise Edition instance. If no image repository exists, an image repository will be automatically created. You do not need to create one in advance.

    Step 3: Pushing container images

    1. You can use Docker CLI or another image tool, such as Jenkins, to push an image to a specific image repository. Here, Docker CLI is used to push images. To push a container image, you need to use a CVM or CPM instance with Docker installed and ensure that the client is allowed to access the instance. For more information, see Network Access Control Overview.
    2. Obtain an access credential for the TCR Enterprise Edition instance and run the docker login command to log in to the instance. For more information about how to obtain an instance access credential, see Obtaining an Instance Access Credential.
    3. Create a container image on the local server or obtain a public image from Docker Hub for testing. This document uses the latest Nginx image on the official Docker Hub website as an example. In the command-line tool, run the following commands sequentially to push this image. Note to replace demo-tcr, docker, and getting-started with the actual instance, namespace, and image repository names that you created.
    docker tag getting-started:latest demo-tcr.tencentcloudcr.com/docker/getting-started:latest
    
    docker push demo-tcr.tencentcloudcr.com/docker/getting-started:latest
    
    4. After the image is pushed, you can go to the Image Repository page in the TCR console and click the name of a repository to view its details.

    Configuring a TKE Serverless cluster to access a TCR instance

    For your data security, TCR and TKE Serverless deny all public and private access requests by default. Therefore, you must configure the network access policies before deploying the TCR image to TKE Serverless.
    TCR Enterprise Edition instances support network access control. You can select public network or private network access for a TKE Serverless cluster to access a specific instance and pull the container image based on the network configuration of the TKE Serverless cluster. If the TKE Serverless cluster and TCR instance are deployed in the same region, we recommend that the TKE Serverless cluster pulls the container image through the private network to accelerate pulling and reduce public network traffic costs.
    This document describes how to access a TCR instance through the private network. For more information about how to access a TCR instance through the public network, see Accessing Internet through NAT Gateway.

    Step 1: Associating the VPC where the cluster is located to the TCR instance

    For your data security, the new TCR instance denies all external access requests by default. To allow the specified TKE Serverless cluster to access the TCR instance to pull the image, you must associate the VPC where the cluster resides to the TCR instance, and configure the corresponding private network domain parsing service.

    Step 2: Obtaining a TCR instance access credential

    Before pulling container images from a TCR instance, you need to log in to the instance with the credential. For more information, see Obtaining an Instance Access Credential. Keep the long-term access credential of this instance for later configuration and deployment of TCR images.

    Using the container image in the TCR instance to create a workload

    1. Log in to the TKE console.
    2. On the cluster list page, click the ID of the target Serverless cluster to go to the cluster details page.
    3. On the cluster details page, choose Workload > Deployment in the left sidebar.
    4. On the Deployment page, click Create.
    5. On the New deployment page, specify the following parameters to create a workload:
    Namespace: Select a namespace in the cluster as needed.
    Containers in the Pod:
    Image: Click Select Image, select Tencent Container Registry - Enterprise in the pop-up window, and select the region, instance, and image repository based on your needs. See the figure below:
    
    Image Tag: Click Select Image Tag, and select a tag for the image repository based on your needs in the pop-up window. If you do not select one, latest is used by default.
    Image Access Credential: Click Add Image Access Credential, and select Use New Access Credential from the drop-down list. See the figure below:
    
    Click Configure Access Credential Information, and enter the repository domain name, username, and password for the image in the pop-up window.
    Repository Domain Name: Log in to the TCR console and click Image Repository in the left sidebar to get the repository address of the required image.
    Username: Go to Account Info to get the account ID. The account ID is your username.
    Password: The access credential obtained in Step 2 is the password.
    Access Settings (Service): You can deploy various containers in Kubernetes. Some of them provide layer-7 network service over HTTP or HTTPS, and others provide layer-4 network service over TCP or UDP. Service resources defined by Kubernetes are used to manage the service access for layer-4 network in the cluster. Specify the following parameters to complete access settings:
    Service: Select Enable.
    Service Access: Select Via VPC.
    6. Click Create Deployment and view the deployment progress. After the workload is deployed, "Number of Running/Desired Pods" for the workload becomes "1/1" on the Deployment page, as shown in the figure below:
    
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support