controller manager
component must contain authentication-kubeconfig
and authorization-kubeconfig
(enabled by default in TKE v.12.x).Name | Type | Resource Amount | Namespace |
tcr-assistant-system | Namespace | 1 | - |
tcr-assistant-manager-role | ClusterRole | 1 | - |
tcr-assistant-manager-rolebinding | ClusterRoleBinding | 1 | - |
tcr-assistant-leader-election-role | Role | 1 | tcr-assistant-system |
tcr-assistant-leader-election-rolebinding | RoleBinding | 1 | tcr-assistant-system |
tcr-assistant-webhook-server-cert | Secret | 1 | tcr-assistant-system |
tcr-assistant-webhook-service | Service | 1 | tcr-assistant-system |
tcr-assistant-validating-webhook-configuration | ValidatingWebhookConfiguration | 1 | tcr-assistant-system |
imagepullsecrets.tcr.tencentcloudcr.com | CustomResourceDefinition | 1 | tcr-assistant-system |
tcr.ips* | ImagePullSecret CRD | (2-3) | tcr-assistant-system |
tcr.ips* | Secret | (2-3)*{Namespace No.} | tcr-assistant-system |
tcr-assistant-controller-manager | Deployment | 1 | tcr-assistant-system |
updater-config | ConfigMap | 1 | tcr-assistant-system |
hosts-updater | DaemonSet | {Node No.} | tcr-assistant-system |
Component | Resource Usage | Instance Quantity |
tcr-assistant-controller-manager | CPU:500m memory:512Mi | 1 |
hosts-updater | CPU:100m memory:100Mi | Number of worker nodes |
Feature | Involved Object | Involved Operation Permission |
Requiring/supporting the feature of password-free pull of images, i.e. proactively managing image credentials (secret) for clients. | Secret | watch, create, update, patch, and delete |
apiVersion: rbac.authorization.k8s.io/v1kind: Rolemetadata:name: tcr-assistant-leader-election-rolenamespace: tcr-assistant-systemrules:- apiGroups:- ""resources:- configmapsverbs:- get- list- watch- create- update- patch- delete- apiGroups:- ""resources:- configmaps/statusverbs:- get- update- patch- apiGroups:- ""resources:- eventsverbs:- create---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRolemetadata:creationTimestamp: nullname: tcr-assistant-manager-rolenamespace: tcr-assistant-systemrules:- apiGroups:- ""resources:- secretsverbs:- create- delete- patch- update- watch- apiGroups:- admissionregistration.k8s.ioresources:- validatingwebhookconfigurationsverbs:- create- get- patch- apiGroups:- certificates.k8s.ioresources:- certificatesigningrequestsverbs:- create- delete- get- apiGroups:- certificates.k8s.ioresources:- certificatesigningrequests/approvalverbs:- update- apiGroups: ["certificates.k8s.io"]resources:- "signers"# # resourceNames:# # # Support legacy versions, before signerName was added# # - "kubernetes.io/legacy-unknown"verbs:- approve- apiGroups:- ""resources:- namespacesverbs:- get- list- watch- apiGroups:- ""resources:- namespaces/statusverbs:- get- apiGroups:- ""resources:- serviceaccountsverbs:- get- list- patch- update- watch- apiGroups:- ""resources:- serviceaccounts/statusverbs:- get- patch- update- apiGroups:- tcr.tencentcloudcr.comresources:- imagepullsecretsverbs:- create- delete- get- list- patch- update- watch- apiGroups:- tcr.tencentcloudcr.comresources:- imagepullsecrets/statusverbs:- get- patch- update
imagePullSecret
to any namespace, and associate it with the ServiceAccount
of the namespace. If you do no explicitly specify the imagePullSecret
and serviceAccount
when create the workload, K8s will try find the matched imagePullSecret
from the ServiceAccount
named default
under the namespace.Name | Alias | Description |
ImagePullSecret | ips, ipss | The CRD defined by TCR Assistant. It’s used to store the username and password of the image repository, and issue the target Namespace and ServiceAccount . |
imagepullsecrets.tcr.tencentcloudcr.com
is created automatically. This CRD’s kind
is ImagePullSecret
, and its version is tcr.tencentcloudcr.com/v1
, with the alias as ips
or ipss
.Namespace
and ServiceAccount
in the cluster. When there are resource changes, it checks whether the changes match the rules set in ImagePullSecret
. If yes, it automatically deploys the Secret required to pull the private image repository. TCR Assistant is usually deployed in a K8s cluster, and accesses K8s master API in in cluster
mode.ImagePullSecret
using kubectl or Client Go.# Create ImagePullSecret resource$ kubectl create -f allinone/imagepullsecret-sample.yamlimagepullsecret.tcr.tencentcloudcr.com/imagepullsecret-sample created
ImagePullSecret
resource sample file (allinone/imagepullsecret-sample.yaml): apiVersion: tcr.tencentcloudcr.com/v1kind: ImagePullSecretmetadata:name: imagepullsecret-samplespec:namespaces: "*"serviceAccounts: "*"docker:username: "100012345678"password: tcr.jwt.tokenserver: fanjiankong-bj.tencentcloudcr.com
ImagePullSecret
spec fields: Field | Description | Remarks |
namespaces | NameSpace matching rule | Match any namespace: * or blank; Match any of multiple namespaces: enter the resource names and separate them with , . Note: Expressions are not supported. Please enter the exact resource name. |
serviceAccounts | serviceAccounts matching rule | Match any namespace: * or blank; Match any of multiple namespaces: enter the resource names and separate them with , . Note: Expressions are not supported. Please enter the exact resource name. |
docker.server | Image repository domain name | Please enter only the repository domain name |
docker.username | Image repository username | Make sure the user has all the required permissions |
docker.password | Password of the image repository username | - |
# List ImagePullSecret information$ kubectl get ipssNAME NAMESPACES SERVICE-ACCOUNTS SECRETS-DESIRED SECRETS-SUCCESSimagepullsecret-sample * * 10 10# Check details$ kubectl describe ipssName: imagepullsecret-sampleNamespace:Labels: <none>Annotations: <none>API Version: tcr.tencentcloudcr.com/v1Kind: ImagePullSecretMetadata:Creation Timestamp: 2021-12-01T06:47:34ZGeneration: 1Manager: kubectl-client-side-applyOperation: UpdateTime: 2021-12-01T06:47:34ZAPI Version: tcr.tencentcloudcr.com/v1Manager: managerOperation: UpdateTime: 2021-12-01T06:47:38ZResource Version: 30389349UID: 2109f384-240b-405c-9ce8-73ce938a7c2fSpec:Docker:Password: tcr.jwt.tokenServer: fanjiankong-bj.tencentcloudcr.comUsername: 100012345678Namespaces: *Service Accounts: *Status:S As Desired: 47S As Success: 1Secret Update Successful:Namespaced Name: kube-public/tcr.ipsimagepullsecret-sampleUpdated At: 2021-12-01T06:47:36ZNamespaced Name: devtools/tcr.ipsimagepullsecret-sampleUpdated At: 2021-12-01T06:47:36ZNamespaced Name: demo/tcr.ipsimagepullsecret-sampleUpdated At: 2021-12-01T06:47:36ZNamespaced Name: kube-system/tcr.ipsimagepullsecret-sampleUpdated At: 2021-12-01T06:47:36ZNamespaced Name: tcr-assistant-system/tcr.ipsimagepullsecret-sampleUpdated At: 2021-12-01T06:47:36ZNamespaced Name: kube-node-lease/tcr.ipsimagepullsecret-sampleUpdated At: 2021-12-01T06:47:36ZNamespaced Name: cert-manager/tcr.ipsimagepullsecret-sampleUpdated At: 2021-12-01T06:47:36ZNamespaced Name: default/tcr.ipsimagepullsecret-sampleUpdated At: 2021-12-01T06:47:36ZNamespaced Name: afm/tcr.ipsimagepullsecret-sampleUpdated At: 2021-12-01T06:47:37ZNamespaced Name: lens-metrics/tcr.ipsimagepullsecret-sampleUpdated At: 2021-12-01T06:47:37ZSecrets Desired: 10Secrets Success: 10Service Accounts Modify Successful:Namespaced Name: default/defaultUpdated At: 2021-12-01T06:47:38ZEvents: <none>
Secret
resource of the TCR Assistant deployment, there's no need to delete and rebuild the ImagePullSecret
resource. Simply editing the docker.username
and docker.password
fields will make it effective. For instance:$ kubectl edit ipss imagepullsecret-sample
Namespace
, it checks whether the name of the resource matches the namespaces
field of ImagePullSecret
. If the names are not matched, it goes to the next step. If the names are matched, K8s API is invoked to create a Secret
resource, and the Secret
name is added to the imagePullSecrets
of ServiceAccount
. See below for examples: # Check the Secret automatically deployed under newns$ kubectl get secrets -n newnsNAME TYPE DATA AGEtcr.ipsimagepullsecret-sample kubernetes.io/dockerconfigjson 1 7m2sdefault-token-nb5vw kubernetes.io/service-account-token 3 7m2s# Check the Secret automatically associated with the `ServiceAccount` resource name `default` under newns$ kubectl get serviceaccounts default -o yaml -n newnsapiVersion: v1imagePullSecrets:- name: tcr.ipsimagepullsecret-samplekind: ServiceAccountmetadata:creationTimestamp: "2021-12-01T07:09:56Z"name: defaultnamespace: newnsresourceVersion: "30392461"uid: 7bc67144-3685-4666-ba41-b1447bbbaa38secrets:- name: default-token-nb5vw
ServiceAccount
, it checks whether the name of the resource matches the serviceAccounts
field of ImagePullSecret
. If the names are not matched, it goes to the next step. If the names are matched, K8s API is invoked to create or update Secret
resource, and the Secret
name is added to the imagePullSecrets
field of ServiceAccount
. See below for examples: # Create ServiceAccount resource under newns$ kubectl create sa kung -n newnsserviceaccount/kung created# Check the Secret automatically associated with the newly-created `ServiceAccount` resource name `kung` under newns$ kubectl get serviceaccounts kung -o yaml -n newnsapiVersion: v1imagePullSecrets:- name: tcr.ipsimagepullsecret-samplekind: ServiceAccountmetadata:creationTimestamp: "2021-12-01T07:19:12Z"name: kungnamespace: newnsresourceVersion: "30393760"uid: e236829e-d88e-4feb-9e80-5e4a40f2aea2secrets:- name: kung-token-fljt8
Was this page helpful?