tencent cloud

Feedback

TCR Introduction

Last updated: 2024-02-05 16:00:10

    Overview

    Add-on Description

    TCR Addon is a plug-in provided by the Tencent Container Registry (TCR) service for private-network and Secret-free pulling of container images. After this plug-in is installed in a TKE cluster, cluster nodes can pull container images from Enterprise Edition instances over the private network, without the need for explicit configuration of ImagePullSecret in the cluster resource YAML file. This plug-in can accelerate image pulling in TKE clusters and simplify image configuration.
    Note:
    The TKE cluster version must be v1.10.x or later. We recommend that you use this add-on in TKE v1.12.x or later.
    The startup parameters of the Kubernetes controller manager component must contain authentication-kubeconfig and authorization-kubeconfig (enabled by default in TKE v.12.x).

    Kubernetes objects deployed in a cluster

    Name
    Type
    Resource Amount
    Namespace
    tcr-assistant-system
    Namespace
    1
    -
    tcr-assistant-manager-role
    ClusterRole
    1
    -
    tcr-assistant-manager-rolebinding
    ClusterRoleBinding
    1
    -
    tcr-assistant-leader-election-role
    Role
    1
    tcr-assistant-system
    tcr-assistant-leader-election-rolebinding
    RoleBinding
    1
    tcr-assistant-system
    tcr-assistant-webhook-server-cert
    Secret
    1
    tcr-assistant-system
    tcr-assistant-webhook-service
    Service
    1
    tcr-assistant-system
    tcr-assistant-validating-webhook-configuration
    ValidatingWebhookConfiguration
    1
    tcr-assistant-system
    imagepullsecrets.tcr.tencentcloudcr.com
    CustomResourceDefinition
    1
    tcr-assistant-system
    tcr.ips*
    ImagePullSecret CRD
    (2-3)
    tcr-assistant-system
    tcr.ips*
    Secret
    (2-3)*{Namespace No.}
    tcr-assistant-system
    tcr-assistant-controller-manager
    Deployment
    1
    tcr-assistant-system
    updater-config
    ConfigMap
    1
    tcr-assistant-system
    hosts-updater
    DaemonSet
    {Node No.}
    tcr-assistant-system

    Component resource usage

    Component
    Resource Usage
    Instance Quantity
    tcr-assistant-controller-manager
    CPU:500m
    memory:512Mi
    1
    hosts-updater
    CPU:100m
    memory:100Mi
    Number of worker nodes

    Use Cases

    Pulling images without a Secret

    For a Kubernetes cluster to pull private images, you must create access credential Secret resources, configure the ImagePullSecret attribute in the YAML file of the resources, and explicitly specify the created Secret. The overall configuration process is complicated, and image pull will fail if the Secret is not configured or the specified Secret is incorrect. In face of this problem, you can install the TCR add-on in the cluster. The add-on automatically obtains the access credential of the specified TCR Enterprise Edition instance and delivers it to the specified namespace of the TKE cluster. When using the YAML file to create or update resources, you do not need to configure ImagePullSecret. Instead, the cluster automatically uses the delivered access credential to pull images from the TCR Enterprise Edition instance.

    Pulling images over the private network

    The add-on automatically creates a DaemonSet workload, host-updater, which is used to update the host configuration of nodes in the cluster. Note that this configuration is only recommended for test scenarios. For resolving, you can use the private network linkage provided by TCR, PrivateDNS, or your own DNS service.

    Limits

    For use cases of secret-free image pulling:
    Users must have the permission to obtain the access credential of the specified TCR Enterprise Edition instance, that is, the permission to call the CreateInstanceToken API. We recommend that users with TCR admin permissions configure this add-on.
    After the add-on is installed and takes effect, do not repeatedly specify ImagePullSecret in the resource YAML file. Otherwise, nodes may use the incorrect image pull access credential, leading to pull failures.

    Component Permission Description

    Note:
    The Permission Scenarios section only lists the permissions related to the core features of the components, for a complete permission list, please refer to the Permission Definition.

    Permission Description

    The permission of this component is the minimal dependency required for the current feature to operate.

    Permission Scenarios

    Feature
    Involved Object
    Involved Operation Permission
    Requiring/supporting the feature of password-free pull of images, i.e. proactively managing image credentials (secret) for clients.
    Secret
    watch, create, update, patch, and delete

    Permission Definition

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
    name: tcr-assistant-leader-election-role
    namespace: tcr-assistant-system
    rules:
    - apiGroups:
    - ""
    resources:
    - configmaps
    verbs:
    - get
    - list
    - watch
    - create
    - update
    - patch
    - delete
    - apiGroups:
    - ""
    resources:
    - configmaps/status
    verbs:
    - get
    - update
    - patch
    - apiGroups:
    - ""
    resources:
    - events
    verbs:
    - create
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
    creationTimestamp: null
    name: tcr-assistant-manager-role
    namespace: tcr-assistant-system
    rules:
    - apiGroups:
    - ""
    resources:
    - secrets
    verbs:
    - create
    - delete
    - patch
    - update
    - watch
    - apiGroups:
    - admissionregistration.k8s.io
    resources:
    - validatingwebhookconfigurations
    verbs:
    - create
    - get
    - patch
    - apiGroups:
    - certificates.k8s.io
    resources:
    - certificatesigningrequests
    verbs:
    - create
    - delete
    - get
    - apiGroups:
    - certificates.k8s.io
    resources:
    - certificatesigningrequests/approval
    verbs:
    - update
    - apiGroups: ["certificates.k8s.io"]
    resources:
    - "signers"
    # # resourceNames:
    # # # Support legacy versions, before signerName was added
    # # - "kubernetes.io/legacy-unknown"
    verbs:
    - approve
    - apiGroups:
    - ""
    resources:
    - namespaces
    verbs:
    - get
    - list
    - watch
    - apiGroups:
    - ""
    resources:
    - namespaces/status
    verbs:
    - get
    - apiGroups:
    - ""
    resources:
    - serviceaccounts
    verbs:
    - get
    - list
    - patch
    - update
    - watch
    - apiGroups:
    - ""
    resources:
    - serviceaccounts/status
    verbs:
    - get
    - patch
    - update
    - apiGroups:
    - tcr.tencentcloudcr.com
    resources:
    - imagepullsecrets
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
    - apiGroups:
    - tcr.tencentcloudcr.com
    resources:
    - imagepullsecrets/status
    verbs:
    - get
    - patch
    - update

    Operation step

    1. Log into the Tencent Kubernetes Engine Console, and choose Cluster from the left navigation bar.
    2. In the Cluster list, click the desired Cluster ID to access its detailed page.
    3. Select Add-on management from the left-side menu, and click Create on the Add-on management page.
    4. On the Create an Add-On page, select TCR, and click Parameter Configuration.
    5. On the TCR Component Parameter Configuration page, refer to the following information for configuration:
    Select an associated instance: select an existing instance of the TCR Enterprise edition under the currently logged-in account and confirm that the currently logged-in user has permission to create a long-term access credential for the instance. If you need to create a new Enterprise Edition instance, create it in the region where the current cluster is located.
    Configure password-free pulling (enabled by default): you can choose to issue the access credential automatically for the current user, or specify the username and password. You can also configure the namespace and ServiceAccount for the desired Secret-free pulling. We recommend that you keep the default configuration to make sure this feature works on the new namespace.
    Configure private network resolving (advanced feature): make sure that there is already a private network linkage between the cluster and the associated TCR instance, and enable the private network resolving feature. Note that this configuration is only recommended for test scenarios. For resolving, you can use the private network linkage provided by TCR, orPrivateDNS, or your own DNS service.
    6. Click Complete to create the component. After the component is created, if you need to modify the related configuration, please delete the component to reconfigure and install.
    Note:
    When the TCR add-on is deleted, the created dedicated access credential is not automatically deleted. You can go to the TCR console to manually disable or delete the credential.

    How It Works

    Overview

    TCR Assistant helps you implement the auto-process of deploying k8s imagePullSecret to any namespace, and associate it with the ServiceAccount of the namespace. If you do no explicitly specify the imagePullSecret and serviceAccount when create the workload, K8s will try find the matched imagePullSecret from the ServiceAccount named default under the namespace.

    Glossary

    Name
    Alias
    Description
    ImagePullSecret
    ips, ipss
    The CRD defined by TCR Assistant. It’s used to store the username and password of the image repository, and issue the target Namespace and ServiceAccount.

    How it works

    
    
    
    TCR Assistant is a classic K8s Operator. Upon deployment of TCR Assistant, the CRD object imagepullsecrets.tcr.tencentcloudcr.com is created automatically. This CRD’s kind is ImagePullSecret, and its version is tcr.tencentcloudcr.com/v1, with the alias as ips or ipss.
    TCR Assistant keeps watching the resource status of Namespace and ServiceAccount in the cluster. When there are resource changes, it checks whether the changes match the rules set in ImagePullSecret. If yes, it automatically deploys the Secret required to pull the private image repository. TCR Assistant is usually deployed in a K8s cluster, and accesses K8s master API in in cluster mode.

    Creating CRD resources

    When TCR Assistant is deployed, the Secret used to pull TCR image is not deployed in the target K8s cluster. You need to create ImagePullSecret using kubectl or Client Go.
    # Create ImagePullSecret resource
    $ kubectl create -f allinone/imagepullsecret-sample.yaml
    
    imagepullsecret.tcr.tencentcloudcr.com/imagepullsecret-sample created
    ImagePullSecret resource sample file (allinone/imagepullsecret-sample.yaml):
    apiVersion: tcr.tencentcloudcr.com/v1
    kind: ImagePullSecret
    metadata:
    name: imagepullsecret-sample
    spec:
    namespaces: "*"
    serviceAccounts: "*"
    docker:
    username: "100012345678"
    password: tcr.jwt.token
    server: fanjiankong-bj.tencentcloudcr.com
    Description of ImagePullSecret spec fields:
    Field
    Description
    Remarks
    namespaces
    NameSpace matching rule
    Match any namespace: * or blank; Match any of multiple namespaces: enter the resource names and separate them with ,. Note: Expressions are not supported. Please enter the exact resource name.
    serviceAccounts
    serviceAccounts matching rule
    Match any namespace: * or blank; Match any of multiple namespaces: enter the resource names and separate them with ,. Note: Expressions are not supported. Please enter the exact resource name.
    docker.server
    Image repository domain name
    Please enter only the repository domain name
    docker.username
    Image repository username
    Make sure the user has all the required permissions
    docker.password
    Password of the image repository username
    -
    After the creation, you can run the following command to check execution result of TCR Assistant:
    # List ImagePullSecret information
    $ kubectl get ipss
    NAME NAMESPACES SERVICE-ACCOUNTS SECRETS-DESIRED SECRETS-SUCCESS
    imagepullsecret-sample * * 10 10
    
    # Check details
    $ kubectl describe ipss
    Name: imagepullsecret-sample
    Namespace:
    Labels: <none>
    Annotations: <none>
    API Version: tcr.tencentcloudcr.com/v1
    Kind: ImagePullSecret
    Metadata:
    Creation Timestamp: 2021-12-01T06:47:34Z
    Generation: 1
    Manager: kubectl-client-side-apply
    Operation: Update
    Time: 2021-12-01T06:47:34Z
    API Version: tcr.tencentcloudcr.com/v1
    Manager: manager
    Operation: Update
    Time: 2021-12-01T06:47:38Z
    Resource Version: 30389349
    UID: 2109f384-240b-405c-9ce8-73ce938a7c2f
    Spec:
    Docker:
    Password: tcr.jwt.token
    Server: fanjiankong-bj.tencentcloudcr.com
    Username: 100012345678
    Namespaces: *
    Service Accounts: *
    Status:
    S As Desired: 47
    S As Success: 1
    Secret Update Successful:
    Namespaced Name: kube-public/tcr.ipsimagepullsecret-sample
    Updated At: 2021-12-01T06:47:36Z
    Namespaced Name: devtools/tcr.ipsimagepullsecret-sample
    Updated At: 2021-12-01T06:47:36Z
    Namespaced Name: demo/tcr.ipsimagepullsecret-sample
    Updated At: 2021-12-01T06:47:36Z
    Namespaced Name: kube-system/tcr.ipsimagepullsecret-sample
    Updated At: 2021-12-01T06:47:36Z
    Namespaced Name: tcr-assistant-system/tcr.ipsimagepullsecret-sample
    Updated At: 2021-12-01T06:47:36Z
    Namespaced Name: kube-node-lease/tcr.ipsimagepullsecret-sample
    Updated At: 2021-12-01T06:47:36Z
    Namespaced Name: cert-manager/tcr.ipsimagepullsecret-sample
    Updated At: 2021-12-01T06:47:36Z
    Namespaced Name: default/tcr.ipsimagepullsecret-sample
    Updated At: 2021-12-01T06:47:36Z
    Namespaced Name: afm/tcr.ipsimagepullsecret-sample
    Updated At: 2021-12-01T06:47:37Z
    Namespaced Name: lens-metrics/tcr.ipsimagepullsecret-sample
    Updated At: 2021-12-01T06:47:37Z
    Secrets Desired: 10
    Secrets Success: 10
    Service Accounts Modify Successful:
    Namespaced Name: default/default
    Updated At: 2021-12-01T06:47:38Z
    Events: <none>
    
    Note:
    If it's necessary to update the Secret resource of the TCR Assistant deployment, there's no need to delete and rebuild the ImagePullSecret resource. Simply editing the docker.username and docker.password fields will make it effective. For instance:
    $ kubectl edit ipss imagepullsecret-sample

    Namespace updates

    When TCR Assistant detects new K8s Namespace, it checks whether the name of the resource matches the namespaces field of ImagePullSecret. If the names are not matched, it goes to the next step. If the names are matched, K8s API is invoked to create a Secret resource, and the Secret name is added to the imagePullSecrets of ServiceAccount. See below for examples:
    # Check the Secret automatically deployed under newns
    $ kubectl get secrets -n newns
    NAME TYPE DATA AGE
    tcr.ipsimagepullsecret-sample kubernetes.io/dockerconfigjson 1 7m2s
    default-token-nb5vw kubernetes.io/service-account-token 3 7m2s
    
    # Check the Secret automatically associated with the `ServiceAccount` resource name `default` under newns
    $ kubectl get serviceaccounts default -o yaml -n newns
    apiVersion: v1
    imagePullSecrets:
    - name: tcr.ipsimagepullsecret-sample
    kind: ServiceAccount
    metadata:
    creationTimestamp: "2021-12-01T07:09:56Z"
    name: default
    namespace: newns
    resourceVersion: "30392461"
    uid: 7bc67144-3685-4666-ba41-b1447bbbaa38
    secrets:
    - name: default-token-nb5vw
    

    ServiceAccount updates

    When TCR Assistant detects new K8s ServiceAccount, it checks whether the name of the resource matches the serviceAccounts field of ImagePullSecret. If the names are not matched, it goes to the next step. If the names are matched, K8s API is invoked to create or update Secret resource, and the Secret name is added to the imagePullSecrets field of ServiceAccount. See below for examples:
    # Create ServiceAccount resource under newns
    $ kubectl create sa kung -n newns
    serviceaccount/kung created
    
    # Check the Secret automatically associated with the newly-created `ServiceAccount` resource name `kung` under newns
    $ kubectl get serviceaccounts kung -o yaml -n newns
    apiVersion: v1
    imagePullSecrets:
    - name: tcr.ipsimagepullsecret-sample
    kind: ServiceAccount
    metadata:
    creationTimestamp: "2021-12-01T07:19:12Z"
    name: kung
    namespace: newns
    resourceVersion: "30393760"
    uid: e236829e-d88e-4feb-9e80-5e4a40f2aea2
    secrets:
    - name: kung-token-fljt8
    
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support