Support Private Registry in Kubernetes Container Factory #528

Open
dgrove-oss opened this issue Sep 20, 2019 · 5 comments

@dgrove-oss
Member

Per discussion on dev list [1] we should make KCF more flexible by loading a default Pod spec for user actions from a config map and then adding information to that default.

[1] https://lists.apache.org/thread.html/7f8cadfc04c5a4c7533f71d5e5c9f6371a389da53ebb95b3f65a7c4e@%3Cdev.openwhisk.apache.org%3E

@dgrove-oss changed the title from "Support Private Registrys in Kubernetes Container Factory" to "Support Private Registry in Kubernetes Container Factory" on Sep 20, 2019
@SchuhMichael

Currently looking at this, because for us it is not straightforward to move from container factory "docker" to "kubernetes".

With "docker", we have a simple script mounted as config map with the invoker-scripts, which logs in the invoker's docker daemon into one system-wide blackbox registry (GitLab). As a drawback, anyone with access to the system is then able to create actions from any docker image accessible with the used credentials.

This solution still comes from before the merging of #4503, which has meanwhile enabled custom public registries for user provided images.

For a more complete picture, with respect to multi-tenancy, I suggest adding configuration options for private registries for user provided images to

  1. the deployment (global, default docker hub)
  2. namespaces (optional, default None)
  3. actions (optional, default None)

Users could then create an action by passing the image as complete link including url and optionally also username and access token. Only when the user omits a registry url, it would be inherited from the namespace first, and only if the namespace does not have a registry configured, the system-wide setting would be used, which may default to docker hub.
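
Added example, not part of the thread and not OpenWhisk code: one way to implement the lookup order proposed in the comment above so that namespace or system credentials are never sent to a registry the user named explicitly. The `Registry` record, the function names, the sample hosts and the choice to reject action credentials without a registry URL are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Registry:  # hypothetical record, not an OpenWhisk type
    url: str
    username: Optional[str] = None
    token: Optional[str] = None

# Level 1 of the proposal: deployment-wide default (Docker Hub).
SYSTEM_DEFAULT = Registry("docker.io")

def split_registry(image: str) -> Tuple[Optional[str], str]:
    """Split off an explicit registry host, following Docker's reference rule:
    the first path component is a host only if it contains '.' or ':' or is
    'localhost'. 'team/img:1' therefore has no registry; 'img:1' has none."""
    head, sep, rest = image.partition("/")
    if sep and ("." in head or ":" in head or head == "localhost"):
        return head, rest
    return None, image

def resolve(image: str,
            action_login: Optional[Tuple[str, str]] = None,
            namespace: Optional[Registry] = None,
            system: Registry = SYSTEM_DEFAULT) -> Tuple[str, Registry]:
    """Return (full image reference, registry record whose login to use)."""
    host, path = split_registry(image)
    if host is not None:
        # Explicit registry: use only the login supplied with the action.
        # Inherited namespace/system tokens are never attached to this host.
        user, token = action_login or (None, None)
        return f"{host}/{path}", Registry(host, user, token)
    if action_login is not None:
        # Assumption: a per-action login without a registry URL is rejected,
        # otherwise it would be sent to whichever registry gets inherited.
        raise ValueError("action credentials require an explicit registry URL")
    # No registry given: inherit from the namespace, then the system default.
    inherited = namespace or system
    return f"{inherited.url}/{path}", inherited

if __name__ == "__main__":
    # Constructed sample values.
    ns = Registry("gitlab.example.com:5050", "ns-bot", "ns-token")
    print(resolve("team/runtime:1.0", namespace=ns))
    print(resolve("other.example.org/x/y:2", namespace=ns))
```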

@dgrove-oss
Member Author

Related feature request in core repository: apache/openwhisk#4787

@belfhi

belfhi commented May 5, 2020

Since there was a pull request that was merged in the main repository, can this be used in the kubernetes deployment? apache/openwhisk#4791

@dgrove-oss
Member Author

I believe apache/openwhisk#4791 would only be useful when using the DockerContainerFactory. Generally speaking, recent Kubernetes versions have changed from using docker to using containerd as the underlying container engine. If your Kubernetes cluster is using containerd, then you can't use the DockerContainerFactory. There's a little more discussion of choosing the container factory at https://github.com/apache/openwhisk-deploy-kube/blob/master/docs/configurationChoices.md#invoker-container-factory

@jrebmann

Is there any update on this issue? I would also like to pull runtime images from a private registry.
I'm using Kubernetes 1.27.4, which uses containerd. Therefore I cannot use the DockerContainerFactory.

Any ideas or workarounds are welcome.
