Private container registries
When you deploy a workload in Cloudfleet Kubernetes Engine (CFKE), you can pull container images from public or private container registries. This guide explains how to pull container images from private registries in CFKE.
CFKE has built-in support for pulling images from AWS Elastic Container Registry (ECR) and GCP Artifact Registry without storing long-lived registry credentials in your cluster. For these two services you grant a Cloudfleet-owned identity (an AWS IAM role or a GCP workload identity principal) read access to your repositories; no Kubernetes secret is needed.
AWS Elastic Container Registry
CFKE nodes authenticate to AWS by assuming an IAM role that lives in a Cloudfleet-owned AWS account; one role exists per cluster. By granting that role pull access on your ECR repositories, you allow CFKE to pull images without any AWS credentials being stored in your cluster.
To authorize the role, attach a repository policy (a resource-based policy on the repository itself, not an IAM policy in your account) to each ECR repository CFKE must pull from. The policy should look like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ECRRepositoryPolicy",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::CLOUDFLEET_AWS_ACCOUNT_ID:role/cfke-CLUSTER_ID"
      },
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}
The two actions above are all that an image pull needs; do not grant push or delete actions to this principal. ecr:GetAuthorizationToken is an identity-level permission and does not belong in a repository policy.
Replace CLOUDFLEET_AWS_ACCOUNT_ID with the Cloudfleet AWS account ID for your control plane region. The possible values are:

| Control Plane Region | Cloudfleet AWS Account ID |
|---|---|
| europe-central-1a | 902873844300 |
| northamerica-central-1a | 891376988818 |

Replace CLUSTER_ID with the ID of your CFKE cluster.
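The following shell script is an added example, not Cloudfleet's own tooling. It builds the repository policy from the table above for a given control plane region and cluster ID, applies it with the AWS CLI, and reads it back for verification. It assumes the AWS CLI is installed and authenticated as an identity allowed to change repository policies in the account that owns the repository; the repository name, cluster ID and AWS region in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example (not Cloudfleet's code): build the ECR repository policy from this page for a
# given control plane region and cluster ID, then apply it with the AWS CLI.
# Assumes the AWS CLI is installed and authenticated as an identity that may change
# repository policies in the account owning the repository. Names in the usage line are hypothetical.
set -eu

# Cloudfleet AWS account ID for a CFKE control plane region (values from the table above).
cfke_aws_account_id() {
  case "$1" in
    europe-central-1a)       echo 902873844300 ;;
    northamerica-central-1a) echo 891376988818 ;;
    *) echo "unknown control plane region: $1" >&2; return 1 ;;
  esac
}

# Emit the repository policy: only the two actions a pull needs, granted to the one cluster role.
cfke_ecr_policy() {
  region="$1"; cluster_id="$2"
  account_id="$(cfke_aws_account_id "$region")"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ECRRepositoryPolicy",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account_id}:role/cfke-${cluster_id}" },
      "Action": [ "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer" ]
    }
  ]
}
EOF
}

# Apply the policy and read it back. set-repository-policy replaces the whole repository policy,
# so merge this statement by hand first if the repository already has statements for other principals.
cfke_ecr_authorize() {
  repo="$1"; region="$2"; cluster_id="$3"; aws_region="$4"
  policy="$(cfke_ecr_policy "$region" "$cluster_id")"
  aws ecr set-repository-policy --region "$aws_region" --repository-name "$repo" \
    --policy-text "$policy" >/dev/null
  aws ecr get-repository-policy --region "$aws_region" --repository-name "$repo" \
    --query policyText --output text
}

# Usage (hypothetical repository name, cluster ID and AWS region):
# cfke_ecr_authorize my-app europe-central-1a 0123456789abcdef eu-central-1
```

Because a repository policy is replaced rather than merged by set-repository-policy, run get-repository-policy first on any repository that already grants access to other principals and add the CFKE statement to the existing document.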
GCP Artifact Registry
CFKE authenticates to GCP through a Cloudfleet-owned workload identity pool named cfke, in which each cluster appears as its own subject. To authorize CFKE, grant the following principal the roles/artifactregistry.reader role on the relevant Artifact Registry repository. Grant it on the repository rather than on the whole project so the cluster can read only the images it needs:
principal://iam.googleapis.com/projects/CLOUDFLEET_GCP_PROJECT_NUMBER/locations/global/workloadIdentityPools/cfke/subject/CLUSTER_ID
Replace CLOUDFLEET_GCP_PROJECT_NUMBER with the Cloudfleet GCP project number for your control plane region. The possible values are:

| Control Plane Region | Cloudfleet GCP Project Number |
|---|---|
| europe-central-1a | 207152264238 |
| northamerica-central-1a | 89014267864 |

Replace CLUSTER_ID with the ID of your CFKE cluster.
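The following shell script is an added example, not Cloudfleet's own tooling. It builds the workload identity principal for a cluster from the table above and binds roles/artifactregistry.reader on a single repository with gcloud, then prints the repository's IAM policy so the binding can be checked. It assumes gcloud is installed and authenticated with permission to change the repository's IAM policy; the project, location, repository and cluster ID in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example (not Cloudfleet's code): build the workload identity principal for a CFKE cluster
# and grant it roles/artifactregistry.reader on one Artifact Registry repository with gcloud.
# Assumes gcloud is installed and authenticated with permission to change the repository's
# IAM policy. Project, location, repository and cluster ID in the usage line are hypothetical.
set -eu

# Cloudfleet GCP project number for a CFKE control plane region (values from the table above).
cfke_gcp_project_number() {
  case "$1" in
    europe-central-1a)       echo 207152264238 ;;
    northamerica-central-1a) echo 89014267864 ;;
    *) echo "unknown control plane region: $1" >&2; return 1 ;;
  esac
}

# The principal identifier for a cluster (subject) in the Cloudfleet "cfke" workload identity pool.
cfke_gcp_principal() {
  project_number="$(cfke_gcp_project_number "$1")"
  printf 'principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/cfke/subject/%s\n' \
    "$project_number" "$2"
}

# Bind the role at repository scope (not project scope) so the cluster can read only this
# repository, then print the resulting policy so the new binding can be verified.
cfke_ar_authorize() {
  project="$1"; location="$2"; repo="$3"; region="$4"; cluster_id="$5"
  member="$(cfke_gcp_principal "$region" "$cluster_id")"
  gcloud artifacts repositories add-iam-policy-binding "$repo" \
    --project "$project" --location "$location" \
    --member "$member" --role roles/artifactregistry.reader >/dev/null
  gcloud artifacts repositories get-iam-policy "$repo" \
    --project "$project" --location "$location" --format json
}

# Usage (hypothetical values):
# cfke_ar_authorize my-project europe-west3 my-images europe-central-1a 0123456789abcdef
```

add-iam-policy-binding appends to the existing policy, so other members on the repository are unaffected; the printed policy should show the cluster principal under roles/artifactregistry.reader and nothing more.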
Other Private Registries
If you are using a private registry other than AWS ECR or GCP Artifact Registry, CFKE has no built-in identity for it and you need to give the cluster registry credentials. Create a Kubernetes Secret of type kubernetes.io/dockerconfigjson in the namespace of the workload, then reference it in the imagePullSecrets field of the pod spec (or of the ServiceAccount the pod runs as, so that every pod using that account gets it). The secret is not mounted into the container; the kubelet reads it when pulling the image. Use a read-only registry credential (a deploy token or pull-only robot account, not a personal login), and remember that the secret is only valid in the namespace where it is created. Please follow the Kubernetes documentation on pulling images from a private registry for the details.
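The following shell script is an added example, not Cloudfleet's own tooling. It builds the .dockerconfigjson document that an image pull secret carries, emits the Secret manifest and a pod manifest that references it, and attaches the secret to the namespace's default ServiceAccount with kubectl. It assumes kubectl is installed and pointed at the CFKE cluster; the registry host, namespace, secret name and credentials are hypothetical placeholders, and the password is assumed to contain no characters that need JSON escaping.

```shell
#!/bin/sh
# Added example (not Cloudfleet's code): create an image pull secret for a registry that is
# neither ECR nor Artifact Registry, attach it to the namespace's default ServiceAccount, and
# show the equivalent per-pod imagePullSecrets reference.
# Assumes kubectl is installed and pointed at the CFKE cluster. Registry host, namespace, secret
# name and credentials are hypothetical placeholders; the password is assumed to need no JSON escaping.
set -eu

# Build the .dockerconfigjson document a kubernetes.io/dockerconfigjson secret carries.
# The "auth" field is base64(username:password); the kubelet presents it as an HTTP Basic credential.
cfke_dockerconfigjson() {
  registry="$1"; username="$2"; password="$3"
  auth="$(printf '%s:%s' "$username" "$password" | base64 | tr -d '\n')"
  cat <<EOF
{"auths":{"${registry}":{"username":"${username}","password":"${password}","auth":"${auth}"}}}
EOF
}

# Emit the Secret manifest. Applying a manifest from stdin (rather than passing the password on a
# kubectl command line) keeps the credential out of shell history and process listings.
cfke_pull_secret_manifest() {
  name="$1"; namespace="$2"; registry="$3"; username="$4"; password="$5"
  config="$(cfke_dockerconfigjson "$registry" "$username" "$password" | base64 | tr -d '\n')"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${namespace}
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ${config}
EOF
}

# A pod that references the secret directly. The secret must live in the pod's namespace.
cfke_pod_manifest() {
  name="$1"; namespace="$2"; image="$3"; secret="$4"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: ${name}
  namespace: ${namespace}
spec:
  imagePullSecrets:
    - name: ${secret}
  containers:
    - name: app
      image: ${image}
EOF
}

# Create the secret and add it to the default ServiceAccount so every pod using that account
# pulls with it without editing each pod spec. The password is read from stdin, not from argv.
cfke_setup_pull_secret() {
  namespace="$1"; registry="$2"; username="$3"; secret="$4"
  read -r password
  cfke_pull_secret_manifest "$secret" "$namespace" "$registry" "$username" "$password" \
    | kubectl apply -f -
  kubectl patch serviceaccount default -n "$namespace" \
    -p "{\"imagePullSecrets\":[{\"name\":\"${secret}\"}]}"
}

# Usage (hypothetical values; the registry password is piped in on stdin):
# printf '%s\n' "$REGISTRY_PASSWORD" | cfke_setup_pull_secret apps registry.example.com deploy-bot regcred
# cfke_pod_manifest web apps registry.example.com/team/web:1.2.3 regcred | kubectl apply -f -
```

Attaching the secret to the ServiceAccount is usually preferable to editing every pod spec, but either way the secret must exist in each namespace that pulls from the registry; kubectl cannot reference a pull secret across namespaces.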