This document describes how to use the TCR plug-in in Tencent Kubernetes Engine (TKE) to enable secret-free pulling of container images in an Enterprise Edition instance through the private network and to create workloads.
Before using a private image hosted in TCR Enterprise Edition to deploy applications in TKE, complete the following operations:
A new TCR Enterprise Edition instance does not have a default namespace, and a namespace cannot be created automatically by pushing an image. Therefore, create a namespace as required. For more information, see Manage namespaces.
We recommend that the namespace be named based on the project or team name. In this document, docker is used as an example. The following page appears after the namespace is created.
Container images are hosted in specific image repositories. Create an image repository as required. For more information, see Managing Image Registry. Set the image repository name to the name of the container image to be deployed. In this document, getting-started is used as an example. The following page appears after the image repository is created.
Use Docker CLI or another image tool, such as Jenkins, to push the image to the TCR Enterprise Edition instance. If no image repository exists, an image repository will be automatically created. You do not need to create one in advance.
You can use Docker CLI or another image building tool, such as Jenkins, to push an image to a specific image repository. Here, the Docker CLI is used to push images. In this step, you need to use a CVM or CPM with Docker installed and ensure that the target client is in the public or private network access allowlist defined in Network Access Control Overview.
getting-started with the actual instance, namespace, and image repository names that you created.
docker tag getting-started:latest demo-tcr.tencentcloudcr.com/docker/getting-started:latest
docker push demo-tcr.tencentcloudcr.com/docker/getting-started:latest
After the image is pushed, you can go to the Image Repository page in the TCR console and click the name of a repository to view its details.
TCR Enterprise Edition instances support network access control and deny all external access by default. You can select public network or private network access for a TKE cluster to access a specific instance and pull the container image based on the network configuration of the TKE cluster. If the TKE cluster and TCR instance are deployed in the same region, we recommend that the TKE cluster pull the container image through the private network to accelerate pulling and reduce public network traffic costs.
For data security, a new TCR instance denies all external access by default. To allow the specified TKE cluster to access the TCR instance and pull the image, you need to associate the VPC where the cluster is located with the TCR instance and configure the corresponding private network domain resolution.
If you are using TKE, refer to TCR to install the TCR add-on in the TKE cluster and select Enable Private Network Parsing in the TCR Add-on Parameter Settings window. For nodes in the cluster, this plug-in can automatically configure private network resolution for the associated TCR instance. This enables secret-free pulling of images in the instance through the private network.
After the add-on is installed, the cluster can pull images from the associated instance over the private network without a password.
Currently, the TCR add-on only supports clusters running Kubernetes 1.14, 1.16, and 1.18. If you are using another cluster version, manually configure the access method.
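The private network resolution described above can be checked on a cluster node before the first workload is deployed. The script below is an added example, not part of the TCR documentation or the add-on; it assumes a glibc-based node where getent ahostsv4 is available and a VPC that uses RFC 1918 address ranges, and its function names are illustrative.

```shell
#!/bin/sh
# Added example: verify that a registry domain resolves to a private
# address on this node, so that pulls stay on the private network.

# Return 0 if $1 is an IPv4 address in an RFC 1918 range
# (assumption: the cluster VPC uses RFC 1918 address space).
is_private_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and single dots only
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    return 1
}

# Read resolver output lines ("<ip> ...") on stdin and print one verdict:
# private (every address is private), public (at least one is not),
# or unresolved (no address was returned).
classify_resolution() {
    seen=0
    while read -r ip _rest; do
        [ -n "$ip" ] || continue
        seen=1
        is_private_ipv4 "$ip" || { echo public; return 0; }
    done
    if [ "$seen" -eq 1 ]; then echo private; else echo unresolved; fi
}

# Resolve the registry domain the way the node does (hosts file, then DNS).
check_registry() {
    verdict=$(getent ahostsv4 "$1" 2>/dev/null | classify_resolution)
    echo "$1: $verdict"
    [ "$verdict" = private ]
}

# Run the check only when a registry domain is given as the first argument.
if [ $# -gt 0 ]; then check_registry "$1"; fi
```

Run it on a node with the instance domain as the argument, for example demo-tcr.tencentcloudcr.com from this document. Any verdict other than private means the private network resolution is not in effect on that node.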