This document describes how to use the TCR plug-in in Tencent Kubernetes Engine (TKE) to enable secret-free pulling of container images in an Enterprise Edition instance through the private network and to create workloads.
Before using a private image hosted in TCR Enterprise Edition to deploy applications in TKE, complete the following operations:
A new TCR Enterprise Edition instance does not have a default namespace, and a namespace cannot be automatically created through the pushed image. Therefore, create a namespace as required. For more information, see Managing Namespaces.
We recommend that the namespace be named based on the project or team name. In this document,
docker is used as an example. The following page appears after the namespace is created.
Container images are hosted in specific image repositories. Create an image repository as required. For more information, see Managing Image Registry. Set the image repository name to the name of the container image to be deployed. In this document,
getting-started is used as an example. The following page appears after the image repository is created:
Use Docker CLI or another image tool, such as jenkins, to push the image to the TCR Enterprise Edition instance. If no image repository exists, an image repository will be automatically created. You do not need to create one in advance.
You can use Docker CLI or another image building tool, such as jenkins, to push an image to a specific image repository. Here, the Docker CLI is used to push images. In this step, you need to use a CVM or CPM with Docker installed and ensure that the target client is in the Internet or private-network access allowlist defined in Network Access Control Overview.
Obtain an access credential for the TCR Enterprise Edition instance and run the Docker login command to log in to the instance. For more information on how to obtain an instance access credential, see Obtaining an Instance Access Credential.
After successful login, create a container image on the local server or obtain a public image from Docker Hub for testing.
This document uses the latest Nginx image on the official Docker Hub website as an example. In the command-line tool, run the following commands sequentially to push this image. Note to replace
getting-started with the actual instance, namespace, and image repository names that you created.
docker tag getting-started:latest demo-tcr.tencentcloudcr.com/docker/getting-started:latest
docker push demo-tcr.tencentcloudcr.com/docker/getting-started:latest
After the image is pushed, you can go to the Image Repository page in the TCR console and click the name of a repository to view its details.
TCR Enterprise Edition instances support network access control and deny all external access by default. You can select public-network or private-network access for a TKE cluster to access a specific instance and pull the container image based on the network configuration of the TKE cluster. If the TKE cluster and TCR instance are deployed in the same region, we recommend that the TKE cluster pull the container image through the private network to accelerate pulling and reduce public-network traffic costs.
Log in to the TKE console and click Cluster in the left sidebar.
On the "Cluster Management" page, click the ID of the target cluster to go to the cluster details page.
On the cluster details page, click Component management in the left sidebar to go to the "Component management" page and click Create.
On the "Create an add-on" page, select "TCR", as shown in the figure below:
Currently, the TCR add-on only supports clusters in Kubernetes 1.14, 1.16, and 1.18. If you are using another cluster version, manually configure the access method.
On the "TCR add-on parameter settings" page, configure parameters based on the add-on configuration method in View Details, as shown in the figure below:
Click OK to return to the add-on selection page.
On the add-on selection page, click Done to install the TCR add-on for the cluster.
After the add-on is installed, the cluster can pull images from the associated instance without needing a password through a private network, as shown in the figure below.