Tencent Container Registry (TCR) Enterprise Edition provides exclusive, secure, enterprise-grade image hosting for container customers who have strict data security and compliance requirements, businesses distributed across multiple regions, and large cluster scales. Compared with the TCR Personal Edition, the TCR Enterprise Edition supports container image security scanning, cross-region automatic synchronization, Helm chart hosting, network access control, and other features. For more information, see Tencent Container Registry.
This document describes how to use a private image hosted in TCR to deploy applications in Tencent Kubernetes Engine (TKE).
Before you use a private image hosted in TCR to deploy applications in TKE, ensure that you have completed the following operations:
A new TCR Enterprise Edition instance does not have a default namespace, and a namespace cannot be automatically created through the pushed image. Therefore, create a namespace as required. For more information, see Manage namespaces.
We recommend that the namespace be named according to the project or team name. In this document, docker is used as an example. The following page appears after the namespace is created.
Container images are hosted in specific image repositories. Create an image repository as required. For more information, see Manage Image Registry. Set the image repository name to the name of the container image to be deployed. In this document, getting-started is used as an example. The following page appears after the image repository is created.
Note:
Use Docker CLI or another image tool, such as Jenkins, to push the image to the TCR Enterprise Edition instance. If no image repository exists, an image repository will be automatically created. You do not need to create one in advance.
You can use Docker CLI or another image tool, such as Jenkins, to push an image to a specific image repository. Here, the Docker CLI is used to push images. To push a container image, you need a CVM or physical server with Docker installed, and the client must be allowed to access the instance. For more information, see Network Access Control Overview.
Replace demo-tcr, docker, and getting-started with the names of the actual instance, namespace, and image repository you have created.
docker tag getting-started:latest demo-tcr.tencentcloudcr.com/docker/getting-started:latest
docker push demo-tcr.tencentcloudcr.com/docker/getting-started:latest
After the image is pushed, you can go to the "Image Repository" page in the TCR console and select a repository name to view details.
TCR Enterprise Edition instances support network access control and deny all external access by default. You can select a public network or private network for a TKE cluster to access a specific instance and pull the container image based on the network configuration of the TKE cluster. If the TKE cluster and TCR instance are deployed in the same region, we recommend that the TKE cluster pull the container image through a private network to accelerate pulling and reduce public network traffic costs.
Log in to the TKE console and click Cluster in the left sidebar.
On the "Cluster Management" page, click the ID of the target cluster to go to the cluster details page.
On the cluster details page, click Component management in the left sidebar to go to the "Component management" page and click Create.
On the "Create an add-on" page, select "TCR", as shown below.
Note:
The TCR add-on only supports clusters in Kubernetes 1.14 or 1.16. If you use another cluster version, manually configure the access method.
On the "TCR add-on parameter settings" page, configure related parameters based on the add-on configuration method in View Details, as shown below:
Click OK to return to the add-on selection page.
On the add-on selection page, click Done to install the TCR add-on for the cluster.
After the add-on is installed, the cluster can pull images from the associated instance without needing a password through a private network, as shown below.
echo '172.21.17.69 demo.tencentcloudcr.com' >> /etc/hosts
Replace 172.21.17.69 and demo.tencentcloudcr.com with the private network resolution IP address and TCR instance domain name that you use.
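The append command above adds a new line every time it runs and leaves any older mapping for the same domain in the file, where it can still be the one that is resolved. As an added example (not part of the original documentation), the shell function below replaces existing entries for the domain instead of appending; pin_registry_host and its optional third parameter are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example. pin_registry_host is a hypothetical helper; the hosts file
# path is a parameter so it can be tried on a scratch copy before /etc/hosts.
# Usage: pin_registry_host 172.21.17.69 demo.tencentcloudcr.com
pin_registry_host() {
    ip=$1 host=$2 hosts_file=${3:-/etc/hosts}

    # Reject anything but digits/dots or DNS-name characters first, so a value
    # with spaces or newlines cannot add extra fields or lines to the file.
    case $ip in ''|*[!0-9.]*) echo "invalid IPv4 address" >&2; return 2 ;; esac
    case $host in ''|*[!A-Za-z0-9.-]*) echo "invalid host name" >&2; return 2 ;; esac
    # Require exactly four octets, each in the range 0-255.
    printf '%s' "$ip" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
    ' || { echo "invalid IPv4 address" >&2; return 2; }

    tmp=$(mktemp) || return 1
    # Keep comment lines; drop every other line that names this host (stale or
    # duplicate pins, together with any aliases on that line); keep the rest.
    awk -v h="$host" '
        /^[ \t]*#/ { print; next }
        {
            keep = 1
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break
                if (tolower($i) == tolower(h)) keep = 0
            }
            if (keep) print
        }
    ' "$hosts_file" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s %s\n' "$ip" "$host" >> "$tmp"

    # Write back in place so the file keeps its inode, owner and mode.
    cat "$tmp" > "$hosts_file"; rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Running it twice with the same arguments leaves exactly one line for the domain, and a changed private IP replaces the old pin rather than sitting behind it.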
When creating a namespace, follow the steps below to deliver an access credential:
1000090225xx-tcr-m3ut3qxx-dockercfg, choose Configuration Management > Secret. 1000090225xx indicates the UIN of the sub-account used to create the namespace, and tcr-m3ut3qxx indicates the ID of the selected instance.
Perform the following steps to deliver the access credential to an existing namespace: