Using a Third-Party Image

Scenario

CCE allows you to create workloads using images pulled from third-party image repositories.

Generally, a third-party image repository can be accessed only after authentication (using your account and password). CCE uses secret-based authentication to pull images, so you need to create a secret for an image repository before pulling images from it.

Prerequisites

The node where the workload runs has access to the public network. Public network access can be provided through a LoadBalancer or DNAT.

Using the Console

  1. Create a secret for accessing a third-party image repository.

    In the navigation pane, choose Configuration Center > Secret, and click Create Secret. Type must be set to kubernetes.io/dockerconfigjson. For details, see Creating a Secret.

    Enter the user name and password used to access the third-party image repository.

    Figure 1 Creating a secret

  2. Create a workload. For details, see Creating a Deployment or Creating a StatefulSet. If the workload will be created from a third-party image, set the image parameters as follows:

    1. Set Secret Authentication to Yes.
    2. Select the secret created in step 1.
    3. Enter the image address.

  3. Click Create.

Using kubectl

  1. Use kubectl to connect to the cluster. For details, see Connecting to a Cluster Using kubectl.
  2. Create a secret of the dockercfg type using kubectl.

    kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL

    In the preceding command, myregistrykey is the secret name, and the other parameters are described as follows:

    • DOCKER_REGISTRY_SERVER: address of a third-party image repository, for example, www.3rdregistry.com or 10.10.10.10:443
    • DOCKER_USER: account used for logging in to a third-party image repository
    • DOCKER_PASSWORD: password used for logging in to a third-party image repository
    • DOCKER_EMAIL: email address associated with the account used for logging in to the third-party image repository

  3. Use a third-party image to create a workload.

    A dockercfg secret is used for authentication when you obtain a private image. The following is an example of using the myregistrykey secret for authentication.

    apiVersion: v1
    kind: Pod
    metadata:
      name: foo
      namespace: default
    spec:
      containers:
        - name: foo
          image: www.3rdregistry.com/janedoe/awesomeapp:v1
      imagePullSecrets:
        - name: myregistrykey              #Use the created secret.
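The following added example (not CCE's own code) reproduces what the kubectl procedure above creates: the kubernetes.io/dockerconfigjson payload that kubectl create secret docker-registry stores, plus a check that a pod's imagePullSecrets entry actually holds credentials for the registry in its image address. The registry address, account and password used are constructed placeholders.

```python
import base64
import json

# Added example, not CCE's own code: builds the kubernetes.io/dockerconfigjson
# payload that `kubectl create secret docker-registry` generates and inspects it.
# Registry address, account and password used here are constructed placeholders.

def build_dockerconfigjson(server, user, password, email):
    """Return the dict that becomes the secret's .dockerconfigjson value."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"auths": {server: {"username": user, "password": password,
                               "email": email, "auth": auth}}}

def build_secret(name, server, user, password, email, namespace="default"):
    """Return the Secret object kubectl would submit for the pull secret."""
    cfg = json.dumps(build_dockerconfigjson(server, user, password, email))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        # base64 is an encoding, not encryption: anyone allowed to read the
        # Secret object (RBAC get/list on secrets) recovers the password.
        "data": {".dockerconfigjson": base64.b64encode(cfg.encode()).decode()},
    }

def registries_in_secret(secret):
    """Registry servers the pull secret holds credentials for."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a kubernetes.io/dockerconfigjson secret")
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    return sorted(json.loads(raw)["auths"])

def image_registry(image):
    """Registry an image reference is pulled from, following Docker's naming rule:
    the first path component is a registry only if it has a dot, a port or is localhost."""
    if "/" in image:
        first = image.split("/", 1)[0]
        if "." in first or ":" in first or first == "localhost":
            return first
    return "docker.io"

def pull_secret_covers_image(secret, image):
    """True if the imagePullSecrets entry can actually authenticate for `image`."""
    return image_registry(image) in registries_in_secret(secret)

if __name__ == "__main__":
    s = build_secret("myregistrykey", "www.3rdregistry.com", "janedoe", "S3cret!", "jane@example.com")
    print(json.dumps(s, indent=2))
    print(pull_secret_covers_image(s, "www.3rdregistry.com/janedoe/awesomeapp:v1"))
```

Because the password is only base64-encoded inside the secret, restrict who can read secrets in the namespace rather than relying on the encoding.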

Unknown or Insecure Certificates Used by a Remote Image Repository

When pulling an image from a third-party repository that uses an unknown or insecure certificate, the pull fails, a related pod event is reported, and the error cause is "x509: certificate signed by unknown authority" (the event text is shown in the solution below).

EulerOS 2.9 images have enhanced security: some insecure or expired well-known CA certificates have been removed from the system trust store. For some third-party images, it is therefore normal that this error is reported on nodes running EulerOS 2.9 but not on other node types. Perform the following operations to rectify the fault.

Solution:

  1. Check the IP address and port number of the third-party image server for which the error message "unknown authority" is displayed.

    You can find the IP address and port number of the third-party image server in the error event, as shown below.
    Failed to pull image "bitnami/redis-cluster:latest": rpc error: code = Unknown desc = error pulling image configuration: Get https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/e8/e83853f03a2e792614e7c1e6de75d63e2d6d633b4e7c39b9d700792ee50f7b56/data?verify=1636972064-AQbl5RActnudDZV%2F3EShZwnqOe8%3D: x509: certificate signed by unknown authority

    The address of the third-party image server is the host name production.cloudflare.docker.com, and the default HTTPS port number is 443.

  2. Load the root certificate of the third-party image server to the node where the third-party image is to be pulled.

    Run the following commands on EulerOS and CentOS nodes (replace {server_url}:{server_port} with the address and port number found in Step 1, for example, production.cloudflare.docker.com:443). If the container engine of the node is containerd, replace systemctl restart docker in the last command with systemctl restart containerd.

    openssl s_client -showcerts -connect {server_url}:{server_port} < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/pki/ca-trust/source/anchors/tmp_ca.crt
    update-ca-trust
    systemctl restart docker

    Run the following commands on Ubuntu nodes (the same containerd substitution applies; Ubuntu refreshes the trust store with update-ca-certificates, which reads /usr/local/share/ca-certificates/):

    openssl s_client -showcerts -connect {server_url}:{server_port} < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /usr/local/share/ca-certificates/tmp_ca.crt
    update-ca-certificates
    systemctl restart docker

    Note that this pipeline writes every certificate the server presented (the leaf and any intermediates, not only the root) and trusts whatever chain was received over that single connection; before refreshing the trust store, compare the fingerprint of the certificate in tmp_ca.crt with a value obtained from the registry operator.
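The following added example (not part of the CCE documentation) works on the PEM chain that the openssl | sed pipeline above writes to tmp_ca.crt: it splits the chain into individual certificates, computes the same SHA-256 fingerprint openssl reports, and returns only the certificate whose fingerprint matches a value obtained out of band. SAMPLE_CHAIN is constructed (its base64 bodies are not real certificates) so the example runs offline.

```python
import base64
import hashlib
import re
import ssl

# Added example, not part of the CCE documentation: works on the PEM chain that
# the openssl | sed pipeline above writes to tmp_ca.crt. SAMPLE_CHAIN below is
# constructed (its base64 bodies are not real certificates) so it runs offline.

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def split_chain(pem_text):
    """Each certificate of the captured chain as its own PEM string, server order."""
    return PEM_BLOCK.findall(pem_text)

def sha256_fingerprint(pem_cert):
    """Same value as `openssl x509 -noout -fingerprint -sha256`: SHA-256 of the DER."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def select_anchor(pem_text, expected_fingerprint):
    """Return only the chain member whose fingerprint matches a value obtained
    out of band (for example from the registry operator).

    s_client -showcerts captures whatever the peer sent: the leaf, intermediates
    and, if the connection was intercepted, an attacker's chain. Comparing the
    fingerprint first is what makes installing the anchor safe.
    """
    for cert in split_chain(pem_text):
        if sha256_fingerprint(cert) == expected_fingerprint.upper():
            return cert
    raise ValueError("no certificate in the chain matches the expected fingerprint")

def fake_cert(seed):
    """Constructed PEM block with an arbitrary body, standing in for a certificate."""
    body = base64.encodebytes(seed.encode() * 20).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----"

SAMPLE_CHAIN = "\n".join(fake_cert(n) for n in ("leaf", "intermediate", "root"))

if __name__ == "__main__":
    for position, cert in enumerate(split_chain(SAMPLE_CHAIN)):
        print(position, sha256_fingerprint(cert))
```

Write the string returned by select_anchor to the anchors directory instead of the raw pipeline output, then run update-ca-trust or update-ca-certificates as above.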