Help Center/ SoftWare Repository for Container/ Best Practices (Basic Edition)/ CCE Clusters Pull Images from SWR Basic Edition Without Passwords
Updated on 2025-11-21 GMT+08:00
View PDF
Share

CCE Clusters Pull Images from SWR Basic Edition Without Passwords

The username and its password are required for authentication when CCE clusters pull images from SWR Basic Edition. CCE clusters store these credentials in secrets. However, when deploying workloads, you still need to manually configure imagePullSecrets for each workload to pull images.

To simplify the deployment process and reduce the complexity of manual operations, CCE provides a solution that does not require imagePullSecrets. This solution makes image pull automatic and more convenient.

This solution can only be used when CCE clusters pull images from SWR Basic Edition.

Procedure

  1. Use kubectl to connect to the cluster. Run the following command to create the service account wr-service-account in namespace test-namespace: 

    kubectl create serviceaccount swr-service-account -n test-namespace
    • A service account is also called a ServiceAccount.
    • If you already have a service account or you want to use the default service account, skip this step.

  2. Run the following command to associate default-secret of CCE with the service account created in 1. 

    kubectl patch serviceaccount swr-service-account -p '{"imagePullSecrets": [{"name": "default-secret"}]}' -n test-namespace

    In this command,

    • test-namespace is the namespace of CCE. You need to specify the namespace images can be pulled for application deployment without a password.
    • swr-service-account is the name of the service account created in 1. If you use the default service account, replace swr-service-account in the command with default.

  3. Use the YAML file below to create a workload and set ServiceAccountName to the service account created in 1. If you use the default service account, you do not need to set ServiceAccountName. 

    apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: test-namespace #Specify the namespace where CCE can pull images without a password.
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      serviceAccountName: swr-service-account #Specify the service account associated with default-secret of CCE.
      containers:
      - name: nginx
        image: swr.cn-north-4.myhuaweicloud.com/nginx/nginx:latest # Specify the SWR image path.
        ports:
        - containerPort: 80

  4. Verify that the configuration is valid.

    Verify that an image can be pulled when you deploy a workload by following the instructions in 3. After a period of time, the workload status changes to Running.