Updated on 2026-06-16 GMT+08:00

Configuring Secret-Free Image Pull

To deploy a containerized application, you need to configure imagePullSecrets so Kubernetes can correctly pull container images from your private repository. However, this process is complex and introduces security risks, as long-term credentials are susceptible to leaks, while temporary credentials need frequent updates. To resolve this issue, CCE introduces secret-free container image pull. With this function, you can create workloads without explicitly specifying imagePullSecrets. Images are pulled automatically, streamlining operations while enhancing security.

You can configure secret-free image pull in the following ways:

Notes and Constraints

  • Secret-free image pull via node agency is available only in clusters v1.28.15-r70, v1.29.15-r30, v1.30.14-r30, v1.31.10-r30, v1.32.6-r30, v1.33.5-r20, v1.34.1-r0, or later.
  • Secret-free image pull via service account agency is available only in clusters v1.34.3-r10, v1.35.1-r0, or later.
  • Secret-free image pull only applies to node pools. To enable this function, you need to configure an agency for the node pools or service accounts and assign required permissions.
  • After nodes are migrated from a node pool with secret-free image pull enabled to the default pool, these nodes can no longer pull images without an imagePullSecret.
  • Keep the agency alive. If you delete it or let it expire, secret-free pulls will stop working.

Using a Node Agency

Grant SWR agency permissions to a node pool to enable secret-free image pull. Workloads created in that node pool can then pull images without secrets.

Creating an Agency and Assigning Permissions

  1. Log in to the IAM console and choose Agencies in the navigation pane.
  2. Click Create Agency in the upper right corner, set Agency Type to Cloud service, and assign permissions to the ECS or BMS agency. For details, see Creating an Agency and Assigning Permissions.

    You are advised to create a permanent agency, or CCE service deployment will be affected after the agency expires.

  3. Click OK and then grant SWR permissions to the agency.

    • To only pull images from SWR Basic Edition without a secret, assign the following permissions:
      • swr:repo:download: grants permission to download images from SWR.
      • swr:system:createLoginSecret: generates temporary login credentials for SWR.

      The following is a JSON example:

      {
          "Version": "1.1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "swr:repo:download",
                      "swr:system:createLoginSecret"
                  ]
              }
          ]
      }
    • To pull images from SWR Enterprise Edition without a secret, grant the following permissions:
      • swr:repository:downloadArtifact: grants permission to pull images from SWR Enterprise Edition.
      • swr:instance:createTempCredential: grants permission to create temporary access credentials for SWR Enterprise Edition.
      • swr:instance:list: lists SWR Enterprise Edition registries.
      • sts::createServiceBearerToken: (required only with IAM 5.0) allows you to obtain a bearer token.

      The following is a JSON example:

      {
          "Version": "1.1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "swr:repository:downloadArtifact",
                      "swr:instance:createTempCredential",
                      "swr:instance:list"
                  ]
              }
          ]
      }

      If using IAM 5.0, add the sts::createServiceBearerToken action to grant permission to obtain a bearer token.

      {
          "Version": "5.0",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "swr:repository:downloadArtifact",
                      "swr:instance:createTempCredential",
                      "swr:instance:list",
                      "sts::createServiceBearerToken"
                  ]
              }
          ]
      }

Enabling Secret-Free Image Pull

  1. Log in to the CCE console.
  2. Click the cluster name to access the cluster console. In the navigation pane, choose Nodes.
  3. Create a node pool. When creating the node pool, select the created agency (Agency under Advanced Settings).

    If a node pool has been created in the cluster, you can update the pool. When updating the node pool, select the created agency (Agency under Advanced Settings).
    • If the node pool already has nodes, the updated agency does not apply to the existing nodes. You need to go to the ECS console and manually associate the agency with the target nodes.
    • If an agency has been configured for the node pool, you only need to grant SWR permissions to the agency.

  4. Locate the node pool and choose More > Manage. In the kubelet area, enable Password-Free Image Pull (enable-swr-credential-provider) and click OK.

    This operation will restart the kubelet process. To minimize the impacts on services, perform this operation during off-peak hours. The modification will gradually apply to all nodes in the node pool.

Verifying the Secret-Free Image Pull Settings

If you create a workload in a node pool with secret-free image pull enabled, you can pull private SWR images without any imagePullSecret.

The following shows a workload configuration example:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    appgroup: ''
    version: v1
  name: deployment1
  namespace: default
spec:
  selector:
    matchLabels:
      app: deployment1
      version: v1
  template:
    metadata:
      labels:
        app: deployment1
        version: v1
    spec:
      containers:
        - name: container-1
          image: "{image_name}"  # The path to a private SWR image
          imagePullPolicy: Always
      terminationGracePeriodSeconds: 30
      affinity:  # Workloads are scheduled only to nodes whose pool has secret-free image pull configured.
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: cce.cloud.com/cce-nodepool
                    operator: In
                    values:
                      - "{nodepool_name}"  # The name of the node pool with secret-free image pull configured
  replicas: 1
  revisionHistoryLimit: 10
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  progressDeadlineSeconds: 600

In this example, if the workload (no imagePullSecrets) can be scheduled to the specified node pool and pulls the private SWR image, the node pool's secret-free image pull is working.

Using a Service Account

Grant SWR agency permissions to a service account to enable secret-free image pull for a node pool. Workloads created in that node pool can then pull images without secrets.

Creating an Agency and Assigning Permissions

  1. Log in to the IAM console and choose Agencies in the navigation pane.
  2. Click Create Agency in the upper right corner, set Agency Type to Cloud service, and assign permissions to CCE. For details, see Creating an Agency and Assigning Permissions.

    You are advised to create a permanent agency, or CCE service deployment will be affected after the agency expires.

  3. Click OK and then grant SWR permissions to the agency.

    • To only pull images from SWR Basic Edition without a secret, assign the following permissions:
      • swr:repo:download: grants permission to download images from SWR.
      • swr:system:createLoginSecret: generates temporary login credentials for SWR.

      The following is a JSON example:

      {
          "Version": "1.1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "swr:repo:download",
                      "swr:system:createLoginSecret"
                  ]
              }
          ]
      }
    • To pull images from SWR Enterprise Edition without a secret, grant the following permissions:
      • swr:repository:downloadArtifact: grants permission to pull images from SWR Enterprise Edition.
      • swr:instance:createTempCredential: grants permission to create temporary access credentials for SWR Enterprise Edition.
      • swr:instance:list: lists SWR Enterprise Edition registries.
      • sts::createServiceBearerToken: (required only with IAM 5.0) allows you to obtain a bearer token.

      The following is a JSON example:

      {
          "Version": "1.1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "swr:repository:downloadArtifact",
                      "swr:instance:createTempCredential",
                      "swr:instance:list"
                  ]
              }
          ]
      }

      If using IAM 5.0, add the sts::createServiceBearerToken action to grant permission to obtain a bearer token.

      {
          "Version": "5.0",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "swr:repository:downloadArtifact",
                      "swr:instance:createTempCredential",
                      "swr:instance:list",
                      "sts::createServiceBearerToken"
                  ]
              }
          ]
      }

Creating a Service Account and Associating an Agency

  1. Log in to the CCE console. In the navigation pane, choose Permissions and switch to the Pod Identity Association tab.
  2. Select the cluster for which you want to create a pod identity association from the drop-down list on the left and click Create.
  3. Select the created agency and the namespace of the workload.
  4. Click Create Service Account and configure the following parameters:

    • Namespace: Select the namespace for the service account. The namespace must be the same as that of the workload.
    • Service Account Name: Enter a custom name for the service account.
    • Annotation: Add the annotation credential.swr.io/enable-workload-cred: true.

  5. Select the service account created in the previous step and click OK to complete the pod identity association.

Enabling Secret-Free Image Pull

  1. Log in to the CCE console.
  2. Click the cluster name to access the cluster console. In the navigation pane, choose Nodes.
  3. Create a node pool or use an existing one.
  4. Locate the node pool and choose More > Manage. In the kubelet area, enable Password-Free Image Pull (enable-swr-credential-serviceaccount-provider) via service account and click OK.

    This operation will restart the kubelet process. To minimize the impacts on services, perform this operation during off-peak hours. The modification will gradually apply to all nodes in the node pool.

Verifying the Secret-Free Image Pull Settings

If you create a workload in a node pool with secret-free image pull enabled, you can pull private SWR images without any imagePullSecret.

The following shows a workload configuration example:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    appgroup: ''
    version: v1
  name: deployment1
  namespace: default # The namespace used for configuring a service account
spec:
  selector:
    matchLabels:
      app: deployment1
      version: v1
  template:
    metadata:
      labels:
        app: deployment1
        version: v1
        credential.swr.io/enable-workload-cred: on # Key configuration: Use a label to identify that the workload uses secret-free image pull.
    spec:
      serviceAccountName: swr-secretless-sa  # Key configuration: Specify a service account associated with an agency. If this parameter is not set, the default service account will be used.
      containers:
        - name: container-1
          image: "{image_name}"  # The path to a private SWR image
          imagePullPolicy: Always
      terminationGracePeriodSeconds: 30
      affinity:  # Workloads are scheduled only to nodes whose pool has secret-free image pull configured.
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: cce.cloud.com/cce-nodepool
                    operator: In
                    values:
                     - "{nodepool_name}"  # The name of the node pool with secret-free image pull configured
  replicas: 1
  revisionHistoryLimit: 10
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  progressDeadlineSeconds: 600

In this example, if the workload (without imagePullSecrets) is scheduled to the specified node pool and successfully pulls the private SWR image, the node pool's secret-free image pull via service account is working.