Azure Container Registry is a managed container registry service. Use this service to store private Docker container images with enterprise capabilities such as geo-replication.
To access Container Registry from a cluster, store Docker sign-in credentials in a Kubernetes secret for authentication. A cluster can use an image pull secret in the pod specification to authenticate against the registry when you want to pull the image.
In this article, you learn how to set up a container registry with an Azure Red Hat OpenShift cluster to store and pull private Docker container images.
Prerequisites
This article assumes that you have an existing instance of Container Registry. If you don't, use the Azure portal or the Azure CLI instructions to create a container registry.
This article also assumes that you have an existing Azure Red Hat OpenShift cluster, and that you have the oc CLI installed. If not, follow the instructions in the Create cluster tutorial.
Get a pull secret
You need a pull secret from Container Registry to access the registry from your cluster. To get your pull secret credentials, use either the Azure portal or the Azure CLI.
If you use the Azure portal, go to your instance of Container Registry, and select Access keys. Your docker-username is the name of your container registry. Your docker-password is either password or password2.
Alternatively, use the Azure CLI to get these credentials:
az acr credential show -n <your registry name>
Create the Kubernetes secret
Now you can use these credentials to create a Kubernetes secret. Run the following command with your Container Registry credentials:
oc create secret docker-registry \
    --docker-server=<your registry name>.azurecr.io \
    --docker-username=<your registry name> \
    --docker-password=<password> \
    --docker-email=unused \
    acr-secret
Note
This secret is stored in the current Azure Red Hat OpenShift project (Kubernetes namespace). Only pods created in that project can reference the secret. For more information about creating a cluster-wide pull secret, see the Red Hat documentation.
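The oc create secret docker-registry command above stores the credentials as a secret of type kubernetes.io/dockerconfigjson. The following added example (not part of the original article) builds the same payload locally and decodes it again, which shows that the registry password is only base64-encoded in the secret, so read access to secrets in the project should be limited accordingly. The function names are hypothetical helpers, and the registry name, username, and password are constructed placeholders.

```shell
# Added example: the payload behind `oc create secret docker-registry`.
# All registry names and passwords used here are constructed placeholders.
b64() { base64 | tr -d '\n'; }   # single-line base64, portable across platforms

# Escape backslashes and double quotes so a password cannot break the JSON.
json_escape() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'; }

# acr_dockerconfigjson SERVER USER PASSWORD: print the .dockerconfigjson document.
acr_dockerconfigjson() {
    server=$1 user=$2 password=$3
    auth=$(printf '%s:%s' "$user" "$password" | b64)
    printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"unused","auth":"%s"}}}' \
        "$(json_escape "$server")" "$(json_escape "$user")" "$(json_escape "$password")" "$auth"
}

# acr_pull_secret_manifest NAME SERVER USER PASSWORD: print the Secret manifest.
acr_pull_secret_manifest() {
    name=$1; shift
    data=$(acr_dockerconfigjson "$@" | b64)
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $data
EOF
}

# recover_auth MANIFEST: decode the stored "auth" field back to user:password.
# Two base64 decodes and no key: the secret is encoded, not encrypted.
recover_auth() {
    printf '%s\n' "$1" | sed -n 's/^  \.dockerconfigjson: //p' | base64 -d |
        sed -n 's/.*"auth":"\([^"]*\)".*/\1/p' | base64 -d
}

# Demo with constructed values; prints the manifest for review.
acr_pull_secret_manifest acr-secret example.azurecr.io example 's3cret'
```

Piping the output of acr_pull_secret_manifest to oc apply -f - creates the same kind of secret as the command above.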
Link the secret to the service account
Next, link the secret to the service account that the pod uses, so the pod can authenticate to the container registry. The service account name in the command must match the service account that the pod runs as; default is the default service account. Replace <pull_secret_name> with the name of the secret you created (acr-secret in this article).
oc secrets link default <pull_secret_name> --for=pull
Create a pod by using a private registry image
Now that you've connected your cluster to your container registry, you can pull an image from your container registry to create a pod.
Start with a pod specification, and specify the secret that you created as an image pull secret.
apiVersion: v1
kind: Pod
metadata:
  name: hello-world
spec:
  containers:
  - name: hello-world
    image: <your registry name>.azurecr.io/hello-world:v1
  imagePullSecrets:
  - name: acr-secret
To test that your pod is running, execute this command and wait until the status is Running:
$ oc get pods --watch
NAME          READY   STATUS    RESTARTS   AGE
hello-world   1/1     Running   0          30s