openwhisk-deploy-kube
Support Private Registry in Kubernetes Container Factory
Per discussion on dev list [1] we should make KCF more flexible by loading a default Pod spec for user actions from a config map and then adding information to that default.
[1] https://lists.apache.org/thread.html/7f8cadfc04c5a4c7533f71d5e5c9f6371a389da53ebb95b3f65a7c4e@%3Cdev.openwhisk.apache.org%3E
Currently looking at this, because for us it is not straightforward to move from container factory "docker" to "kubernetes".
With "docker", we have a simple script mounted as config map with the invoker-scripts, which logs in the invoker's docker daemon into one system-wide blackbox registry (GitLab). As a drawback, anyone with access to the system is then able to create actions from any docker image accessible with the used credentials.
This solution still comes from before the merging of #4503, which has meanwhile enabled custom public registries for user provided images.
For a more complete picture, with respect to multi-tenancy, I suggest adding configuration options for private registries for user provided images to
- the deployment (global, default docker hub)
- namespaces (optional, default None)
- actions (optional, default None)
Users could then create an action by passing the image as complete link including URL and optionally also username and access token. Only when the user omits a registry URL, it would be inherited from the namespace first, and only if the namespace does not have a registry configured, the system-wide setting would be used, which may default to docker hub.
Related feature request in core repository: https://github.com/apache/openwhisk/issues/4787
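The inheritance order proposed in the comment above (action, then namespace, then deployment), sketched as an added example that is not OpenWhisk code and not part of the original thread. The names `Registry`, `split_image` and `resolve` and all hostnames are hypothetical, and the rule that inherited credentials are never attached to a registry host the user named explicitly is an assumption of this sketch, chosen to avoid the credential-sharing drawback described for the "docker" setup.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Registry:
    host: str
    username: Optional[str] = None
    token: Optional[str] = None


# Deployment-wide default, as in the proposal ("global, default docker hub").
DOCKER_HUB = Registry("docker.io")


def split_image(image: str) -> Tuple[Optional[str], str]:
    """Split an image reference into (registry host or None, remainder).

    Follows the Docker convention: the first path component is a registry
    host only if it contains '.' or ':' or is exactly 'localhost'.
    """
    first, sep, rest = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first, rest
    return None, image


def resolve(image: str,
            action_creds: Optional[Tuple[str, str]] = None,
            namespace: Optional[Registry] = None,
            system: Registry = DOCKER_HUB) -> Tuple[Registry, str]:
    """Return (registry to pull from, fully qualified image) for an action."""
    host, path = split_image(image)
    if host is not None:
        # Explicit registry: use only credentials supplied with the action.
        # Assumption: namespace/system credentials are never sent to a host
        # the user picked, so they cannot be replayed against other registries.
        user, token = action_creds or (None, None)
        return Registry(host, user, token), f"{host}/{path}"
    # No registry in the image: inherit namespace first, then the deployment.
    inherited = namespace or system
    return inherited, f"{inherited.host}/{path}"


if __name__ == "__main__":
    # Constructed sample values.
    ns = Registry("registry.example.com", "ns-bot", "ns-token")
    print(resolve("acme/runtime:1", namespace=ns))
    print(resolve("gitlab.example.org:5050/team/img:2", namespace=ns))
```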
Since there was a pull request that was merged in the main repository, can this be used in the Kubernetes deployment? https://github.com/apache/openwhisk/pull/4791
I believe https://github.com/apache/openwhisk/pull/4791 would only be useful when using the DockerContainerFactory. Generally speaking, recent Kubernetes versions have changed from using docker to using containerd as the underlying container engine. If your Kubernetes cluster is using containerd, then you can't use the DockerContainerFactory. There's a little more discussion of choosing the container factory at https://github.com/apache/openwhisk-deploy-kube/blob/master/docs/configurationChoices.md#invoker-container-factory