openwhisk-deploy-kube

Support Private Registry in Kubernetes Container Factory

Open dgrove-oss opened this issue 4 years ago • 5 comments

Per discussion on dev list [1] we should make KCF more flexible by loading a default Pod spec for user actions from a config map and then adding information to that default.

[1] https://lists.apache.org/thread.html/7f8cadfc04c5a4c7533f71d5e5c9f6371a389da53ebb95b3f65a7c4e@%3Cdev.openwhisk.apache.org%3E

dgrove-oss, Sep 20 '19 15:09

Currently looking at this, because for us it is not straightforward to move from container factory "docker" to "kubernetes".

With "docker", we have a simple script mounted as a config map with the invoker-scripts, which logs the invoker's docker daemon in to one system-wide blackbox registry (GitLab). As a drawback, anyone with access to the system is then able to create actions from any docker image accessible with the used credentials.

This solution still comes from before the merging of #4503, which has meanwhile enabled custom public registries for user-provided images.

For a more complete picture, with respect to multi-tenancy, I suggest adding configuration options for private registries for user-provided images to

  1. the deployment (global, default Docker Hub)
  2. namespaces (optional, default None)
  3. actions (optional, default None)

Users could then create an action by passing the image as a complete link including URL and optionally also username and access token. Only when the user omits a registry URL would it be inherited from the namespace first, and only if the namespace does not have a registry configured would the system-wide setting be used, which may default to Docker Hub.

SchuhMichael, Dec 18 '19 16:12
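The inheritance order proposed in the comment above, sketched as an added example (not OpenWhisk code and not part of the thread). The `Registry` type, the `resolve` function, the `docker.io` default and the sample hosts are assumptions; the rule that stored credentials are only reused for the host they were configured for is a design choice of this sketch, made so that a namespace's credentials are never sent to a registry named in the image link.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

DOCKER_HUB = "docker.io"  # assumed system-wide default ("default Docker Hub")


@dataclass(frozen=True)
class Registry:
    host: str
    username: Optional[str] = None
    token: Optional[str] = None


def split_image(image: str) -> Tuple[Optional[str], str]:
    """Split an image link into (registry host or None, remainder).

    Docker reference convention: the first path component is a registry
    host only if it contains '.' or ':' or equals 'localhost'.
    """
    first, sep, rest = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first, rest
    return None, image


def resolve(image, action_creds=None, namespace=None,
            deployment=Registry(DOCKER_HUB)):
    """Return (full image reference, Registry whose credentials apply)."""
    host, remainder = split_image(image)
    if host is None:
        # Registry omitted: inherit from the namespace, then the deployment.
        chosen = namespace or deployment
        return f"{chosen.host}/{remainder}", chosen
    if action_creds is not None:
        # The action supplied its own (username, token) for its own registry.
        return image, Registry(host, *action_creds)
    # Explicit registry without credentials: reuse stored credentials only
    # when they were configured for exactly this host.
    for level in (namespace, deployment):
        if level is not None and level.host == host:
            return image, level
    return image, Registry(host)  # anonymous pull


if __name__ == "__main__":
    ns = Registry("registry.example.com", "ns-user", "ns-token")  # constructed
    for img in ("team/app:1", "other.example.net/x/app:1"):
        print(img, "->", resolve(img, namespace=ns))
```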

Related feature request in core repository: https://github.com/apache/openwhisk/issues/4787

dgrove-oss, Jan 03 '20 19:01

Since there was a pull request that was merged in the main repository, can this be used in the Kubernetes deployment? https://github.com/apache/openwhisk/pull/4791

belfhi, May 05 '20 08:05

I believe https://github.com/apache/openwhisk/pull/4791 would only be useful when using the DockerContainerFactory. Generally speaking, recent Kubernetes versions have changed from using docker to using containerd as the underlying container engine. If your Kubernetes cluster is using containerd, then you can't use the DockerContainerFactory. There's a little more discussion of choosing the container factory at https://github.com/apache/openwhisk-deploy-kube/blob/master/docs/configurationChoices.md#invoker-container-factory

dgrove-oss, May 07 '20 01:05