DocsICP FilingConsole
官方文档
首页

Pull images from ACR Enterprise instances in the same account using the password-free component

更新时间:
复制 MD 格式
产品详情
我的收藏

The password-free component automates authentication when pulling images, eliminating the need to repeatedly configure imagePullSecrets. This topic describes how to install, configure, and use the password-free component, along with important considerations.

How it works

When using ACR as an image source, if public anonymous pull is not enabled, your ACK cluster must provide a username and password for authentication each time it pulls an image. The common approach is to store the credentials in a Secret, but this introduces several issues:

  • A Secret stores credentials as Base64-encoded plaintext, posing a security risk.

  • You must manually specify imagePullSecrets for every workload.

  • Secrets cannot be used across namespaces.

The password-free component works as follows:

  1. The component retrieves temporary credentials (username and password) from the ACR instance.

  2. It stores these credentials in a Secret.

  3. It associates the Secret with the ServiceAccount specified in the component configuration.

  4. Workloads that use these ServiceAccounts automatically use the temporary credentials in the Secret to pull images.

The password-free component supports managing ServiceAccounts across multiple namespaces and periodically refreshes the temporary credentials to reduce security risks. It eliminates the need to manually configure imagePullSecrets in workloads and is provided at no additional cost.

Passwordless component comparison

ACK provides the aliyun-acr-credential-helper component in two forms: managed and self-managed. You can install only one version at a time. The following table compares the two versions.

Difference

aliyun-acr-credential-helper (managed)

aliyun-acr-credential-helper (self-managed)

Supported cluster versions

Version 1.22 or later of ACK managed cluster, ACK serverless cluster, ACK Edge cluster

version 1.20 or later ACK managed cluster, ACK dedicated cluster

Features

  • No operational overhead

  • Supports cross-account image pulls using RRSA

  • Supports querying component logs

  • Supports cross-account image pulls using Worker Role, RRSA, or AccessKey/SecretKey
To upgrade a cluster, see Manually upgrade a cluster.

Prerequisites

  • Your cluster version is supported by the password-free component. See the table above.

  • Your Container Registry (ACR) instance is an Enterprise instance.

    Important

    • aliyun-acr-credential-helper only supports Container Registry Enterprise Edition instances and Container Registry Personal Edition instances that were created on September 8, 2024 or earlier. If you cannot use aliyun-acr-credential-helper, see How do I use imagePullSecrets?.

  • The RAM role used by the password-free component has been granted permissions.

  • Network connectivity between your ACR Enterprise instance and ACK cluster is established.

    Configure network connectivity

    Before pulling images, ensure network connectivity and domain name resolution between your ACR Enterprise instance and ACK cluster. For same-account image pulls, use one of the following methods:

    • ACR VPC access control: When Container Registry Enterprise instances and Container Service for Kubernetes (ACK) clusters are in the same region, ACK clusters can access Container Registry instances via VPC. For more information, see network access control.

    • VPC peering connection: If your Container Registry (ACR) instance and Container Service for Kubernetes (ACK) cluster are not in the same VPC, you can use a VPC peering connection to connect the two VPCs, allowing the ACK cluster to access the ACR Enterprise instance. When the VPCs are in the same region, the peering connection feature is free of charge; when they are in different regions, charges apply. For more information, see billing documentation. However, to use this feature, the CIDR blocks of the two VPCs must not overlap. If the CIDR blocks already in use in the two VPCs significantly overlap, you must modify your existing network architecture.

      Steps to configure VPC peering

      1. Enable private domain name resolution for the ACR instance

        After you connect the ACR Enterprise Edition instance to the VPC, you can access the instance within the VPC by using its private domain name. After the configuration, obtain the VPC ID and the private IP address of the ACR Enterprise Edition instance.

      2. Obtain the domain name and IP address of the ACR instance

        Obtain the domain name and IP address of the authentication service used to access the ACR Enterprise Edition instance, and the domain name and IP address of the associated OSS bucket.

      3. Create a VPC peering connection and configure a route table

        You must add route entries that point to the peer VPC at both ends of the VPC peering connection to enable private communication between the VPCs for the ACK cluster and the ACR Enterprise Edition instance. At the ACK cluster's end of the VPC peering connection, you must also configure route entries for the IP address of the authentication service and the IP address of the associated OSS bucket.

      4. Resolve the ACR instance domain name for the ACK cluster

        Use methods such as adding a private DNS record or using a node pool custom data script to batch modify the /etc/hosts file. This resolves the ACR instance's domain name to its private IP address, allowing the ACK cluster to forward traffic to the ACR instance's VPC through the configured route entries.

    • Public network: If both your ACR Enterprise instance and ACK cluster have public network access, you can pull images over the public network. For more information, see Configure ACR public network access control and Enable public network access for your cluster.

Use the managed password-free component

Step 1: Install the component

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Add-ons.

  3. On the Add-ons page, click the Security tab. Find the aliyun-acr-credential-helper (managed) card and click Install.

  4. On the Install aliyun-acr-credential-helper page, you will see the AcrInstanceInfo configuration and other options. AcrInstanceInfo defines settings for each ACR instance associated with the component. Other options are general component settings. If you do not need to change the namespaces or ServiceAccounts the component monitors, keep the default values.

    After installation, go to the Add-ons page and click Configurations on the aliyun-acr-credential-helper (managed) card to update the component settings.

    image

    ACR instance association settings:

    AcrInstanceInfo

    Description

    InstanceId

    The ACR instance ID. You can find it in the Container Registry console.

    Important

    Leave blank for ACR Personal instances. Required for ACR Enterprise instances.

    regionId

    The region ID of your ACR instance. You can find it in the Container Registry console.

    Important

    Required for cross-region image pulls.

    domains

    The domain names the password-free plug-in uses to access your ACR instance. By default, all domains (public and VPC) of the ACR instance specified above are included. To specify particular domains, separate them with commas (,).

    Cross-account image pull settings

    Use these settings only for cross-account image pulls. Leave blank if not needed.

    assumeRoleARN

    No configuration is needed for same-account pulls. For cross-account pulls, see Pull images across accounts.

    expireDuration

    rrsaRoleARN

    rrsaOIDCProviderRoleARN

    Component settings

    Setting

    Description

    Enable RRSA

    Select this option to enable RRSA. No configuration is needed for same-account pulls. For cross-account pulls, see Pull images across accounts.

    watchNamespace

    The namespaces where you want password-free image pulls. Default: default. Use all to enable password-free pulls in all namespaces. To specify multiple namespaces, separate them with commas (,). We recommend configuring only your business namespaces and avoiding all or system namespaces to prevent interference with system component image pulls.

    serviceAccount

    Specify the service accounts that are associated with managed aliyun-acr-credential-helper. Default value is Default. When the value is set to Default, it applies to the default service account in each specified namespace. If set to (*), it supports all service accounts in the specified namespace. To configure multiple service accounts, separate them with commas (,).

    expiringThreshold

    The credential expiration threshold inside the component. Default: 15m.

    notifyEmail

    No configuration needed.

Step 2: Pull images

After installing and configuring the password-free component, specify a ServiceAccount already associated with the component when creating your workload to enable password-free image pulls.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      serviceAccountName: my-service-account # Specify a ServiceAccount already associated with the password-free component
      containers:
      - name: nginx
        image: "******.cn-hangzhou.cr.aliyuncs.com/nginx/nginx:latest" # Specify the ACR image address
        ports:
        - containerPort: 80

Use the self-managed password-free component

Step 1: Install the component

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Add-ons.

  3. On the Add-ons page, click the Security tab. Find aliyun-acr-credential-helper and click Install.

  4. On the Parameters page, select a permission mode using tokenMode, then click OK. After installation, complete the component configuration as described in Step 2: Update component configuration (add ACR instances) before pulling images.

    tokenMode

    Description

    auto

    (Recommended) The component detects your cluster creation date and automatically selects a permission mode. Clusters created before April 3, 2023, use workerRole mode. Clusters created on or after April 3, 2023, use managedRole mode.

    Important

    Starting April 3, 2023, the aliyun-acr-credential-helper component includes a setting to customize the RAM role it depends on. For details, see [Product update] Announcement on changing permissions required by aliyun-acr-credential-helper.

    managedRole

    The component uses the AliyunCSManagedAcrRole granted in the Prerequisites section.

    workerRole

    The component uses the Worker RAM role of your cluster. You must grant specific permissions to this role.

    Select workerRole mode

    If you choose workerRole mode, your cluster's Worker RAM role must have the following permissions. For instructions, see Manage permissions for RAM roles.

    {
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "cr:GetAuthorizationToken",
                "cr:ListInstanceEndpoint",
                "cr:PullRepository"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
    Important

    Choose this mode to pull images across accounts using role assumption.

Step 2: Update component configuration (add ACR instances)

After installing the password-free component, configure the acr-configuration ConfigMap via the console or kubectl to add your ACR instances before pulling images.

Console

  1. On the Clusters page, click the name of your cluster. In the left navigation pane, click Configurations > ConfigMaps.

  2. On the ConfigMaps page, select kube-system from the Namespace drop-down list at the top. Click the acr-configuration ConfigMap and update it based on the following instructions.

    Component setting

    Description

    watch-namespace

    The namespaces where you want password-free image pulls. Default: default. Use all to enable password-free pulls in all namespaces. Separate multiple namespaces with commas (,). We recommend configuring only your business namespaces and avoiding all or system namespaces to prevent interference with system component image pulls.

    acr-api-version

    Keep the default value.

    expiring-threshold

    The credential expiration threshold inside the component. Default: 15m (15 minutes).

    acr-registry-info

    An array of container registry instance information in YAML multiline string format. Each instance is configured as a trituple.

    • instanceId: The ACR instance ID. You can find it in the Container Registry console.

      Important

      Leave blank for ACR Personal instances. Required for ACR Enterprise instances.

    • regionId: The region ID of your ACR instance. You can find it in the Container Registry console.

      Important

      Required for cross-region image pulls. See the configuration example below.

    • domains: The domain names the password-free plug-in uses to access your ACR instance. By default, all domains of the ACR instance specified in instanceId are included. To specify particular domains, separate them with commas (,).

    Cross-region pull configuration example

    When using ACR instances in multiple regions, specify the ID and region for each instance.

    data:
    service-account: "default"
    watch-namespace: "all"
    expiring-threshold: "15m"
    notify-email: "c*@aliyuncs.com"
    acr-registry-info: |
      - instanceId: "cri-instanceId"
        regionId: "cn-beijing"
      - instanceId: "cri-instanceId"
        regionId: "cn-hangzhou"

    service-account

    The ServiceAccounts associated with the password-free component. Separate multiple ServiceAccounts with commas (,). When set to default, the component associates with the default ServiceAccount in each namespace specified in watch-namespace. When set to “*”, the component associates with all ServiceAccounts in the specified namespaces.

12

kubectl

  1. Run the following command and update acr-configuration based on the instructions below.

    kubectl edit cm acr-configuration -n kube-system

    Key

    Configuration Item Key Description

    configuration item value

    service-account

    Apply the password-free component to specified service accounts.

    Default: default.

    Note

    To specify multiple service accounts, separate them with commas (,). If set to “*”, the component supports all ServiceAccounts in the specified namespaces.

    acr-registry-info

    An array of container registry instance information in YAML multiline string format. Each instance is configured as a trituple.

    Note

    Trituple fields:

    • instanceId: Instance ID. Required for Enterprise instances.

    • regionId: Optional. Defaults to the local region.

    • domains: Optional. Defaults to all domains of the instance. To specify particular domains, separate them with commas (,).

    Example configuration for an Enterprise container registry instance:

    - instanceId: <cri-instanceId>
  regionId: "cn-hangzhou"
  domains: "xxx.com,yyy.com"

    watch-namespace

    The namespaces where you want password-free image pulls.

    Default: default. Use all to enable password-free pulls in all namespaces. Separate multiple namespaces with commas (,).

    Note

    We recommend configuring only your business namespaces and avoiding all or system namespaces to prevent interference with system component image pulls.

    expiring-threshold

    The expiration threshold for locally cached credentials.

    Default: 15m (15 minutes).

Step 3: Pull images

After installing and configuring the password-free component, specify a ServiceAccount already associated with the component when creating your workload to enable password-free image pulls.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      serviceAccountName: my-service-account # Specify a ServiceAccount already associated with the password-free component
      containers:
      - name: nginx
        image: "******.cn-hangzhou.cr.aliyuncs.com/nginx/nginx:latest" # Specify the ACR image address
        ports:
        - containerPort: 80

FAQ

How do I enable immediate use of newly created ServiceAccounts?

Important

You must upgrade the password-free component to version v23.02.06.1-74e2172-aliyun or later to enable this feature.

When enabled, the password-free component uses a webhook to monitor ServiceAccount changes in your cluster. When a new ServiceAccount is created, the component immediately injects a password-free Secret into it. This feature is useful when a ServiceAccount must be ready for immediate use—for example, when deploying a Helm chart that creates both a ServiceAccount and a Deployment simultaneously. Because this feature affects component performance, we do not recommend enabling it in other scenarios.

Managed component

Install the acr-credential-helper-webhook component in your cluster:

  1. On the ACK Clusters page, click the name of your cluster. In the left navigation pane, click Add-ons.

  2. On the Add-ons page, click the Security tab. Find the acr-credential-helper-webhook (managed) card and click Install.

Self-managed component

To enable this feature, add the following fields to your acr-configuration:

data:
  webhook-configuration: |
    enable: true
    failure-policy: Ignore
    timeout-seconds: 10

Setting

Description

enable

Whether to enable the webhook feature.

  • true: Enable.

  • false: Disable.

failure-policy

The policy for handling ServiceAccount creation when the feature encounters an error.

  • Ignore: Ignore the error and complete ServiceAccount creation (but the Secret for image pulls might not be attached).

  • Fail: Abort ServiceAccount creation on error (not recommended, as it may cause deployment failures).

Important

Due to limitations of your cluster’s API Server, if you set timeout-seconds to 15 and failure-policy to Fail, creating 10 ServiceAccounts per second continuously may result in failures.

timeout-seconds

The timeout duration (in seconds) for processing a single ServiceAccount creation request. If exceeded, the component responds according to the failure-policy setting. Default: 10 seconds.

Why do image pulls still fail after configuring the password-free component?

A possible cause is incorrect component configuration, such as:

  • The instance information in the password-free component does not match your ACR instance.

  • The image address used for pulling does not match the domain name in the component’s instance configuration.

Follow the steps in this topic to troubleshoot.

If the component configuration is correct but pulls still fail, your workload YAML might contain a manually specified imagePullSecrets field that conflicts with the password-free component. Delete the imagePullSecrets field and recreate the pod to resolve the issue.

How do I use imagePullSecrets?

ACR Personal instances created on or after September 9, 2024, do not support the password-free component. For these instances, we recommend storing your username and logon password in a Secret and referencing it in the imagePullSecrets field.

Important

  • The password-free component cannot be used together with a manually specified imagePullSecrets field.

  • The Secret must be in the same namespace as your workload.

Example using imagePullSecrets

Run the following command, replacing the parameters, to create a Secret with your username and password.

kubectl create secret docker-registry image-secret-1 \
  --docker-server=<registry-server> \
  --docker-username=<name> \
  --docker-password=<password> \
  --docker-email=<email>

Use the Secret in your workload

apiVersion: apps/v1
kind: Deployment 
metadata:
  name: nginx-test
  namespace: default 
  labels:
    app: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx 
    spec:
      imagePullSecrets:
      - name: image-secret-1  # Use the Secret created in the previous step
      containers:
      - name: nginx 
        image: <acrID>.cr.aliyuncs.com/<repo>/nginx:latest  # Replace with your ACR URL

References

Previous:Manage imagesNext:Pull images across accounts