DocsICP FilingConsole
官方文档
首页

Use the passwordless component to pull an image from an ACR Enterprise Edition instance in the same account

更新时间:
复制 MD 格式
产品详情
我的收藏

The passwordless component automates authentication for pulling images, eliminating the need to repeatedly configure imagePullSecrets. This topic describes how to install, configure, and use the passwordless component, and provides important notes.

How it works

When you use Container Registry (ACR) as an image source without enabling anonymous image pulling, your ACK cluster must provide a username and password to authenticate each image pull. The common solution is to store these credentials in a Secret, but this approach has several drawbacks:

  • Secrets are Base64-encoded plaintext, which poses a security risk if exposed.

  • You must manually specifyimagePullSecrets for each workload.

  • Secrets cannot be shared across namespaces.

The passwordless component works as follows:

  1. The passwordless component obtains temporary credentials from the ACR instance.

  2. The component saves the temporary credentials to a Secret.

  3. The component associates the Secret with the ServiceAccounts specified in its configuration.

  4. Workloads that use these ServiceAccounts can then automatically pull images by using the temporary credentials stored in the Secret.

The passwordless component can manage ServiceAccounts across multiple namespaces and automatically refreshes the temporary credentials on a schedule. This reduces security risks and eliminates the need to manually addimagePullSecrets to your workloads. The passwordless component is free of charge.

Component comparison

ACK provides the aliyun-acr-credential-helper component in two editions: managed and self-managed. You can install only one edition at a time. The following table compares the two editions.

Item

aliyun-acr-credential-helper (managed)

aliyun-acr-credential-helper (self-managed)

Supported cluster versions

Version 1.22 or later of ACK managed clusters, ACK serverless clusters, or ACK Edge clusters

Version 1.20 or later ACK managed clusters or ACK dedicated clusters

Features

  • No self-management required

  • Supports cross-account image pulls by using RRSA

  • Supports querying component logs

  • Supports cross-account image pulls by using a worker RAM role, RRSA, or an AccessKey pair

To upgrade a cluster, see Manually upgrade a cluster.

Prerequisites

  • Your cluster version is supported by the passwordless component. For more information, see the preceding table.

  • You have an ACR Enterprise Edition instance.

    Important

    • The passwordless component supports only ACR Enterprise Edition instances and ACR Personal Edition instances created on or before September 8, 2024. If you cannot use the passwordless component, see How do I use imagePullSecrets?.

  • Permissions are granted to the RAM role used by the passwordless component. For more information, see Grant permissions.

  • Network connectivity is established between the ACR Enterprise Edition instance and the ACK cluster.

    Configure network connectivity

    Before you pull an image, make sure that the ACR Enterprise Edition instance and the ACK cluster can communicate with each other and the required domain names can be resolved. You can use one of the following methods to pull images within the same account:

    • ACR VPC access control: If the ACR Enterprise Edition instance and the ACK cluster are in the same region, the ACK cluster can access the ACR instance over a VPC. For more information, see Configure network access control.

    • VPC peering connection: If the ACR instance and the ACK cluster are not in the same VPC, you can use a VPC peering connection to connect the two VPCs. This allows the ACK cluster to access the ACR Enterprise Edition instance. VPC peering is free of charge for VPCs in the same region, but incurs charges for VPCs in different regions. For more information, see Billing. The CIDR blocks of the two VPCs cannot overlap. If the CIDR blocks in use largely overlap, you must modify the existing network architecture.

      VPC peering connection procedure

      1. Enable private domain name resolution for the ACR instance

        After you connect the ACR Enterprise Edition instance to the VPC, you can access the instance within the VPC by using its private domain name. After the configuration, obtain the VPC ID and the private IP address of the ACR Enterprise Edition instance.

      2. Obtain the domain name and IP address of the ACR instance

        Obtain the domain name and IP address of the authentication service used to access the ACR Enterprise Edition instance, and the domain name and IP address of the associated OSS bucket.

      3. Create a VPC peering connection and configure a route table

        You must add route entries that point to the peer VPC at both ends of the VPC peering connection to enable private communication between the VPCs for the ACK cluster and the ACR Enterprise Edition instance. At the ACK cluster's end of the VPC peering connection, you must also configure route entries for the IP address of the authentication service and the IP address of the associated OSS bucket.

      4. Resolve the ACR instance domain name for the ACK cluster

        Use methods such as adding a private DNS record or using a node pool custom data script to batch modify the /etc/hosts file. This resolves the ACR instance's domain name to its private IP address, allowing the ACK cluster to forward traffic to the ACR instance's VPC through the configured route entries.

    • Internet: If both the ACR Enterprise Edition instance and the ACK cluster can access the internet, images can be transferred over the internet. For more information, see Configure public access control for an ACR instance and Enable internet access for a cluster.

Use the managed passwordless component

Step 1: Install the component

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Add-ons.

  3. On the Add-ons page, click the Security tab, find the aliyun-acr-credential-helper (managed) card, and then click Install.

  4. On the Install component aliyun-acr-credential-helper page, view the AcrInstanceInfo settings and other options. AcrInstanceInfo contains the settings for each ACR instance that is associated with the component. The other options are component settings. If you do not need to change the namespaces or ServiceAccounts that the component monitors, you can keep the default settings.

    After the component is installed, you can change its settings by clicking Configurations on the aliyun-acr-credential-helper (managed) card on the Add-ons page.

    ACR instance association settings:

    AcrInstanceInfo

    Description

    InstanceId

    The ID of the ACR instance. You can obtain the ID from the Container Registry console.

    Important

    Leave this field blank for ACR Personal Edition instances. This field is required for ACR Enterprise Edition instances.

    regionId

    The ID of the region where the ACR instance is deployed. You can obtain the ID from the Container Registry console.

    Important

    This parameter is required for cross-region image pulls.

    domains

    The domain names used by the passwordless component to access the ACR instance. By default, this includes all domain names (internet and VPC) of the specified ACR instance. To specify multiple domain names, separate them with commas (,).

    Settings for cross-account image pulls

    These settings apply to cross-account image pulls. If you do not need this feature, leave the fields blank.

    assumeRoleARN

    No configuration is required for same-account pulls. For cross-account pulls, see Pull images across accounts.

    expireDuration

    rrsaRoleARN

    rrsaOIDCProviderRoleARN

    Component settings

    Parameter

    Description

    Enable RRSA

    Select this checkbox to enable RRSA. No configuration is required for same-account pulls. For cross-account pulls, see Pull images across accounts.

    watchNamespace

    The namespaces where you want to enable passwordless image pulls. The default value isdefault. Set the value toall to enable this feature for all namespaces. To specify multiple namespaces, separate them with commas (,). We recommend that you specify only your business namespaces and avoid usingall or namespaces for cluster system components to prevent disruptions to system image pulls.

    serviceAccount

    Specifies the ServiceAccount to which the managed passwordless component applies. The default value is Default. A value of Default applies the component to the default ServiceAccount in the specified namespaces. If you set the value to *, the component applies to all ServiceAccounts in the specified namespace. To specify multiple ServiceAccounts, separate them with a comma (,).

    expiringThreshold

    The expiration threshold for credentials in the component. The default value is15m.

    notifyEmail

    No configuration is required.

Step 2: Pull an image

After you install and configure the passwordless component, specify a ServiceAccount associated with the component when you create a workload. This enables passwordless image pulling.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      serviceAccountName: my-service-account # Specify a ServiceAccount that is associated with the passwordless component.
      containers:
      - name: nginx
        image: "******.cn-hangzhou.cr.aliyuncs.com/nginx/nginx:latest" # Specify the ACR image address.
        ports:
        - containerPort: 80

Use the self-managed passwordless component

Step 1: Install the component

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Add-ons.

  3. On the Add-ons page, click the Security tab, find the aliyun-acr-credential-helper card, and then click Install.

  4. On the Parameters page, select a permission mode from the tokenMode drop-down list and click OK. After the component is installed, you need to configure it before you can pull images. For more information, see Step 2: Update the component configuration (add an ACR instance).

    tokenMode

    Description

    auto

    (Recommended) The component detects the cluster creation time and automatically chooses a permission mode. Clusters created before April 3, 2023 use the workerRole mode. Clusters created on or after April 3, 2023 use the managedRole mode.

    Important

    Versions of aliyun-acr-credential-helper released on or after April 3, 2023 provide a parameter that allows you to customize the RAM role that the component depends on. For more information, see [Product Change] Announcement on changing the permissions required by the aliyun-acr-credential-helper component.

    managedRole

    The component uses the AliyunCSManagedAcrRole role authorized in Prerequisites to obtain permissions.

    workerRole

    The component uses the cluster worker RAM role to obtain permissions. You need to grant specific permissions to the worker RAM role.

    Select workerRole as the component mode

    If you select workerRole as the component permission mode, the cluster worker RAM role must have the following permissions. For information about how to grant permissions, see Manage RAM role permissions.

    {
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "cr:GetAuthorizationToken",
                "cr:ListInstanceEndpoint",
                "cr:PullRepository"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
    Important

    Select this mode if you need to pull images across accounts by assuming a role.

Step 2: Update the component configuration

After the passwordless component is installed, you need to configure theacr-configuration ConfigMap to add an ACR instance before you can pull images. You can do this by using the console or kubectl.

Console

  1. On the Clusters page, click the name of your cluster. In the left navigation pane, click Configurations > ConfigMaps.

  2. On the ConfigMaps page, select kube-system from the Namespace drop-down list. Then, click the acr-configuration ConfigMap and modify the settings as described in the following table.

    Parameter

    Description

    watch-namespace

    The namespaces where you want to enable passwordless image pulls. The default value isdefault. Set the value toall to enable this feature for all namespaces. To specify multiple namespaces, separate them with commas (,). We recommend that you specify only your business namespaces and avoid usingall or namespaces for cluster system components to prevent disruptions to system image pulls.

    acr-api-version

    Keep the default value.

    expiring-threshold

    The expiration threshold for credentials in the component. The default value is15m (15 minutes).

    acr-registry-info

    An array of ACR instance information in multi-line YAML string format. Each instance is configured with a set of three parameters.

    • instanceId: The ID of the ACR instance. You can obtain the ID from the Container Registry console.

      Important

      Leave this field blank for ACR Personal Edition instances. This field is required for ACR Enterprise Edition instances.

    • regionId: The ID of the region where the ACR instance is deployed. You can obtain the ID from the Container Registry console.

      Important

      This parameter is required for cross-region image pulls. For an example configuration, see the section below.

    • domains: The domain names used by the passwordless component to access the ACR instance. By default, this includes all domain names of the ACR instance specified byinstanceId. To specify multiple domain names, separate them with commas (,).

    Example configuration for cross-region pulls

    When using multiple ACR instances in different regions, you must specify the ID and region for each instance.

    data:
    service-account: "default"
    watch-namespace: "all"
    expiring-threshold: "15m"
    notify-email: "c*@aliyuncs.com"
    acr-registry-info: |
      - instanceId: "cri-instanceId"
        regionId: "cn-beijing"
      - instanceId: "cri-instanceId"
        regionId: "cn-hangzhou"

    service-account

    The ServiceAccounts associated with the passwordless component. To specify multiple ServiceAccounts, separate them with commas (,). If you set the value todefault, the component associates with the default ServiceAccount in each specified namespace. If you set the value to"*", the component associates with all ServiceAccounts in the specified namespaces.

kubectl

  1. Run the following command to edit theacr-configuration ConfigMap. Refer to the following table for configuration details.

    kubectl edit cm acr-configuration -n kube-system

    Parameter key

    Description

    Value

    service-account

    The ServiceAccounts that the passwordless component targets.

    The default value isdefault.

    Note

    To specify multiple ServiceAccounts, separate them with commas (,). If you set the value to"*", it applies to all ServiceAccounts in the specified namespaces.

    acr-registry-info

    An array of ACR instance information in multi-line YAML string format. Each instance is configured with a set of three parameters.

    Note

    Instance information parameters:

    • instanceId: The ID of the instance. This is required for Enterprise Edition instances.

    • regionId: Optional. Defaults to the local region.

    • domains: Optional. Defaults to all domain names of the corresponding instance. To specify multiple domain names, separate them with commas (,).

    Example configuration for an ACR Enterprise Edition instance:

    - instanceId: <cri-instanceId>
  regionId: "cn-hangzhou"
  domains: "xxx.com,yyy.com"

    watch-namespace

    The namespaces where you want to enable passwordless image pulls.

    The default value isdefault. Set the value toall to enable this feature for all namespaces. To specify multiple namespaces, separate them with commas (,).

    Note

    We recommend that you specify only your business namespaces and avoid usingall or namespaces for cluster system components to prevent disruptions to system image pulls.

    expiring-threshold

    The expiration threshold for locally cached credentials.

    The default value is15m (15 minutes).

Step 3: Pull an image

After you install and configure the passwordless component, specify a ServiceAccount associated with the component when you create a workload. This enables passwordless image pulling.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      serviceAccountName: my-service-account # Specify a ServiceAccount that is associated with the passwordless component.
      containers:
      - name: nginx
        image: "******.cn-hangzhou.cr.aliyuncs.com/nginx/nginx:latest" # Specify the ACR image address.
        ports:
        - containerPort: 80

FAQ

Enable immediate use of ServiceAccounts

Important

This feature requires aliyun-acr-credential-helper v23.02.06.1-74e2172-aliyun or later.

When enabled, the passwordless component uses a Webhook to monitor ServiceAccount changes in the cluster. When a new ServiceAccount is created, the component immediately injects the passwordless Secret. This is useful for scenarios where a ServiceAccount is used immediately after creation, such as when a Helm Chart creates both a ServiceAccount and a Deployment simultaneously. This feature may affect component performance and is not recommended for general use.

Managed component

To enable this feature, install the acr-credential-helper-webhook component in your cluster:

  1. On the ACK Clusters page, click the name of your cluster. In the left navigation pane, click Add-ons.

  2. On the Add-ons page, click the Security tab, find the acr-credential-helper-webhook (managed) card, and then click Install.

Self-managed component

To enable this feature, add the following fields to the acr-configuration ConfigMap:

data:
  webhook-configuration: |
    enable: true
    failure-policy: Ignore
    timeout-seconds: 10

Parameter

Description

enable

Specifies whether to enable the Webhook feature.

  • true: Enables the feature.

  • false: Disables the feature.

failure-policy

The policy for handling exceptions during ServiceAccount creation.

  • Ignore: Ignores the exception and allows the ServiceAccount to be created normally. The image pulling Secret may not be attached.

  • Fail: Halts the creation of the ServiceAccount in case of an exception. This is not recommended as it may cause deployment failures.

Important

Due to a limitation of the cluster API Server, if timeout-seconds is set to 15, failure-policy is set to Fail, and you continuously create 10 ServiceAccounts per second, the creation of ServiceAccounts will fail.

timeout-seconds

The timeout period for a single ServiceAccount creation request. If the timeout is exceeded, the system responds according to thefailure-policy setting. The default value is 10 seconds (s).

Troubleshoot image pull failures

One possible cause is an incorrect passwordless component configuration, for example:

  • The instance information configured in the passwordless component does not match the ACR instance.

  • The image address used for pulling does not match the domain name specified in the component's instance information.

Follow the steps in this topic to troubleshoot the issue.

If the component is configured correctly but image pulling still fails, it may be due to a conflict between a manually specifiedimagePullSecrets field in the workload YAML and the passwordless component. To resolve this, manually remove theimagePullSecrets field and recreate the Pod.

How do I use imagePullSecrets?

ACR Personal Edition instances created on or after September 9, 2024 do not support the passwordless component. For these instances, we recommend that you store the username and password in a Secret and reference it in theimagePullSecrets field.

Important

  • The passwordless component is incompatible with a manually specifiedimagePullSecrets field.

  • The Secret must be in the same namespace as the workload.

Example of using imagePullSecrets

Run the following command and replace the parameters to create a Secret with your username and password.

kubectl create secret docker-registry image-secret-1 \
  --docker-server=<registry-server> \
  --docker-username=<name> \
  --docker-password=<password> \
  --docker-email=<email>

Use the Secret in your workload:

apiVersion: apps/v1
kind: Deployment 
metadata:
  name: nginx-test
  namespace: default 
  labels:
    app: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx 
    spec:
      imagePullSecrets:
      - name: image-secret-1  # Use the Secret created in the previous step.
      containers:
      - name: nginx 
        image: <acrID>.cr.aliyuncs.com/<repo>/nginx:latest  # Replace with the ACR image address.

Related topics

Previous:Secret-free componentsNext:Pull images across accounts