Post No. 11332, in section Sysadmin, posted August 27th, 2021. Filed under: Docker, Kubernetes
MicroK8s includes a Docker registry feature, but it is absolutely not secure; it is meant only for local developer use.
So remove the old “registry” service (NodePort) and create a new one:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: registry-external
  namespace: container-registry
  labels:
    app: registry
spec:
  ports:
    - port: 5000
      name: registry
      protocol: TCP
      targetPort: registry
  selector:
    app: registry
  type: ClusterIP
```
The new service points to the same place but does not open port 32000.
Now create the secret. Do not change the file name; it's important, because the file name becomes the key name inside the secret:
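```bash
# Write user "kubernetes" to a new htpasswd file named "auth"
htpasswd -bc auth kubernetes PruedAtshyohuciabIdcav
# Render the Secret manifest without creating it (a bare --dry-run is deprecated)
kubectl create secret generic basic-auth --from-file=auth --dry-run=client -o yaml
```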
Good! Add the new secret to your cluster:
```yaml
apiVersion: v1
data:
  auth: a3ViZXJuZXRlczokYXByMSRHQXNKamVGbiRzWFNDSVNxOGwuYVlwTkhTajlpQ2EuCg==
kind: Secret
metadata:
  creationTimestamp: null
  name: basic-auth
```
And now create an ingress resource with basic auth pointing to the new secret:
```yaml
# Note: the extensions/v1beta1 Ingress API was removed in Kubernetes 1.22;
# newer clusters need networking.k8s.io/v1 instead.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-http01
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
  name: registry
  namespace: container-registry
spec:
  rules:
    - host: registry.k8s.huy.net
      http:
        paths:
          - backend:
              serviceName: registry-external
              servicePort: registry
            path: /
  tls:
    - hosts:
        - registry.k8s.huy.net
      secretName: tls-registry-k8s-huy-net
```
You did it!
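A consistency check for the Secret and Ingress above, as an added example that is not part of the original post: it confirms that the htpasswd data sits under the `auth` key and that the Secret lives in the namespace where the Ingress will look for it. The function name and the dict form of the manifests (as produced by `kubectl get ... -o json`) are assumptions of this example.

```python
import base64

PREFIX = "nginx.ingress.kubernetes.io/"

# Relevant fields of the two manifests from the post, written as dicts.
PAGE_SECRET = {
    "metadata": {"name": "basic-auth"},
    "data": {"auth": "a3ViZXJuZXRlczokYXByMSRHQXNKamVGbiRzWFNDSVNxOGwuYVlwTkhTajlpQ2EuCg=="},
}
PAGE_INGRESS = {"metadata": {
    "name": "registry", "namespace": "container-registry",
    "annotations": {PREFIX + "auth-type": "basic", PREFIX + "auth-secret": "basic-auth"},
}}

def check_basic_auth(secret, ingress):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    ann = ingress["metadata"].get("annotations", {})
    ing_ns = ingress["metadata"].get("namespace", "default")
    if ann.get(PREFIX + "auth-type") != "basic":
        problems.append("auth-type is not 'basic'")

    # auth-secret is "name" (same namespace as the Ingress) or "namespace/name".
    want_ns, _, want_name = ann.get(PREFIX + "auth-secret", "").rpartition("/")
    want_ns = want_ns or ing_ns
    meta = secret["metadata"]
    if meta.get("name") != want_name:
        problems.append(f"ingress expects secret {want_name!r}, got {meta.get('name')!r}")
    if meta.get("namespace") != want_ns:
        problems.append(f"secret namespace is {meta.get('namespace')!r}, "
                        f"ingress looks in {want_ns!r}")

    # The htpasswd file must be stored under the key "auth" (hence the fixed file name).
    blob = secret.get("data", {}).get("auth")
    if blob is None:
        problems.append("secret has no 'auth' key")
        return problems
    for line in base64.b64decode(blob).decode().splitlines():
        user, sep, pw_hash = line.partition(":")
        if not (user and sep and pw_hash):
            problems.append(f"malformed htpasswd line: {line!r}")
        elif not pw_hash.startswith(("$", "{")):
            problems.append(f"user {user!r}: no prefixed hash scheme (crypt or plaintext?)")
    return problems

if __name__ == "__main__":
    for problem in check_basic_auth(PAGE_SECRET, PAGE_INGRESS):
        print("PROBLEM:", problem)
```

Run against the manifests as printed, it reports that the Secret carries no namespace while the Ingress is in container-registry, so the Secret has to be applied with `-n container-registry` for the auth annotation to find it.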