- 8. Sep
Kube-registry-proxy, which fixes the timeout issue in the Kubernetes registry proxy. This Docker image is configurable with the following environment variables: IP, PORT, FWDPORT.
IP is the cluster IP of the kubernetes-registry service. By default, PORT and FWDPORT are both 5000.
Once your shiny new Kubernetes cluster is up and running, one of the first things you’ll want to add is a local registry for storing private images. This is typically achieved using the official Kubernetes registry addon. Unfortunately, the official addon has a few shortcomings, especially with regard to security. In this post, I’ll describe these shortcomings, how they can be addressed, and point to a tool we’ve built that can help when setting up a registry.
Private Docker Registry in Kubernetes
Kubernetes offers an optional private Docker registry addon, which you can turn
on when you bring up a cluster or install later. This gives you a place to
store truly private Docker images for your cluster.
How it works
The private registry runs as a Pod in your cluster. It does not currently
support SSL or authentication, which triggers Docker's "insecure registry"
logic. To work around this, we run a proxy on each node in the cluster,
exposing a port onto the node (via a hostPort), which Docker accepts as
"secure", since it is accessed by localhost.
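The per-node proxy described above, written out as a DaemonSet manifest. This is an added example, not the addon's own manifest: the image name and the cluster IP are placeholders, the IP/PORT/FWDPORT variables are the ones listed for the kube-registry-proxy image at the top of this page, and hostIP is set so the host port is bound only on the loopback interface (the network plugin must honour hostIP for this to take effect), which keeps the unauthenticated registry from being reachable from other hosts through the proxy.

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-registry-proxy
  namespace: kube-system
  labels:
    k8s-app: kube-registry-proxy
spec:
  selector:
    matchLabels:
      k8s-app: kube-registry-proxy
  template:
    metadata:
      labels:
        k8s-app: kube-registry-proxy
    spec:
      containers:
      - name: kube-registry-proxy
        # placeholder image reference; substitute the proxy image you use
        image: registry.example.invalid/kube-registry-proxy:latest
        env:
        - name: IP
          # constructed value: the cluster IP of the kube-registry Service
          value: "10.0.0.10"
        - name: PORT
          value: "5000"
        - name: FWDPORT
          value: "5000"
        ports:
        - name: registry
          containerPort: 5000
          # the node-local port Docker talks to as localhost:5000
          hostPort: 5000
          # bind the host port on loopback only, not on every node interface
          hostIP: 127.0.0.1
          protocol: TCP
```

On each node, `docker pull localhost:5000/<image>` then reaches the registry through the proxy without triggering Docker's insecure-registry handling, while `ss -ltn` on the node should show port 5000 listening on 127.0.0.1 rather than 0.0.0.0.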
Turning it on
Some cluster installs (e.g. GCE) support this as a cluster-birth flag. The
ENABLE_CLUSTER_REGISTRY variable in cluster/gce/config-default.sh governs
whether the registry is run or not. To set this flag, you can specify
KUBE_ENABLE_CLUSTER_REGISTRY=true when running kube-up.sh. If your cluster
does not include this flag, the following steps should work. Note that some of
this is cloud-provider specific, so you may have to customize it a bit.
Make some storage
The primary job of the registry is to store data. To do that we have to decide
where to store it. For cloud environments that have networked storage, we can
use Kubernetes's PersistentVolume abstraction.