So you've got your shiny new Kubernetes cluster up-and-running. You've tried running the standard nginx image and now you'd like to build and run your own image. But how are you going to get your image on the cluster?
You're going to need to push your image to a registry that is accessible to Kubernetes. The obvious option is to use the Docker Hub, but what if you want to keep your image private? Or you don't want to be waiting ages on downloads over the internet? Maybe you can use the registry associated with your cloud provider, but will you get charged for that?
The right question is actually, why do you need an external registry at all -- can't you just push images into Kubernetes directly?
The answer: run a registry inside the Kubernetes cluster itself. This way there's no need to worry about hidden costs or pushing to external resources. You can use the default Docker registry for this purpose, but to do this securely requires setting up TLS certificates and manual twiddling. A simpler option is to install the Trow registry via its install script, which will also take care of configuring TLS correctly.
If you have kubectl running and pointing at your Kubernetes cluster, all you need to do is:
$ git clone https://github.com/ContainerSolutions/trow.git
$ cd trow
$ ./install.sh
... (answer y to all the prompts)
(You may also need to extend your user's privileges by running `kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=username`.)
The script has set up the domain `trow.kube-public` to point at your cluster. We can now tag and push our local image:
$ docker tag myimage trow.kube-public:31000/myimage:mytag
$ docker push trow.kube-public:31000/myimage:mytag
...
And finally run it inside Kubernetes:
$ kubectl run trow-test --image=trow.kube-public:31000/myimage:mytag
deployment.apps "trow-test" created
$ kubectl get deploy trow-test
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
trow-test 1 1 1 1 8s
Problem solved! We've got our image up and running in a few moments without any external services or extra cost.
But wait, it gets better. Trow is much more than a quick way to get a registry running. It's designed to be an image management solution. One of the other things Trow does is control what images are allowed to run in the cluster. If you said "yes" to the validation step in the start-up script, Trow will only allow images stored inside Trow and the official Kubernetes images to run. For example, if we try to run a Docker Hub image:
$ kubectl run proxy --image=nginx
deployment.apps "proxy" created
$ kubectl get deployment proxy
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
proxy 1 0 0 0 13s
$ kubectl describe rs proxy
...
Warning FailedCreate 16s (x13 over 57s) replicaset-controller Error creating: admission webhook "validator.trow.io" denied the request: Remote image docker.io/nginx disallowed as not contained in this registry and not in allow list
Trow allows full control over what images and registries can be used to download images by using allow and block lists.
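To make the validation step concrete, here is an added example (not Trow's own code) of the decision an admission webhook like the one above has to make: accept images stored in the in-cluster registry, accept remote sources on an allow list, reject anything on a block list, and deny the rest with the kind of message shown in the `kubectl describe` output. The registry address comes from the push commands above; the allow-list entry and the sample AdmissionReview request are constructed for illustration.

```python
import json

# From the post: the in-cluster registry the images were pushed to. The allow
# list entry is a constructed placeholder standing in for the "official
# Kubernetes images" the post says Trow permits; its real defaults may differ.
LOCAL_REGISTRY = "trow.kube-public:31000"
ALLOW_LIST = ("k8s.gcr.io/",)
BLOCK_LIST = ()

def normalise(image):
    """Make the registry explicit ('nginx' -> 'docker.io/nginx', as in the
    webhook message). The first path component is a registry only if it looks
    like a host: contains '.' or ':' or is 'localhost'."""
    first = image.split("/", 1)[0]
    if "/" not in image or not ("." in first or ":" in first or first == "localhost"):
        return "docker.io/" + image
    return image

def check_pod(spec, local=LOCAL_REGISTRY, allow=ALLOW_LIST, block=BLOCK_LIST):
    """Return (allowed, message) for a pod spec. Init containers are checked
    too; validating only `containers` would leave them outside the policy."""
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        image = normalise(c["image"])
        if image.startswith(local + "/"):
            continue  # stored in this registry
        if any(image.startswith(b) for b in block):
            return False, f"Remote image {image} disallowed as it is in block list"
        if any(image.startswith(a) for a in allow):
            continue  # explicitly allowed remote source
        return False, (f"Remote image {image} disallowed as not contained "
                       "in this registry and not in allow list")
    return True, ""

def review(body):
    """Turn an AdmissionReview request (JSON text) into the response the API
    server expects: an allowed flag plus a status message when denying."""
    req = json.loads(body)["request"]
    allowed, msg = check_pod(req["object"]["spec"])
    resp = {"uid": req["uid"], "allowed": allowed}
    if not allowed:
        resp["status"] = {"code": 403, "message": msg}
    return {"apiVersion": "admission.k8s.io/v1beta1",
            "kind": "AdmissionReview", "response": resp}

# Constructed sample request: the pod behind `kubectl run proxy --image=nginx`.
SAMPLE_REQUEST = json.dumps({"request": {"uid": "demo-uid", "object": {
    "spec": {"containers": [{"name": "proxy", "image": "nginx"}]}}}})
```

Feeding `SAMPLE_REQUEST` to `review()` yields a denial whose message matches the one the replicaset-controller reported above, while an image tagged `trow.kube-public:31000/...` passes.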
You can also see all of this in a single screencast:
At the moment Trow is alpha software, but future plans include:
- Advanced distribution of images to improve rollout speed
- Full audit logs
- Support for immutable tags and other image controls
- Advanced search and cataloguing options
- Integration with authn & authzn solutions
- Integration with vulnerability scanners
If you've found Trow useful and would like to help shape its future direction, please get in touch!