Docker images are normally stored on Docker Hub, but AWS's Elastic Container Registry can be used as well. It is a solid option, and this post shows how to push Docker images to AWS' Elastic Container Registry (ECR).
Create a Repository
Let's begin by using the aws-cli to create a repository.
aws ecr create-repository --repository-name myname
This command creates the repository and outputs the following JSON:
{
"repository": {
"repositoryArn": "arn:aws:ecr:eu-west-1:098765432123:repository/myname",
"registryId": "098765432123",
"repositoryName": "myname",
"repositoryUri": "098765432123.dkr.ecr.eu-west-1.amazonaws.com/myname",
"createdAt": 1543162198.0
}
}
It is also worth pointing out that putting a lifecycle policy in place to clean up older versions will save you a lot of time down the road. You can set one as follows. It is useful so that you don't get blocked from pushing a new version later on.
aws ecr put-lifecycle-policy --registry-id 098765432123 --repository-name myname --lifecycle-policy-text '{"rules":[{"rulePriority":10,"description":"Expire older images","selection":{"tagStatus":"any","countType":"imageCountMoreThan","countNumber":100},"action":{"type":"expire"}}]}'
There are many other ways to clean up, such as by image age. For now, though, we will clean up once there are more than 100 images in the repository.
Pushing and Pulling Images Locally
Start by authenticating your local Docker daemon against the ECR registry.
aws ecr get-login --registry-ids 098765432123 --no-include-email
This outputs a docker login command which, when run, adds a new user-password pair to the Docker configuration. Copy-paste it, or run it directly like this instead:
$(aws ecr get-login --registry-ids 098765432123 --no-include-email)
Pushing and pulling images now works exactly as it normally does with Docker itself.
docker push 098765432123.dkr.ecr.eu-west-1.amazonaws.com/myname:0.0.1
docker pull 098765432123.dkr.ecr.eu-west-1.amazonaws.com/myname:0.0.1
Privileges Required for Pushing Images
As ECR is part of AWS, you use IAM users' permissions to get the job done. It is always recommended to grant only the permissions required to achieve a particular task and nothing more.
There are three AWS managed policies that could be used for this:
AmazonEC2ContainerRegistryFullAccess
AmazonEC2ContainerRegistryPowerUser
AmazonEC2ContainerRegistryReadOnly
You can attach these policies to an IAM user like this:
aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly --user-name andrewodendaal
You can also create your own policies, say for a CI/CD user that performs builds.
Start by creating an IAM group:
aws iam create-group --group-name myname-developers
{
"Group": {
"Path": "/",
"GroupName": "myname-developers",
"GroupId": "BBB4JRDMJSHFNJSNF3ARET8KJ",
"Arn": "arn:aws:iam::098765432123:group/myname-developers",
"CreateDate": "2018-10-25T11:45:42Z"
}
}
Now add a user to the group:
aws iam add-user-to-group --group-name myname-developers --user-name andrewodendaal
Next, write the policy document for the group and save it as policy.json. Note that ecr:GetAuthorizationToken (needed for docker login) does not support resource-level permissions, so it has to be granted on "*" in its own statement; everything else is scoped to the repository:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "ecr:GetAuthorizationToken",
"Resource": "*"
}, {
"Effect": "Allow",
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:PutImage"
],
"Resource": "arn:aws:ecr:eu-west-1:098765432123:repository/myname"
}]
}
To create the policy, run create-policy with that JSON document:
aws iam create-policy --policy-name EcrPushPullMynameDevelopers --policy-document file://./policy.json
{
"Policy": {
"PolicyName": "EcrPushPullMynameDevelopers",
"PolicyId": "ANPAITNBFTFWZMI4WFOY6",
"Arn": "arn:aws:iam::098765432123:policy/EcrPushPullMynameDevelopers",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2018-10-25T12:00:15Z",
"UpdateDate": "2018-10-25T12:00:15Z"
}
}
Then finally attach it to the group:
aws iam attach-group-policy --group-name myname-developers --policy-arn arn:aws:iam::098765432123:policy/EcrPushPullMynameDevelopers
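As an added example (not part of the original post), the following Python generates the least-privilege policy document described above for one or more repositories, keeping ecr:GetAuthorizationToken on Resource "*" and scoping everything else to the repository ARNs. A pull-only variant (the set a cluster node or deploy user needs) is produced by leaving push=False; the region, account id and repository name are the constructed values from this post.

```python
import json

# Actions sufficient for `docker pull` (the read-only set from the policy above).
ECR_PULL_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:GetRepositoryPolicy",
    "ecr:DescribeRepositories",
    "ecr:ListImages",
    "ecr:DescribeImages",
    "ecr:BatchGetImage",
]
# Additional actions required for `docker push`.
ECR_PUSH_ACTIONS = [
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:PutImage",
]


def repository_arn(region, account_id, repo):
    return "arn:aws:ecr:%s:%s:repository/%s" % (region, account_id, repo)


def build_ecr_policy(region, account_id, repos, push=False):
    """Build an IAM policy document granting pull (or pull+push) on the given repos.

    ecr:GetAuthorizationToken has no resource-level permissions, so it is
    granted on "*" in its own statement; all other actions are scoped to the
    repository ARNs so the principal cannot touch other repositories.
    """
    actions = list(ECR_PULL_ACTIONS) + (list(ECR_PUSH_ACTIONS) if push else [])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
            {"Effect": "Allow", "Action": actions,
             "Resource": [repository_arn(region, account_id, r) for r in repos]},
        ],
    }


if __name__ == "__main__":
    # Constructed values matching this post; writes the file create-policy reads.
    doc = build_ecr_policy("eu-west-1", "098765432123", ["myname"], push=True)
    with open("policy.json", "w") as fh:
        json.dump(doc, fh, indent=2)
    print(json.dumps(doc, indent=2))
```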
Use ECR Images in Kubernetes
When we attached the IAM policy AmazonEC2ContainerRegistryReadOnly, it made every image available to every AWS account in the cluster.
To use an image properly though, set the image field of the pod template in your manifest to point to it:
image: 098765432123.dkr.ecr.eu-west-1.amazonaws.com/myname:0.0.1
Tagging Images
All Docker images pushed to a registry need to be identified by a tag. This can be any alphanumeric value.
It is always good practice to use semantic versioning in tags: MAJOR.MINOR.PATCH, such as 1.0.2.
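As an added example (not from the original post), this Python check ties the Kubernetes and tagging sections together: it parses an ECR image reference as used in a pod's image field and flags images that come from an unexpected account or region, from a repository outside an allow-list, or that are not pinned to a MAJOR.MINOR.PATCH tag (or a digest). The account id, region and repository name are the constructed values from this post; the allow-list is an assumption.

```python
import re

# <account>.dkr.ecr.<region>.amazonaws.com/<repo>[:<tag>][@sha256:<digest>]
# Tag syntax follows Docker's rules: starts with [A-Za-z0-9_], max 128 chars.
ECR_REF = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/"
    r"(?P<repo>[a-z0-9._/-]+)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)
SEMVER = re.compile(r"^\d+\.\d+\.\d+$")


def parse_ecr_ref(ref):
    """Split an ECR image reference into its parts, or return None if it is not one."""
    m = ECR_REF.match(ref)
    return m.groupdict() if m else None


def check_pod_image(ref, account, region, allowed_repos):
    """Return a list of problems with a pod's image reference (empty list means OK)."""
    parts = parse_ecr_ref(ref)
    if parts is None:
        return ["not an ECR image reference: " + ref]
    problems = []
    if parts["account"] != account or parts["region"] != region:
        problems.append("image is not from account %s in %s" % (account, region))
    if parts["repo"] not in allowed_repos:
        problems.append("repository %r is not allowed" % parts["repo"])
    if parts["digest"] is None:  # a digest pins the image; otherwise insist on semver
        tag = parts["tag"]
        if tag is None or tag == "latest":
            problems.append("image is not pinned: tag is missing or 'latest'")
        elif not SEMVER.match(tag):
            problems.append("tag %r is not MAJOR.MINOR.PATCH" % tag)
    return problems


if __name__ == "__main__":
    # Constructed pod images: the first is the one used in this post's manifest.
    for image in ["098765432123.dkr.ecr.eu-west-1.amazonaws.com/myname:0.0.1",
                  "098765432123.dkr.ecr.eu-west-1.amazonaws.com/myname:latest",
                  "111111111111.dkr.ecr.us-east-1.amazonaws.com/other:1.0.2"]:
        print(image, "->", check_pod_image(image, "098765432123", "eu-west-1", {"myname"}) or "OK")
```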