Amazon ECRをAWSの外から使う / Docker Meetup Kansai #5 AmazonECR

Slide 1

Slide 1 text

%PDLFS.FFUVQ,BOTBJ "NB[PO&$3Λ"84ͷ֎͔Β࢖͏ ࠤʑ໦ਅ໵

Slide 2

Slide 2 text

8IP Shinya Sasaki Head of Infrastructure Engineering at AlpacaJapan Co., Ltd. Osaka, Japan

Slide 3

Slide 3 text

"NB[PO&MBTUJD$POUBJOFS3FHJTUSZ "NB[PO&$3 w "84͕ఏڙ͢ΔϓϥΠϕʔτίϯςφϨδετϦ w

Slide 4

Slide 4 text

&$3ྉۚ w ετϨʔδ w 64%(# w σʔλసૹ *O w ແྉ w σʔλసૹ 0VU w ˠ w ಉҰϦʔδϣϯ಺ͷ&$ͱͷσʔλసૹ͸ແྉ ౦ژϦʔδϣϯɺݱࡏ https://aws.amazon.com/jp/ecr/pricing/

Slide 5

Slide 5 text

ࢀߟ %PDLFS)VCͷྉۚ ݱࡏ https://hub.docker.com/pricing

Slide 6

Slide 6 text

ࢀߟ %PDLFSVCͷྉۚ https://aws.amazon.com/jp/about-aws/whats-new/2019/10/announcing-image-scanning-for-amazon-ecr/

Slide 7

Slide 7 text

Ұൠతͳ࿩

Slide 8

Slide 8 text

ύϒϦοΫϨδετϦ͔Βͷ1VMM Public Repository docker pull (Image) Download

Slide 9

Slide 9 text

ϓϥΠϕʔτϨδετϦ͔Βͷ1VMM Private Repository docker pull (Image) Download docker login -u (User) -p (Pass) (URL) Login Succeeded

Slide 10

Slide 10 text

"NB[PO&$3͔Βͷ1VMM

Slide 11

Slide 11 text

"84αʔϏε͔Β&$3Πϝʔδͷ1VMM ECR AWS Account docker pull (Image) Download EKS ECS IAM Role IAM Role ECR͔ΒͷPull͕ڐՄ͞ΕͨϙϦγʔ

Slide 12

Slide 12 text

"84αʔϏε͔Βͷ1VMM ΫϩεΞΧ΢ϯτ ECR AWS Account A docker pull (Image) Download EKS ECS IAM Role IAM Role ECR͔ΒͷPull͕ڐՄ͞ΕͨϙϦγʔ AWS Account B ผΞΧ΢ϯτΛڐՄ͢ΔϙϦγʔ

Slide 13

Slide 13 text

"84֎͔Βͷ&$3Πϝʔδͷ1VMM ECR AWS Account GetAuthorizationToken (aws ecr get-login) Token docker login -u AWS -p (Token) (ECR URL) Login Succeeded docker pull (Image) Download ECR͔ΒͷPull͕ڐՄ͞ΕͨϙϦγʔ

Slide 14

Slide 14 text

"84֎ͷLT͔Βͷ1VMM ECR AWS Account aws ecr get-login Other k8s cluster

Slide 15

Slide 15 text

"NB[PO&$3%PDLFS$SFEFOUJBM)FMQFS w BXTFDSHFUMPHJO͕ෆཁʹͳΔ w EPDLFSͷDSFEFOUJBMIFMQFSΛ࢖͏ w શϊʔυʹΫϨσϯγϟϧΛஔ͘ʁ https://github.com/awslabs/amazon-ecr-credential-helper

Slide 16

Slide 16 text

*NBHF1VMM4FDSFUTΛ࢖͑͹͍͍Β͍͠ kubectl create secret docker-registry \ --docker-server=DOCKER_REGISTRY_SERVER \ --docker-username=DOCKER_USER \ --docker-password=DOCKER_PASSWORD \ --docker-email=DOCKER_EMAIL

Slide 17

Slide 17 text

https://docs.aws.amazon.com/ja_jp/AmazonECR/latest/userguide/ECR_AWSCLI.html This command provides an authorization token that is valid for the specified registry for 12 hours.

Slide 18

Slide 18 text

https://medium.com/@damitj07/how-to-configure-and-use-aws-ecr-with-kubernetes-rancher2-0-6144c626d42c

Slide 19

Slide 19 text

https://medium.com/@damitj07/how-to-configure-and-use-aws-ecr-with-kubernetes-rancher2-0-6144c626d42c aws ecr get-login ͯ͠ɺ imagePullSecret Λ࡞Γ௚͢jobΛ ͓͖̒࣌ؒʹ࣮ߦ(cronjob)ͤ͞Δ

Slide 20

Slide 20 text

https://medium.com/@damitj07/how-to-configure-and-use-aws-ecr-with-kubernetes-rancher2-0-6144c626d42c - /bin/sh - -c - |- ACCOUNT=1234567890 REGION=my-region-1 SECRET_NAME=${REGION}-ecr-registry [email protected] TOKEN=`aws ecr get-login --region ${REGION} --registry-ids ${ACCOUNT} | cut -d' ' -f6` kubectl delete secret --ignore-not-found $SECRET_NAME kubectl create secret docker-registry $SECRET_NAME \ --docker-server=https://${ACCOUNT}.dkr.ecr.${REGION}.amazonaws.com \ --docker-username=AWS \ --docker-password="${TOKEN}" \ --docker-email="${EMAIL}" echo "Secret created by name. $SECRET_NAME" kubectl patch serviceaccount default -p '{"imagePullSecrets":[{"name":"'$SECRET_NAME'"}]}'

Slide 21

Slide 21 text

·ͱΊ w &$3ʹϩάΠϯ͢ΔͨΊʹ͸5PLFOͷऔಘ͕ඞཁ w 5PLFOͷ༗ޮظݶ͸࣌ؒͳͷͰ"84Ҏ֎ͷLT͔Β࢖͏ ৔߹͸ߋ৽͢Δ࢓૊Έ͕ඞཁ w ΋ͬͱ͍͍ํ๏͕͋Ε͹ڭ͑ͯԼ͍͞

Slide 22

Slide 22 text

5IBOLZPV