Using Amazon ECR from Outside AWS / Docker Meetup Kansai #5 AmazonECR
sasaki
November 22, 2019
Transcript
Docker Meetup Kansai
Using Amazon ECR from Outside AWS
Shinya Sasaki

Who
Shinya Sasaki, Head of Infrastructure Engineering at AlpacaJapan Co., Ltd., Osaka, Japan

Amazon Elastic Container Registry (Amazon ECR)
• A private container registry provided by AWS

ECR pricing
• Storage: USD/GB
• Data transfer In: free
• Data transfer Out
• Data transfer to and from EC2 in the same region is free
Tokyo region, current at the time: https://aws.amazon.com/jp/ecr/pricing/

Reference: Docker Hub pricing (current at the time)
https://hub.docker.com/pricing

Reference: Docker Hub pricing
https://aws.amazon.com/jp/about-aws/whats-new/2019/10/announcing-image-scanning-for-amazon-ecr/

General case

Pull from a public registry
Diagram labels: Public Repository; docker pull (Image); Download

Pull from a private registry
Diagram labels: Private Repository; docker pull (Image); Download; docker login -u (User) -p (Pass) (URL); Login Succeeded

Pull from Amazon ECR

Pulling an ECR image from an AWS service
Diagram labels: ECR; AWS Account; docker pull (Image); Download; EKS; ECS; IAM Role; IAM Role; policy that permits pull from ECR

Pull from an AWS service (cross-account)
Diagram labels: ECR; AWS Account A; docker pull (Image); Download; EKS; ECS; IAM Role; IAM Role; policy that permits pull from ECR; AWS Account B; policy that permits the other account

Pulling an ECR image from outside AWS
Diagram labels: ECR; AWS Account; GetAuthorizationToken (aws ecr get-login); Token; docker login -u AWS -p (Token) (ECR URL); Login Succeeded; docker pull (Image); Download; policy that permits pull from ECR

Pull from k8s outside AWS
Diagram labels: ECR; AWS Account; aws ecr get-login; Other k8s cluster

Amazon ECR Docker Credential Helper
• Makes aws ecr get-login unnecessary
• Uses Docker's credential helper
• Put credentials on every node?
https://github.com/awslabs/amazon-ecr-credential-helper

Apparently ImagePullSecrets can be used

    kubectl create secret docker-registry <name> \
      --docker-server=DOCKER_REGISTRY_SERVER \
      --docker-username=DOCKER_USER \
      --docker-password=DOCKER_PASSWORD \
      --docker-email=DOCKER_EMAIL

https://docs.aws.amazon.com/ja_jp/AmazonECR/latest/userguide/ECR_AWSCLI.html
This command provides an authorization token that is valid for the specified registry for 12 hours.

https://medium.com/@damitj07/how-to-configure-and-use-aws-ecr-with-kubernetes-rancher2-0-6144c626d42c
Run aws ecr get-login and have a job that re-creates the imagePullSecret run every 6 hours (cronjob).

https://medium.com/@damitj07/how-to-configure-and-use-aws-ecr-with-kubernetes-rancher2-0-6144c626d42c

    - /bin/sh
    - -c
    - |-
      ACCOUNT=1234567890
      REGION=my-region-1
      SECRET_NAME=${REGION}-ecr-registry
      EMAIL=anymail.doesnt.matter@email.com
      # get-login prints "docker login -u AWS -p <token> ..."; field 6 is the token.
      # (AWS CLI v2 removed get-login; there `aws ecr get-login-password` prints the token directly.)
      TOKEN=$(aws ecr get-login --region "${REGION}" --registry-ids "${ACCOUNT}" | cut -d' ' -f6)
      # Replace the existing pull secret with one built from the fresh token.
      kubectl delete secret --ignore-not-found "$SECRET_NAME"
      kubectl create secret docker-registry "$SECRET_NAME" \
        --docker-server="https://${ACCOUNT}.dkr.ecr.${REGION}.amazonaws.com" \
        --docker-username=AWS \
        --docker-password="${TOKEN}" \
        --docker-email="${EMAIL}"
      echo "Secret created by name. $SECRET_NAME"
      # Make the default service account use the secret for image pulls.
      kubectl patch serviceaccount default -p '{"imagePullSecrets":[{"name":"'$SECRET_NAME'"}]}'
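
A variant of the refresh job above, as an added example that is not from the slides or the quoted article: it takes the token from `aws ecr get-authorization-token` and pipes a Secret manifest to `kubectl apply -f -`, so the token is never passed as a command-line argument and the Secret is updated in place instead of being deleted and re-created. The function names and the `--apply` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the slides or the quoted article).
# Assumption: GetAuthorizationToken's authorizationToken is base64("AWS:<password>"),
# the same encoding Docker's config.json uses for its "auth" field.

# Print the Docker config JSON for one registry.
# $1 = registry URL, $2 = authorizationToken
dockerconfigjson() {
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$1" "$2"
}

# Print a kubernetes.io/dockerconfigjson Secret manifest.
# $1 = secret name, $2 = registry URL, $3 = authorizationToken
secret_manifest() {
  cfg=$(dockerconfigjson "$2" "$3" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $cfg
EOF
}

# Fetch a fresh token and update the Secret. $1 = account ID, $2 = region
refresh_ecr_secret() {
  registry="https://$1.dkr.ecr.$2.amazonaws.com"
  token=$(aws ecr get-authorization-token --region "$2" --registry-ids "$1" \
            --query 'authorizationData[0].authorizationToken' --output text) || return 1
  [ -n "$token" ] || return 1
  # The manifest travels over stdin; apply updates the Secret without a delete step.
  secret_manifest "$2-ecr-registry" "$registry" "$token" | kubectl apply -f -
}

# Runs only when asked, e.g.: sh refresh.sh --apply 123456789012 ap-northeast-1
if [ "${1:-}" = "--apply" ]; then
  refresh_ecr_secret "$2" "$3"
fi
```

The Secret name follows the `${REGION}-ecr-registry` convention of the script above, so the existing `imagePullSecrets` patch on the service account keeps working.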
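
Summary
• Logging in to ECR requires obtaining a token
• The token is valid for only 12 hours, so using ECR from k8s outside AWS requires a mechanism to refresh it
• If there is a better way, please let me know

Thank you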