Using Amazon ECR from outside AWS / Docker Meetup Kansai #5 AmazonECR

sasaki
November 22, 2019

Transcript

  1. Docker Meetup Kansai #5

    Using Amazon ECR from outside AWS

    Shinya Sasaki

  2. Who
    Shinya Sasaki
    Head of Infrastructure Engineering
    at AlpacaJapan Co., Ltd.
    Osaka, Japan

  3. Amazon Elastic Container Registry
    Amazon ECR

    - Private container registry provided by AWS

  4. ECR pricing
    - Storage
      - USD/GB
    - Data transfer In
      - Free
    - Data transfer Out
      - →
      - Data transfer to and from EC2 within the same region is free
    Tokyo region, at present
    https://aws.amazon.com/jp/ecr/pricing/

  5. Reference
    Docker Hub pricing
    At present
    https://hub.docker.com/pricing

  6. Reference
    Docker Hub pricing
    https://aws.amazon.com/jp/about-aws/whats-new/2019/10/announcing-image-scanning-for-amazon-ecr/

  7. General background

  8. Pull from a public registry
    Public Repository
    docker pull (Image)
    Download

  9. Pull from a private registry
    Private Repository
    docker pull (Image)
    Download
    docker login -u (User) -p (Pass) (URL)
    Login Succeeded

  10. Pull from Amazon ECR

  11. Pulling ECR images from AWS services
    ECR
    AWS Account
    docker pull (Image)
    Download
    EKS
    ECS
    IAM Role
    IAM Role
    Policy that permits pulls from ECR

  12. Pull from AWS services
    Cross-account

    ECR
    AWS Account A
    docker pull (Image)
    Download
    EKS
    ECS
    IAM Role
    IAM Role
    Policy that permits pulls from ECR
    AWS Account B
    Policy that permits the other account

  13. Pulling ECR images from outside AWS
    ECR
    AWS Account
    GetAuthorizationToken
    (aws ecr get-login)
    Token
    docker login -u AWS -p (Token) (ECR URL)
    Login Succeeded
    docker pull (Image)
    Download
    Policy that permits pulls from ECR

  14. Pull from k8s outside AWS
    ECR
    AWS Account
    aws ecr get-login
    Other k8s cluster

  15. Amazon ECR Docker Credential Helper
    - Makes aws ecr get-login unnecessary
    - Uses Docker's credential helper mechanism
    - Put credentials on every node?
    https://github.com/awslabs/amazon-ecr-credential-helper

  16. Apparently ImagePullSecrets is the way to do it
    kubectl create secret docker-registry SECRET_NAME \
      --docker-server=DOCKER_REGISTRY_SERVER \
      --docker-username=DOCKER_USER \
      --docker-password=DOCKER_PASSWORD \
      --docker-email=DOCKER_EMAIL

  17. https://docs.aws.amazon.com/ja_jp/AmazonECR/latest/userguide/ECR_AWSCLI.html
    This command provides an authorization token that
    is valid for the specified registry for 12 hours.


  18. https://medium.com/@damitj07/how-to-configure-and-use-aws-ecr-with-kubernetes-rancher2-0-6144c626d42c


  19. https://medium.com/@damitj07/how-to-configure-and-use-aws-ecr-with-kubernetes-rancher2-0-6144c626d42c
    Run aws ecr get-login, and have a job that
    recreates the imagePullSecret
    execute every 6 hours (as a cronjob)

  20. https://medium.com/@damitj07/how-to-configure-and-use-aws-ecr-with-kubernetes-rancher2-0-6144c626d42c
    - /bin/sh
    - -c
    - |-
      ACCOUNT=1234567890
      REGION=my-region-1
      SECRET_NAME=${REGION}-ecr-registry
      # Placeholder address
      EMAIL=user@example.com
      # get-login prints a complete "docker login" command; field 6 is the token
      TOKEN=`aws ecr get-login --region ${REGION} --registry-ids ${ACCOUNT} | cut -d' ' -f6`
      # Recreate the pull secret with the fresh token
      kubectl delete secret --ignore-not-found $SECRET_NAME
      kubectl create secret docker-registry $SECRET_NAME \
        --docker-server=https://${ACCOUNT}.dkr.ecr.${REGION}.amazonaws.com \
        --docker-username=AWS \
        --docker-password="${TOKEN}" \
        --docker-email="${EMAIL}"
      echo "Secret created by name. $SECRET_NAME"
      # Make the default service account use the secret for image pulls
      kubectl patch serviceaccount default -p '{"imagePullSecrets":[{"name":"'$SECRET_NAME'"}]}'

  21. Summary
    - Logging in to ECR requires obtaining a token
    - The token is valid for 12 hours, so using ECR from k8s outside AWS
      requires a mechanism to refresh it
    - If there is a better way, please let me know

  22. Thank you

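The refresh job on slide 20 deletes the secret before recreating it and passes the token through `--docker-password`. As an added example (not from the talk or the linked article), the script below builds the pull-secret payload straight from the ECR authorization token and applies it in place; the function names, registry host and token are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the slides. In a real job the token would come from:
#   aws ecr get-authorization-token \
#     --query 'authorizationData[0].authorizationToken' --output text
# That field is base64("AWS:<password>"), the same encoding Docker uses for
# the "auth" field of a registry entry, so it can be stored as-is.

# Constructed sample values (not a real account or token).
SAMPLE_REGISTRY=123456789012.dkr.ecr.us-east-1.amazonaws.com
SAMPLE_TOKEN=$(printf 'AWS:constructed-password' | base64 | tr -d '\n')

# Print the .dockerconfigjson document for one registry.
# $1 = registry host or URL, $2 = authorizationToken
ecr_dockerconfig() {
  # Only characters that need no JSON escaping are accepted.
  case "$1" in ''|*[!A-Za-z0-9.:/-]*) echo "bad registry" >&2; return 1 ;; esac
  case "$2" in ''|*[!A-Za-z0-9+/=]*) echo "bad token" >&2; return 1 ;; esac
  decoded=$(printf '%s' "$2" | base64 -d 2>/dev/null) || return 1
  # ECR issues the user name "AWS"; anything else is not an ECR token.
  case "$decoded" in
    AWS:?*) ;;
    *) echo "not an ECR token" >&2; return 1 ;;
  esac
  printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$1" "$2"
}

# Replace the pull secret with a single apply: the token never appears in
# argv, and there is no delete/create gap during which pods cannot pull.
# $1 = secret name, $2 = registry, $3 = authorizationToken
apply_pull_secret() {
  tmp=$(mktemp) || return 1
  ecr_dockerconfig "$2" "$3" > "$tmp" || { rm -f "$tmp"; return 1; }
  kubectl create secret generic "$1" \
    --type=kubernetes.io/dockerconfigjson \
    --from-file=.dockerconfigjson="$tmp" \
    --dry-run=client -o yaml | kubectl apply -f -
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Offline demonstration on the constructed sample; needs no AWS or cluster.
ecr_dockerconfig "$SAMPLE_REGISTRY" "$SAMPLE_TOKEN"
```

`apply_pull_secret` is defined but not called here because it needs `kubectl` access to a cluster; a CronJob would call it with the secret name that the service account's `imagePullSecrets` references.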