From YouTube: Google Container Registry - Jeffrey Van Gogh
Description
Recorded on February 25th, 2015 at the Kubernetes Gathering in San Francisco, CA, USA
A
Most of the demos today were about running things in Kubernetes. Most demos were using images from the public Docker Hub, which was great, but once you start developing your real applications, you don't want a public image on Docker Hub, right? You want to have your private image with your private IP secured.
A
We store them in your Google Cloud Storage, so they're in your project, they're in your visibility, they're using the Google Cloud security model, so OAuth and different scopes using raw models, and so we think we give you a much more secure, reliable service. So I'm going to demo how you could use this. So I have this small application here. It's just a hello web server written in Go that I've built, and I'm going to do a docker build.
A
We made it as short as possible because let me know that you're going to type this frequently. So, same thing as if you were doing a normal docker build. The thing that I'm going to do slightly different than normal is, when I'm doing a docker push, instead of doing just a raw docker push, I'm going to do a gcloud preview docker push, and the reason I do this is that, as I said, we use OAuth for authentication.
A
A
You see that we created this magic bucket called artifacts and then your project name, appspot.com. This is where we uploaded all your containers and it's fully under your control. You can take it out. You can delete it. Like, after this upload, Google doesn't have access to it. It's actually encrypted in Google Cloud Storage and the only one who has access is people on your project.
A
A
It's a very small cluster. I only added one node, but the thing I wanted to point out here is that if you look at what permissions this cluster has for storage, it only has read-only access, and so that means that, even if somebody were to accidentally or, like, hack into my production service, they only have access to my registry in read-only mode. So they cannot mess up my images that I have stored.
A
My JSON config for the pod, you'll see that I do the same thing: I prefix gcr.io and the rest is just the same as if I were pulling from the public Docker Hub. So let's create this, and because I'm using the hosted version, Container Engine, and I haven't switched to config coupe control either yet, I use the gcloud preview command to start this container. It warns me that it's deprecated.
A
Okay, so now it's spun up and I can actually go to the endpoint. I can see that it's running. As you notice, I didn't put any username or password for accessing my private registry. The way that it works is we actually contributed code to the open source Kubernetes that will interact with Google's OAuth authentication provider.
A
It gets an access token from the metadata server and uses that to authenticate, and so, even if I log into my Kubernetes cluster and were to try to do a docker push, it would deny me access, and so we think this will give a much more secure environment for hosting your images.
A
So the Google Container Registry is currently in beta. We only charge you for the raw GCS storage cost and networking egress cost. So that means that, if you're running on Google Cloud, downloading images is free. You're only paying for the storage on the Google Cloud Storage. We're working on management APIs, UI, and we hope to be in general availability later this year, and that's all I had. Thank you.