Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Kubernetes / Kubernetes Gathering (Feb, 2015) / 20 Mar 2015
Kubernetes / Kubernetes Gathering (Feb, 2015) / 20 Mar 2015
Previous Meeting
Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Google Container Registry - Jeffrey Van Gogh

Description

Recorded on Feburary 25th, 2015 at the Kubernetes Gathering in San Francisco, CA, USA

A

Most of the demos today were about running things in kubernetes, most demos were using images from the public docker hub, which was great, but once you start developing your real applications, you don't want a public image on docker hub right. You want to have your private image with your private ip secured.

A

Now there's a couple options: you can run your own registry or you can pay docker or other companies like quay for hosting it.

A

Of course, when you do that, you're relying on their service on their cloud provider of choice, and so we think with google, with that the whole plan of having google be the best place to run these things.

A

We can do better, and so we launched this thing called google container registry last month in beta, and it is a google hosted service, that's using the same infrastructure as gmail and search and youtube to provide you a highly reliable, high throughput service to host your docker images, and what we do is once you upload your docker images to our registry.

A

We store them in your google cloud storage, so they're in your project, they're in your visibility, um they're using the google cloud security model, so oauth and different scopes using raw models, and so we think we give you a much more secure, reliable service. So I'm going to demo how you could use this. So I have this small application here. It's just a hello web server written in, go that I've built and I'm going to do a docker build.

A

So the thing that you notice here that when I name this image, I prefix it with gcr.io, that's the endpoint of our registry.

A

We made it as short as possible because let me know that you're going to type this frequently um so same thing as if you were doing a normal docker build um the thing that I'm going to do slightly different than normal. Is I'm going to type when I'm doing a docker push? I'm start instead of doing just a raw docker push I'm going to do a gcloud preview, docker push, and the reason I do this is that, as I said, we use oauth for authentication.

A

We don't want to use basic, username and password because we don't want this username and passwords on your production machines.

A

So what this does? It takes an access token. It puts it in your docker config and then it passes through to docker as normal.

A

So this is uploading my image to google container registry and bear with me I'm the wi-fi is obviously in use for a lot of people right now.

A

Okay, so it uploaded my image and if I now go to my google cloud console and I look at the storage browser- and I do a refresh.

A

You see that we created this magic bucket called artifacts and then your project name asphalt.com. This is where we uploaded all your containers and it's fully under your control. You can take it out. You can delete it like after this upload, google doesn't have access to it. It's actually encrypted in google cloud storage and the only one who has access is people on your project.

A

So now it's uploaded this in google cloud and I want to use it with. Let's say: kubernetes, um I'm lazy. I don't want to set up goblin clusters myself, so I used google container engine and so I'm going to show you. I already spun up this container engine. It's running here.

A

It's a very small cluster. I only added one node, but the thing I wanted to point out here is that if you look at what permissions this cluster has for storage, it only has read-only access, and so that means that, even if somebody were to accidentally or like hack into my production service, they only have access to my registry in read-only mode. So they cannot mess up my images that I have stored.

A

um Okay, so let's deploy this application to that cluster. um So if I look in my.

A

My json config for the pod you'll see that I do the same thing I prefix gcr.io and rest is just the same as if I were pulling from the public docker hub. So let's create this, and because I'm using the the hosted version container engine and I haven't- switched to config coupe control either. Yet I use the gcode preview command to start this container. It warns me that it's deprecated.

A

Okay, so now it's spun up and I can actually go to the endpoint. I can see that it's running um as you notice, I didn't put any username or password for accessing my private registry. um The way that it works is we actually contributed code to the open source kubernetes that will interact with google's oauth authentication provider.

A

It gets an access token from the metadata server and uses that to authenticate, um and so, if I, even if I log into my kubernetes cluster and wire, to try to do a docker push, it would give me it would deny me access, and so we think this will give a much more secure environment for hosting your images.

A

So the google container registry is currently in beta. We only charge you for the raw, gcs storage cost and networking egress cost. So that means that, if you're running on google cloud, downloading images is free, you're only paying for the storage on the google cloud, storage, we're working on management, apis ui and we hope to be a general availability later this year and that's all I had thank you.