Private container registries

When you deploy a workload in Cloudfleet Kubernetes Engine (CFKE), you can pull container images from public or private container registries. This guide explains how to pull container images from private registries in CFKE.

CFKE has built-in support to pull images from AWS Elastic Container Registry or GCP Artifact Registry without using hardcoded credentials. For these services, you can authorize Cloudfleet-owned roles from GCP and AWS to pull images from your private registries.

AWS Elastic Container Registry

CFKE is already set up to assume an AWS IAM role owned by Cloudfleet. By authorizing this role in your AWS account, you allow CFKE to pull images from your private ECR repositories; CFKE assumes this role to authenticate to ECR.

To authorize the provider to access an ECR repository, create a repository policy on that ECR repository. The policy should look like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ECRRepositoryPolicy",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::CLOUDFLEET_AWS_ACCOUNT_ID:role/cfke-CLUSTER_ID"
      },
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}

Replace CLOUDFLEET_AWS_ACCOUNT_ID with the corresponding Cloudfleet AWS account ID based on your control plane region. The possible values are:

Control Plane Region       Cloudfleet AWS Account ID
europe-central-1a          902873844300
northamerica-central-1a    891376988818

Replace CLUSTER_ID with the cluster ID.
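As an added example (not part of the Cloudfleet documentation), the following Python builds the repository policy shown above for a given control-plane region and cluster ID, and audits an existing policy so you can confirm that it names only the expected cfke role and grants nothing beyond the two pull actions. The region names and account IDs are taken from the table above; the cluster IDs and the sample policies are constructed.

```python
import json

# Cloudfleet AWS account ID per control-plane region (values from the table above).
CLOUDFLEET_ACCOUNT_IDS = {
    "europe-central-1a": "902873844300",
    "northamerica-central-1a": "891376988818",
}
# The only ECR actions an image pull needs.
PULL_ACTIONS = {"ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"}


def cfke_role_arn(region: str, cluster_id: str) -> str:
    """ARN of the Cloudfleet-owned role for one cluster (cluster_id is yours)."""
    return f"arn:aws:iam::{CLOUDFLEET_ACCOUNT_IDS[region]}:role/cfke-{cluster_id}"


def build_policy(region: str, cluster_id: str) -> dict:
    """Generate the repository policy from the page for one cluster."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ECRRepositoryPolicy",
            "Effect": "Allow",
            "Principal": {"AWS": cfke_role_arn(region, cluster_id)},
            "Action": sorted(PULL_ACTIONS),
        }],
    }


def audit_policy(policy, region: str, cluster_id: str) -> list[str]:
    """Return findings for an existing repository policy (dict or JSON string):
    every Allow statement must name exactly the expected cfke role and grant
    only the pull actions. An empty list means the policy matches the page."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    expected = cfke_role_arn(region, cluster_id)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        for p in (aws if isinstance(aws, list) else [aws]):
            if p == "*" or (isinstance(p, str) and p.endswith(":root")):
                findings.append(f"{sid}: overly broad principal {p}")
            elif p != expected:
                findings.append(f"{sid}: unexpected principal {p}")
        actions = stmt.get("Action", [])
        extra = set(actions if isinstance(actions, list) else [actions]) - PULL_ACTIONS
        if extra:
            findings.append(f"{sid}: actions beyond image pull: {sorted(extra)}")
    return findings
```

Feed `audit_policy` the JSON returned by `aws ecr get-repository-policy` (its `policyText` field) to check a repository that is already configured.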

GCP Artifact Registry

To authorize CFKE to access Artifact Registry, grant the following principal the artifactregistry.reader role on the relevant Artifact Registry repository:

principal://iam.googleapis.com/projects/89014267864/locations/global/workloadIdentityPools/cfke/subject/CLUSTER_ID

Replace CLUSTER_ID with the cluster ID.

Other private registries

For private registries other than AWS ECR or GCP Artifact Registry, you need to create an image pull secret with your registry credentials. This applies to Docker Hub, GitHub Container Registry, GitLab Container Registry, self-hosted registries, and any other registry that requires authentication. For the full guide, see the Kubernetes documentation.

Creating an image pull secret

Create a secret containing your registry credentials:

kubectl create secret docker-registry my-registry-secret \
  --docker-server=REGISTRY_SERVER \
  --docker-username=USERNAME \
  --docker-password=PASSWORD \
  --docker-email=EMAIL

Replace the placeholders with your registry details:

  • REGISTRY_SERVER: The registry URL (e.g., https://index.docker.io/v1/ for Docker Hub, ghcr.io for GitHub, registry.gitlab.com for GitLab)
  • USERNAME: Your registry username
  • PASSWORD: Your registry password or access token
  • EMAIL: Your email address

Using the secret in your pods

Reference the secret in your pod specification:

apiVersion: v1
kind: Pod
metadata:
  name: my-app
spec:
  containers:
  - name: my-app
    image: my-registry.example.com/my-image:latest
  imagePullSecrets:
  - name: my-registry-secret