dhi: add guide to use in Kubernetes #23393
Merged
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| --- | ||
| title: Use a Docker Hardened Image in Kubernetes | ||
| linktitle: Use an image in Kubernetes | ||
| description: Learn how to use Docker Hardened Images in Kubernetes deployments. | ||
| keywords: use hardened image, kubernetes, k8s | ||
| weight: 35 | ||
| --- | ||
|
|
||
| {{< summary-bar feature_name="Docker Hardened Images" >}} | ||
|
|
||
| ## Authentication | ||
|
|
||
| To be able to use Docker Hardened Images in Kubernetes, you need to create a | ||
| Kubernetes secret for pulling images from your mirror or internal registry. | ||
|
|
||
| > [!NOTE] | ||
| > | ||
| > You need to create this secret in each Kubernetes namespace that uses a DHI. | ||
|
|
||
| Create a secret using a Personal Access Token (PAT). Ensure the token has at least | ||
| read-only access to private repositories. For Docker Hub replace `<registry server>` | ||
| with `docker.io`. | ||
|
|
||
| ```console | ||
| $ kubectl create -n <kubernetes namespace> secret docker-registry <secret name> --docker-server=<registry server> \ | ||
| --docker-username=<registry user> --docker-password=<access token> \ | ||
| --docker-email=<registry email> | ||
| ``` | ||
|
|
||
| To tests the secrets use the following command: | ||
|
|
||
| ```console | ||
| kubectl apply --wait -f - <<EOF | ||
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| name: dhi-test | ||
| namespace: <kubernetes namespace> | ||
| spec: | ||
| containers: | ||
| - name: test | ||
| image: <your-namespace>/dhi-bash:5 | ||
| command: [ "sh", "-c", "echo 'Hello from DHI in Kubernetes!'" ] | ||
| imagePullSecrets: | ||
| - name: <secret name> | ||
| EOF | ||
|
|
||
| ``` | ||
|
|
||
| Get the status of the pod by running: | ||
|
|
||
| ```console | ||
| $ kubectl get -n <kubernetes namespace> pods/dhi-test | ||
| ``` | ||
|
|
||
| The command should return the following result: | ||
|
|
||
| ```console | ||
| NAME READY STATUS RESTARTS AGE | ||
| dhi-test 0/1 Completed ... ... | ||
| ``` | ||
|
|
||
| If instead, the result is the following, there might be an issue with your secret. | ||
|
|
||
| ```console | ||
| NAME READY STATUS RESTARTS AGE | ||
| dhi-test 0/1 ErrImagePull 0 ... | ||
| ``` | ||
|
|
||
| Verify the output of the pod by running, which should return `Hello from DHI in Kubernetes!` | ||
|
|
||
| ```console | ||
| kubectl logs -n <kubernetes namespace> pods/dhi-test | ||
| ``` | ||
|
|
||
| After a successful test, the test pod can be deleted with the following command: | ||
|
|
||
| ```console | ||
| $ kubectl delete -n <kubernetes namespace> pods/dhi-test | ||
| ``` | ||
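Review bot: the test pod's `image: <your-namespace>/dhi-bash:5` carries no registry host, so for the mirror or internal registry this page targets the pull goes to the runtime's default registry (docker.io on most clusters) and the `docker-registry` secret created for `<registry server>` never matches it; suggest `image: <registry server>/<your-namespace>/dhi-bash:5` so the image reference and the secret agree (for Docker Hub, `<registry server>` is `docker.io`, consistent with the paragraph above the secret command). Two smaller points in the same hunk: the pod spec sets no `restartPolicy`, and the default `Always` restarts the container after `echo` exits, which is why the expected `Completed` row has to show `...` for RESTARTS and why the pod will cycle into CrashLoopBackOff; adding `restartPolicy: Never` under `spec:` keeps it at `Completed` with `0` restarts and lets the expected output state that value. Wording: "To tests the secrets use the following command:" should read "To test the secret, use the following command:", "Verify the output of the pod by running, which should return" should read "Verify the output of the pod by running the following command, which should return", and the `kubectl apply` and `kubectl logs` blocks drop the `$` prompt that the other console blocks use.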
Should we also explicitly state run as non root so we have a fail-fast safety net?
We could but I was trying to keep the spec as minimal as possible.
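The fail-fast safety net raised in the thread, as an added example that is not part of the pull request or the project's docs: the guide's test pod with a pod-level `securityContext.runAsNonRoot: true`. If the image would start its process as UID 0, the kubelet refuses to create the container (the pod shows `CreateContainerConfigError`) instead of silently running it as root. The `<...>` placeholders are the ones the guide already uses; the `<registry server>/` image prefix and `restartPolicy: Never` are additions made here so the pull matches the secret's registry and the pod stays `Completed` after `echo` exits.

```yaml
# Added example, not from the pull request: the guide's test pod with a
# fail-fast non-root check. With runAsNonRoot set, a container whose image
# would run as UID 0 is never started; the kubelet reports
# CreateContainerConfigError and `kubectl describe pod dhi-test` shows why.
apiVersion: v1
kind: Pod
metadata:
  name: dhi-test
  namespace: <kubernetes namespace>
spec:
  restartPolicy: Never            # addition: keep the pod at Completed, 0 restarts
  securityContext:
    runAsNonRoot: true            # pod-wide: every container must run as a non-zero UID
  containers:
    - name: test
      image: <registry server>/<your-namespace>/dhi-bash:5   # assumption: registry host prefixed
      command: [ "sh", "-c", "echo 'Hello from DHI in Kubernetes!'" ]
      securityContext:
        allowPrivilegeEscalation: false   # no setuid/capability gain inside the container
  imagePullSecrets:
    - name: <secret name>
```

Apply it with the same `kubectl apply --wait -f -` heredoc the guide uses. A `Completed` status with `0` restarts confirms both that the pull secret works and that the image runs as a non-root user; a `CreateContainerConfigError` status means the image's user resolved to root (or to a non-numeric user the kubelet cannot verify), which is exactly the failure this check is meant to surface before the workload runs.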