/DOCS
Облачная платформаAdvanced

Using Third-Party Images

Эта статья полезна?
Язык статьи: Английский
Перевести

Third-party images are container images provided by organizations or individuals other than the official image repository and SWR image repository. These images typically contain custom applications, tools, or specific versions of OSs to meet particular service requirements. In a CCE standard or Turbo cluster, you can create workloads using third-party images pulled through secret authentication. For more information, see Using a Private Registry.

Prerequisites

If third-party images are used, the CCE standard or Turbo cluster must be able to access the network environment where the third-party image repository is deployed. The network access types include:

  • Private access: If the third-party image repository supports private access, consider the following scenarios:
    • If the third-party image repository is in the same VPC as the cluster, pods can directly pull images over the intranet without additional configurations.
    • If the third-party image repository and the cluster are in different VPCs in the same region, you can use a VPC peering connection to enable network connectivity between the two VPCs. Pods can then directly pull images over the intranet.
  • Public access: If the third-party image repository is accessible over the Internet, pods can pull images directly. In this case, ensure the pods can access the Internet using one of the following methods:
    Note

    Ensure sufficient bandwidth when pulling images over the Internet. Insufficient bandwidth may cause slow or failed image pulls.

    • In a standard or Turbo cluster, configure an SNAT rule to enable all pods in the cluster to access the Internet. After the configuration, pods can pull images directly over the Internet. For details, see Accessing the Internet from a Container.
    • In a standard cluster, bind an EIP to the node running the workload. This allows all workloads on that node to access the Internet.
  • Direct Connect or VPN: To use images from an on-premises image repository, use Direct Connect or VPN to connect the on-premises network to the cluster's VPC. Once the network environment is connected to the VPC, no additional configuration is needed.

Using the Console

To create a secret on the console and pull a third-party image to create a workload, follow these steps.

  1. Create a cluster secret to authenticate and pull images from a third-party repository if authentication is required.

    1. Log in to the CCE console.
    2. Click the name of the target cluster to access the cluster.
    3. In the navigation pane, choose ConfigMaps and Secrets. On the Secrets tab, click Create Secret.
    4. In the Create Secret dialog box, configure parameters based on Table 1. For more details, see Creating a Secret.

    Table 1 Parameters for creating a secret

    Parameter

    Example Value

    Description

    Name

    test

    Secret name.

    Enter up to 253 characters. Start and end with a lowercase letter or digit. Only lowercase letters, digits, hyphens (-), and periods (.) are allowed.

    Secret Type

    kubernetes.io/dockerconfigjson

    Secret type.

    The value is fixed at kubernetes.io/dockerconfigjson, indicating that the secret is used for authentication when third-party images are pulled.

    Data

    Image Repository Address: www.example.com

    Username: ssl

    Password: xxx

    • Image Repository Address: Enter the address of the third-party image repository.
    • Username: Enter the username for accessing the third-party image repository.
    • Password: Enter the password for accessing the third-party image repository.

  2. In the navigation pane, choose Workloads. In the upper right corner of the displayed page, click Create Workload. On the Create Workload page, set Image Name (Container Settings > Container Information > Basic Info) to the third-party image path. Select the secret created in 1 for Image Access Credential.

    Caution

    If you do not specify a domain name when entering a third-party image address, for example, nginx:latest, the image will be pulled from docker.io by default. To specify the default image pull address, configure the Modify Image Repository Configuration parameter in the container engine configuration of the node pool.

  3. Configure other parameters and click Create Workload. If the workload status is Running, the third-party image has been pulled.

Using kubectl

  1. Use kubectl to access the cluster. For details, see Accessing a Cluster Using kubectl.
  2. If the third-party image repository has an account and password, create a secret in the cluster as the identity credential for pulling images.

    1. Create a secret. The secret type is kubernetes.io/dockerconfigjson by default, which indicates that the secret is used for authentication when third-party images are pulled.
      kubectl create secret docker-registry test  -n default --docker-server=www.example.com --docker-username=ssl --docker-password=xxx --docker-email=example@123.com

      In the command, test indicates the secret name, default indicates the namespace where the secret is located, and other parameters are described in the following table.

      Table 2 Secret parameters

      Parameter

      Example Value

      Description

      docker-server

      www.example.com

      Enter the address of the third-party image repository.

      docker-username

      ssl

      Enter the username for accessing the third-party image repository.

      docker-password

      xxx

      Enter the password for accessing the third-party image repository.

      docker-email

      example@123.com

      Email address of the third-party image repository. This parameter is optional.

      Information similar to the following is displayed:

      secret/test created
    2. Check whether the secret has been created.
      kubectl get secret

      If the following information is displayed, the secret has been created:

      NAME             TYPE                             DATA   AGE
      default-secret   kubernetes.io/dockerconfigjson   1      41h
      paas.elb         cfe/secure-opaque                1      41h
      test             kubernetes.io/dockerconfigjson   1      16s

  3. Create a workload using a third-party image.

    1. Create a YAML file for creating a workload. In this example, the file name is deployment.yaml. You can change it as needed.
      vim deployment.yaml

      The file content is as follows:

      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: foo
        namespace: default
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: foo
        strategy:
          type: RollingUpdate
        template:
          metadata:
            labels:
              app: foo
          spec:
            containers:
            - image: www.example.com/janedoe/awesomeapp:v1    # Third-party image path
              imagePullPolicy: Always
              name: foo
            imagePullSecrets:
            - name: test    # Use the created secret for identity authentication when images are pulled.

      Caution

      If you do not specify a domain name when entering a third-party image address, for example, nginx:latest, the image will be pulled from docker.io by default. To specify the default image pull address, configure the Modify Image Repository Configuration parameter in the container engine configuration of the node pool.

    2. Create the workload.
      kubectl create -f deployment.yaml

      If information similar to the following is displayed, the workload is being created:

      deployment.apps/foo created
    3. Check the workload status.
      kubectl get deployment

      If all the pods of the workload are available, the workload has been created.

      NAME     READY   UP-TO-DATE   AVAILABLE   AGE
      foo      1/1     1            1           4m59s

Parent topic: Configuring a Workload
Поддержка Юридические документы
© 2026 Cloud.ru