Kubernetes and insecure registry

I am wondering whether it could work.

We have services FOO and BAR; they are running in the same cluster as the Docker registry. Let's imagine this cluster is for production, not for development.

We have a CI/CD system which is responsible for building images and pushing them to the Docker registry.

The Docker registry is used only in the Kubernetes private network; we won't push or pull images outside of the cluster, because... why should I do that?

|                                               |
|                           KUBERNETES          |
|    +-------+                                  |
|    | VCS   |          +----------+            |
|    |       <----------+          |            |
|    |       |          | CI/CD    |            |
|    +-------+  +-------+          |            |
|               |       +----------+            |
|               |                               |
|               |             +-----+           |
|      +--------v-----+ <-----+FOO  |           |
|      | INSECURE     |       +-----+           |
|      | DOCKER       |           +-------+     |
|      | REGISTRY     | <---------+BAR    |     |
|      +--------------+           +-------+     |

Is it possible to create a Docker registry with a self-signed certificate, and set up Kubernetes to trust this registry?

Or is this overhead, and is it better to just use a good certificate and go over the public network?

Where do you store production-ready Docker images, and where those for staging?


  • Well, this looks like a very theoretical question. The only question which could be answered unequivocally is:

    Is it possible to create a Docker registry with a self-signed certificate, and set up Kubernetes to trust this registry?

    Of course, you can deploy your own Docker registry, e.g. Artifactory or something else. You definitely can create a self-signed certificate and use it, as well as you can use a certificate issued by one of the Certificate Authorities (note that it could be free, via Let's Encrypt, for example). Moving forward, to trust the registry or not is not Kubernetes' task. It is the runtime's task, e.g. Docker or rkt. So, if you want to use a private registry, you will have to configure the runtime's client to work with your registry, no matter whether it is secure or not.

    Everything else is not so clear-cut as we might think. The only thing I want to say is: practice shows that if you are going to do something, you have to do it your way.
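The runtime-side configuration the answer refers to, as an added example that is not part of the original post: it creates a self-signed certificate whose SAN matches the in-cluster registry host, installs it as a per-registry trust anchor in the layout the Docker daemon reads (`/etc/docker/certs.d/<host:port>/ca.crt`), and checks that the anchor actually validates the certificate the registry will serve. The registry name `registry.default.svc:5000` and the function names are assumptions; `openssl` 1.1.1 or newer is assumed for `-addext`.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl >= 1.1.1.
set -eu

# Generate a self-signed certificate for the registry host.
# $1 = registry host (no port), $2 = output dir. Writes ca.key and ca.crt.
# The SAN must name the host used in image references, or the runtime
# rejects the TLS handshake even after the anchor is installed.
make_registry_cert() {
  host="$1"; out="$2"
  mkdir -p "$out"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$out/ca.key" -out "$out/ca.crt" \
    -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
  chmod 600 "$out/ca.key"   # private key stays on the registry side only
}

# Install the certificate as a trust anchor for exactly one registry.
# $1 = registry host:port, $2 = cert path, $3 = certs.d base (default Docker's).
# The directory name must match the registry reference used in image
# names, port included; this scopes trust to that one registry rather
# than adding the cert to the node's system CA store.
install_registry_ca() {
  registry="$1"; cert="$2"; base="${3:-/etc/docker/certs.d}"
  mkdir -p "$base/$registry"
  cp "$cert" "$base/$registry/ca.crt"
  chmod 644 "$base/$registry/ca.crt"
}

# Verify that the installed anchor validates the certificate the registry
# serves and that its SAN covers the registry host. Returns 0 on success.
# $1 = registry host:port, $2 = served cert path, $3 = certs.d base.
check_registry_trust() {
  registry="$1"; served="$2"; base="${3:-/etc/docker/certs.d}"
  host="${registry%%:*}"
  anchor="$base/$registry/ca.crt"
  [ -f "$anchor" ] || return 1
  openssl verify -CAfile "$anchor" "$served" >/dev/null 2>&1 || return 1
  openssl x509 -in "$served" -noout -ext subjectAltName 2>/dev/null \
    | grep -q "DNS:$host" || return 1
}
```

The anchor has to be present on every node that pulls images, since each node's runtime performs its own TLS verification; nodes running containerd instead of Docker read a different layout (`/etc/containerd/certs.d/<host:port>/hosts.toml`).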