Feature: Kubernetes: Registry Admin

Stef Walter edited this page Aug 24, 2015 · 21 revisions

Search/List/Delete Images in Cluster Registry

Notes

  • Openshift, Origin and Atomic ship with a local image registry deployed as a service in the Kubernetes cluster.

Stories

Phillip J. Fry leads IT at a moderately sized firm. His company has a modest data center, and has deployed Atomic with Kubernetes as a way of scheduling containers in the data center.

Phillip gets a complaint that one of the containerized applications is out of date and not running the latest code. He wants to check that the required latest image tags are present.

Amy Wong is an admin and helps with the security of an Atomic cluster's hardware.

An audit of the images in the cluster shows that two images have been committed with secrets embedded in their layers. Amy wants to look at these images, their metadata, and then remove them from the cluster image registry.

Scruffy is the cluster janitor. It sucks to be Scruffy, but since the automated tooling at Planet Express has not yet been implemented ... he gets to clean up ancient docker image builds that the system has left around taking up space.

Workflows

Phillip: Search by Name, View Repository, View Tag

  • Phillip clicks the sidebar "Images" button.
  • He sees a paginated list of the images in the registry.
  • There is a search box above the paginated list.
  • He types the name of the image of his application component, and clicks Search.
  • Since there's only one result, and he typed the name exactly, he sees the repository details view.
  • The view contains:
    • Tags, identified by their name. For each one:
      • Its digest and hash of top layer
      • ImageStream that the tagged image is part of
        • Any nested tags of that ImageStream
      • The layers that make up the tag
  • Phillip can identify which tags are present and what their hashes are.

Amy: Search by Digest, Delete

  • Amy clicks the sidebar "Images" button.
  • Amy pastes a digest (or image id?) into the search box
    • TODO: Work out how she indicates that this is a digest or layer id
  • Because she typed a digest she only sees tags
  • Amy examines the list, and determines that she should delete them all
  • She clicks into quick delete mode.
  • Presses the trash icon next to each of them.

Scruffy: Delete stuff

  • Scruffy can delete whole repositories
  • Scruffy can delete tags
  • Scruffy can delete layers

Wireframes

... Wireframes incomplete ...

Implementation Notes and Technical Limitations

  • The registry is not an inherent part of Kubernetes but runs as a service in pods. So we should react intelligently if it's not running.
    • Perhaps offer to add it to the cluster if not present?
  • The Docker v2 REST Registry API is the basis for OpenShift's image registry.
  • A client certificate is necessary to access the image registry.
  • Three possible ways to connect to the image registry:
    • Reconfigure docker (and restart it) to do so
    • Look up the service endpoint and access that address directly
    • Via a REST proxy URL in the API Server
      https://localhost:8443/api/v1/proxy/namespaces/default/services/docker-registry:5000-tcp/v2/
  • Authenticating against the registry:
    • Registry doesn't seem to be listening on SSL
    • Without SSL, authenticating against the registry requires an HTTP Basic header carrying the token:
      Authorization: Basic B64(unused:token)
    • If listening on SSL, we may be able to use admin certs, but we lose the ability to use the REST proxy above.
    • Want to have a token for access. When logged in with a token, we can read it from the kube config.
      • However, when authenticated as system:admin no token is available.
        • Ensure the service account exists: openshift-infra/registry-admin with access system:image-pruner
        • Look up the token for this service account and use it
  • Image streams are sort of like docker repos
    • The images themselves can have UI tags
  • Need to find a key to correlate between the docker registry v2 API and the OpenShift API server's Kubernetes-style objects.
  • Search is harder to implement than just filtering client side.
  • Suggestion: Implement a docker repository v2 API.
    • Listing repositories, searching for them
    • Click on a repository to show info about it, and the repository it tracks.
  • Question: Does one ImageStream point to a single repository, or to multiple tags in multiple repositories?
  • ... Research incomplete ...
  • Can we search based on an image id? Can we find all images that have a given layer in their graph?
    • Used to implement searching for and deleting an image that had bad/private data in it.
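As an added example (not Cockpit's or OpenShift's own code), the sketch below talks to the registry v2 API through the API-server proxy URL and Basic "unused:token" header noted above, and indexes each tag by its manifest digest and layer digests so that Amy's "find every tag containing this layer" search can run client-side. The manifest samples, digests and the build_index helper are assumptions constructed for illustration; only the proxy path and header scheme come from the page.

```python
import base64
import json
import urllib.request

# Proxy path from the page: API server -> docker-registry service -> v2 API.
PROXY = "https://localhost:8443/api/v1/proxy/namespaces/default/services/docker-registry:5000-tcp/v2/"


def auth_header(token):
    """Registry expects HTTP Basic with an unused user name and the OpenShift token."""
    raw = base64.b64encode(("unused:" + token).encode()).decode()
    return {"Authorization": "Basic " + raw}


def registry_get(path, token, opener=urllib.request.urlopen):
    """GET a v2 API path through the proxy; returns (decoded JSON body, response headers)."""
    req = urllib.request.Request(PROXY + path, headers=auth_header(token))
    # Ask for schema 2 so layer digests match the blobs the registry stores.
    req.add_header("Accept", "application/vnd.docker.distribution.manifest.v2+json")
    with opener(req) as resp:
        return json.loads(resp.read().decode()), resp.headers  # headers: case-insensitive


def parse_manifest(manifest, headers):
    """Return image digest plus layer digests ordered base-first (so [-1] is the top layer)."""
    digest = headers.get("Docker-Content-Digest", "")
    if manifest.get("schemaVersion") == 2:
        layers = [layer["digest"] for layer in manifest.get("layers", [])]
    else:  # schema 1 lists fsLayers top-first, so reverse to base-first
        layers = [layer["blobSum"] for layer in reversed(manifest.get("fsLayers", []))]
    return {"digest": digest, "layers": layers, "top_layer": layers[-1] if layers else None}


def build_index(token, repos):
    """Walk repos -> tags -> manifests (network); index keyed by 'repo:tag' (assumed helper)."""
    index = {}
    for repo in repos:
        tags, _ = registry_get(repo + "/tags/list", token)
        for tag in tags.get("tags") or []:
            body, hdrs = registry_get(repo + "/manifests/" + tag, token)
            index[repo + ":" + tag] = parse_manifest(body, hdrs)
    return index


def find_by_digest(index, needle):
    """Client-side search: tags whose image digest or any layer digest equals needle."""
    return sorted(k for k, m in index.items() if needle == m["digest"] or needle in m["layers"])


def list_repositories(token):
    """Repositories known to the registry, via the v2 catalog endpoint (network)."""
    body, _ = registry_get("_catalog", token)
    return body.get("repositories", [])
```

Deleting a matched tag is a separate `DELETE /v2/<repo>/manifests/<digest>` against the same proxy path, which is why the index keeps the manifest digest rather than only the tag name.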

Prior Art

Docker Online

docker-registry-frontend: https://github.com/kwk/docker-registry-frontend/wiki/Features

Docker Registry Web

Shipway

Feedback

Please give feedback on the above! This is the place where those not working on the feature can provide insight, questions, limitations, notes etc.

  • ... (sign name)