1
00:00:01,000 --> 00:00:05,720
In this lecture we will talk about securing images.

2
00:00:05,810 --> 00:00:11,870
We will start with the basics of image names and then work our way towards secure image repositories

3
00:00:12,320 --> 00:00:19,500
and how to configure your pods to use images from secure repositories. We deployed a number of different

4
00:00:19,500 --> 00:00:24,840
kinds of pods hosting different kinds of applications throughout this course, like web apps and databases

5
00:00:24,840 --> 00:00:27,260
and Redis cache, etc.

6
00:00:27,390 --> 00:00:29,580
Let's start with a simple pod definition file.

7
00:00:29,580 --> 00:00:36,610
Here we have used the nginx image to deploy an nginx container.

8
00:00:36,720 --> 00:00:38,890
Let's take a closer look at this image.

9
00:00:38,890 --> 00:00:47,640
The name is nginx. But what is this image and where is this image pulled from? This name follows

10
00:00:47,670 --> 00:00:50,900
Docker’s image naming convention. nginx

11
00:00:50,900 --> 00:00:54,320
here is the image or the repository name.

12
00:00:54,510 --> 00:00:58,690
When you say nginx, it's actually nginx/nginx.

13
00:00:58,700 --> 00:01:03,090
The first part stands for the user or account name.

14
00:01:03,360 --> 00:01:10,290
Like if you created an account on Docker Hub yourself, then the user account that you would get is the

15
00:01:10,290 --> 00:01:17,290
first part. If you don't provide an account name here, it assumes it to be the same as the repository

16
00:01:17,290 --> 00:01:17,830
name.

17
00:01:17,830 --> 00:01:25,030
Which in this case is nginx. If you were to create your own account and create your own repositories

18
00:01:25,030 --> 00:01:31,650
or images under it, then you would use a similar pattern. Now, where are these images stored and pulled

19
00:01:31,650 --> 00:01:37,920
from? Since we have not specified the location where these images are to be pulled from,

20
00:01:37,970 --> 00:01:46,150
it is assumed to be on Docker’s default registry, Docker Hub, the DNS name for which is docker.io.

21
00:01:46,150 --> 00:01:54,350
The registry is where all the images are stored. Whenever you create a new image or update an existing

22
00:01:54,350 --> 00:02:01,850
image, you push it to the registry, and every time anyone deploys this application it is pulled from that

23
00:02:01,850 --> 00:02:03,540
registry.

24
00:02:03,650 --> 00:02:06,320
There are many other popular registries as well.

25
00:02:07,800 --> 00:02:15,220
Google’s registry is at gcr.io, where a lot of Kubernetes related images are stored.

26
00:02:15,310 --> 00:02:22,600
These are all publicly accessible images that anyone can download and access. When you have applications

27
00:02:22,600 --> 00:02:26,260
built in-house that shouldn’t be made available to the public,

28
00:02:26,340 --> 00:02:30,270
hosting an internal private registry may be a good solution.

29
00:02:30,300 --> 00:02:38,010
Many cloud service providers such as AWS, Azure or GCP provide a private registry for your cloud account

30
00:02:38,130 --> 00:02:42,170
by default. On any of these solutions,

31
00:02:42,190 --> 00:02:46,910
be it on Docker Hub or Google’s registry, or your internal private registry,

32
00:02:46,990 --> 00:02:53,840
you may choose to make a repository private so that it can be accessed using a set of credentials. From

33
00:02:53,840 --> 00:03:00,950
a Docker perspective, to run a container using a private image, you first log in to your private registry

34
00:03:00,950 --> 00:03:08,240
using the docker login command, input your credentials, and once successful, run the application using the

35
00:03:08,240 --> 00:03:09,860
image from the private registry.

36
00:03:12,470 --> 00:03:17,960
Going back to our pod definition file, to use an image from our private registry

37
00:03:17,960 --> 00:03:23,690
we replace the image name with the full path to the one in the private registry.

38
00:03:23,690 --> 00:03:28,230
But how do we implement the authentication login part?

39
00:03:28,250 --> 00:03:33,790
How does Kubernetes get the credentials to access the private registry? Within Kubernetes,

40
00:03:33,800 --> 00:03:39,160
we know that the images are pulled and run by the Docker runtime on the worker node.

41
00:03:39,260 --> 00:03:45,170
How do you pass the credentials to the Docker runtime on the worker node? For that,

42
00:03:45,190 --> 00:03:49,330
we first create a secret object with the credentials in it.

43
00:03:49,390 --> 00:03:57,820
The secret is of type docker-registry and we name it regcred. docker-registry is a built-in secret

44
00:03:57,820 --> 00:04:02,260
type that was built for storing Docker credentials.

45
00:04:02,260 --> 00:04:08,860
We then specify the registry server name, the username to access the registry, the password and the email

46
00:04:08,860 --> 00:04:11,870
address of the user.

47
00:04:11,890 --> 00:04:19,540
We then specify the secret inside our pod definition file under the imagePullSecrets section. When

48
00:04:19,540 --> 00:04:26,140
the pod is created, Kubernetes, or the kubelet on the worker node, uses the credentials from the secret

49
00:04:26,320 --> 00:04:30,660
to pull images. Well, that's it for this lecture.

50
00:04:30,690 --> 00:04:35,860
Head over to the practice exercises section and practice working with secure images.
