Creating a private docker registry for Kubernetes

A Docker registry can be run easily as a container, using Docker itself:

docker run -d -p 5000:5000 --restart=always --name registry registry:2

However, this registry is served over plain HTTP and provides no authentication mechanism.

To solve this, the registry can instead be exposed through an Ingress that terminates TLS and enforces Basic Authentication:

kind: Service
apiVersion: v1
metadata:
  name: registry
spec:
  type: ClusterIP
  ports:
  - port: 5000
    targetPort: 5000
---
kind: Endpoints
apiVersion: v1
metadata:
  name: registry
subsets:
  - addresses:
      - ip: 192.168.1.2
    ports:
      - port: 5000
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: registry
  annotations:
    kubernetes.io/ingress.class: "nginx"

    # Necessary to prevent 413 errors
    nginx.ingress.kubernetes.io/proxy-body-size: "500m"
    nginx/client_max_body_size: 500m

    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: registry
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
spec:
  tls:
  - hosts:
    - registry.example.com
    secretName: registry
  rules:
  - host: registry.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: registry
          servicePort: 5000

Here, it is important to specify the maximum body size in the Ingress annotations, otherwise pushing image layers through the Ingress fails with 413 Request Entity Too Large errors.

Fixing UFW not blocking access to the registry

Taken from here

Modify the UFW configuration file /etc/ufw/after.rules and add the following rules at the end of the file:

# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16

-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN

-A DOCKER-USER -j ufw-user-forward

-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 172.16.0.0/12

-A DOCKER-USER -j RETURN
COMMIT
# END UFW AND DOCKER

Creating secret to pull images from the registry

microk8s.kubectl create secret generic registry-credentials \
  --from-file=.dockerconfigjson=/home/yourUser/.docker/config.json \
  --type=kubernetes.io/dockerconfigjson \
  --namespace=your-namespace
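As an added example that is not part of the original post, the script below builds the dockerconfigjson payload the secret carries from a single registry account (rather than copying a whole workstation config.json), creates the secret, and shows the Pod field that must reference it. The host registry.example.com comes from the manifest above; the user name, password and image name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: build the dockerconfigjson
# payload that the registry-credentials secret carries, create the secret
# from it, and reference it from a Pod. User, password and image name are
# constructed placeholders; secret name and namespace follow the post.

# JSON in the shape docker login writes to ~/.docker/config.json for one
# registry. "auth" is base64("user:password"); the kubelet reads it on pull.
make_dockerconfigjson() {
  registry="$1"; user="$2"; password="$3"
  auth=$(printf '%s:%s' "$user" "$password" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$registry" "$user" "$password" "$auth"
}

# Create the pull secret from a generated file, so it holds only the
# registry account and not the logins for unrelated registries that a
# workstation config.json may contain.
create_pull_secret() {
  registry="$1"; user="$2"; password="$3"; namespace="$4"
  tmp=$(mktemp) || return 1
  make_dockerconfigjson "$registry" "$user" "$password" > "$tmp"
  microk8s.kubectl create secret generic registry-credentials \
    --from-file=.dockerconfigjson="$tmp" \
    --type=kubernetes.io/dockerconfigjson --namespace="$namespace"
  rm -f "$tmp"
}

# A Pod in the same namespace must name the secret in imagePullSecrets
# (or have it attached to its ServiceAccount) for the pull to succeed.
pod_manifest() {
  image="$1"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: registry-pull-check
spec:
  imagePullSecrets:
  - name: registry-credentials
  containers:
  - name: app
    image: ${image}
EOF
}

# Stand-alone run only renders the artefacts; nothing contacts a cluster.
make_dockerconfigjson registry.example.com alice s3cret; echo
pod_manifest registry.example.com/myapp:1.0
```

Run `create_pull_secret registry.example.com alice s3cret your-namespace` on the MicroK8s host to create the secret from the generated file.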