Grant JWA Access to Private Registry¶
This guide will walk you through enabling Jupyter Web App (JWA) to create Notebooks using images pulled from a private registry.
What You'll Need¶
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing Kubernetes cluster.
- An existing Kubeflow deployment.
- A Docker ID and password.
Procedure¶
Log in to Docker:
root@rok-tools:~# docker login Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one. Username: user Password:
Logging in to Docker will create or update a
config.json
file that holds an authorization token. View the file and verify it has the correct format, based on the example output below:root@rok-tools:~# cat ~/.docker/config.json { "auths": { "https://index.docker.io/v1/": { "auth": "c3R...zE2" } } }
Create a Secret based on your existing Docker credentials:
root@rok-tools:~# kubectl create secret generic regcred \ > --from-file=.dockerconfigjson=.docker/config.json \ > --type=kubernetes.io/dockerconfigjson secret/regcred created
Inspect the Secret to verify that it was created:
root@rok-tools:~# kubectl get secret regcred --output=yaml
Go to your GitOps repository, inside your
rok-tools
management environment:root@rok-tools:~# cd ~/ops/deployments
Create a
PodDefault
using the previously created Secret asimagePullSecret
:apiVersion: kubeflow.org/v1alpha1 kind: PodDefault metadata: name: access-prv-registry spec: desc: Allow access to private registry selector: matchLabels: registry-pull-secret: "true" imagePullSecrets: - name: regcred # < -- Update this line with the name of your Secret.
Note
Notice the
selector.matchLabels
field, this PodDefault will be applied to every Pod that contains the labelregistry-pull-secret: "true"
in its spec. Jupyter Web App will now show this new PodDefault in the "Configurations" section.(Optional) If you want to make the PodDefault selected by default, edit
kubeflow/manifests/apps/jupyter/jupyter-web-app/upstream/overlays/deploy/patches/config-map.yaml
and append the above label, that is,registry-pull-secret
to the existingspawnerFormDefaults.configurations.value
list.Commit your changes:
root@rok-tools:~/ops/deployments# git commit -am "Allow pulling private images when creating Notebooks"
Note
You must also commit both
Secret
andPodDefault
in your GitOps repository.Apply the kustomization:
root@rok-tools:~/ops/deployments# rok-deploy --apply kubeflow/manifests/apps/jupyter/jupyter-web-app/upstream/overlays/deploy
Restart the JWA pod so that it "sees" the change in the
jupyter-web-app-config
ConfigMap:root@rok-tools:~/ops/deployments# kubectl delete pods -n kubeflow -l app.kubernetes.io/name=jupyter-web-app
Summary¶
You have successfully granted JWA access to your private registry.
What's Next¶
Check out the rest of the operations you can perform on your Kubeflow deployment.