Use Kubernetes with Artifactory Cloud

JFrog Artifactory Documentation
Products
JFrog Artifactory
Content Type
User Guide
ft:sourceType
Paligo

Follow this guide to configure your Kubernetes server with an Artifactory container registry, and be able to pull your images from a private Artifactory registry.

To integrate Artifactory with Kubernetes, you need:

  • An artifactory instance with a configured Docker repository: for more information, see Set Up a Docker Repository.

  • A Kubernetes cluster.

To configure Kubernetes to pull containers from a private Artifactory registry:

  1. For each relevant namespace, create a Kubernetes docker-registry secret for connecting to your Artifactory by running the following command:

    kubectl create secret docker-registry regcred \
--docker-server=<JFROG-HOSTNAME> \
--docker-username=<JFROG-USERNAME> \
--docker-password=<PASSWORD> \
--docker-email=<EMAIL> \
--namespace <NAMESPACE>

    Note

    Make sure to replace the placeholders with your actual user information: for security reasons, it is best to choose a dedicated user which is not your Artifactory admin and has minimal required permissions.

    Variable

    Description

    JFROG-HOSTNAME

    Your JFrog hostname URL

    JFROG-USERNAME

    Your JFrog account username

    PASSWORD

    Your secret or JFrog identity token. Note that you can edit the token scope to restrict access to Artifactory.

    EMAIL

    The email address associated with your JFrog account

    NAMESPACE

    Your Kubernetes cluster namespace

    For example:

    ➜  ~ kubectl create secret docker-registry regcred \
--docker-server=my-artifactory.jfrog.io \
--docker-username=read-only \
--docker-password=my-super-secret-pass \
--docker-email=johndoe@example.com \
--namespace my-app-ns

  2. Set up Kubernetes to use the secret to pull images for your workloads. You can do this either for all the workloads in your namespace, or for each workload separately.

    1. To set the secret as default to your namespace (recommended), run the following command to edit your Service Account object and add your secret name into the imagePullSecrets list attribute:

      Note

      Make sure to replace the placeholder with your actual Kubernetes namespace

      ➜  ~ kubectl edit serviceaccount default -n <NAMESPACE>
apiVersion: v1
kind: ServiceAccount
imagePullSecrets:
- name: regcred
...

    2. To add the secret to every workload separately, add it into your object manifests and helm charts, see the below example:

      apiVersion: apps/v1
kind: Deployment
...
spec:
  ...
  template:
    spec:
      containers:
      - image: my-artifactory.jfrog.io/default-docker-virtual/my-app:1.0.1
      imagePullSecrets:
      - name: regcred

  3. Test your configuration by running the following command:

    Note

    Make sure to replace the placeholder with your actual Kubernetes namespace

    ➜  ~ kubectl get pods -n <NAMESPACE>

    You should get the following response:

    NAME                        READY   STATUS    RESTARTS   AGE
my-app-57db67b7d5-nr8db   1/1     Running   0          5m

Amazon EKS Integration

If you are using Amazon EKS, you can use JFrog’s seamless integration with AWS AssumeRole which allows JFrog Artifactory to securely serve container images to EKS. For more information, see Empowering Kubernetes Security: JFrog’s Seamless Integration with AWS AssumeRole.

For more information about Artifactory and Kubernetes, see Kubernetes Helm Chart Repositories.