How to Update Your Kubernetes Application Container Registry Before the Community Registry Change
As part of its ongoing effort to improve security and maintain the integrity of container images, the Kubernetes community periodically deprecates container image repositories. This means that applications running on Kubernetes clusters using the deprecated repositories will no longer receive updates or patches, and may be vulnerable to security risks.
To ensure that your applications continue to receive updates and remain secure, you need to update your application's container registry ahead of the community change. In this blog post, we will walk you through the steps to do this on Amazon EKS.
Step 1: Check Your Current Container Images
The first step is to check which container images are currently in use by your applications. You can do this using the following command:
kubectl get pods --all-namespaces -o jsonpath="{.items[*].spec.containers[*].image}" |tr -s '[[:space:]]' '\n' |sort |uniq -c | grep "k8s.gcr.io"
This command will show you a list of container images that are currently running on your Kubernetes cluster and are using the deprecated repositories.
Step 2: Get the DaemonSet for Your Application
Next, you need to get the DaemonSet for your application. You can do this using the following command:
kubectl get ds -n <namespace>
Replace <namespace> with the name of the namespace where your application is running.
Step 3: Edit the Image Registry
Once you have the DaemonSet for your application, you need to edit the registry its containers pull their image from. You can do this using the following command:
kubectl edit ds <name> -n <namespace>
Replace <name> with the name of your application's DaemonSet, and <namespace> with the name of the namespace where your application is running.
In the editor that opens, find the image field for each of your application's containers and change the registry in it from k8s.gcr.io to registry.k8s.io. Save and exit the editor.
Step 4: Check for Pods Running on Old Registry
Next, check whether there are any pods still running on the old registry. You can do this using the following command:
kubectl get pods --all-namespaces -o jsonpath="{.items[*].spec.containers[*].image}" |tr -s '[[:space:]]' '\n' |sort |uniq -c | grep "k8s.gcr.io"
This command will show you a list of container images that are still running on the deprecated repositories.
Step 5: Check for Pods Running on New Registry
Finally, check whether your application's pods are running on the new registry. You can do this using the following command:
kubectl get pods --all-namespaces -o jsonpath="{.items[*].spec.containers[*].image}" |tr -s '[[:space:]]' '\n' |sort |uniq -c | grep "registry.k8s.io"
This command will show you a list of container images that are now running on the new registry.
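The checks in Steps 1, 4 and 5 can be combined into one audit, shown here as an added example that is not from the original post: it also reads initContainers, matches k8s.gcr.io only as a literal registry prefix, and reports which pod uses each image. The function names, the jsonpath template and the sample pod lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit pod images for the legacy registry.
OLD_REGISTRY="k8s.gcr.io"
NEW_REGISTRY="registry.k8s.io"

# jsonpath template (an assumption of this example) that prints
# "namespace<TAB>pod<TAB>images"; unlike the commands in the post it also
# includes initContainers.
PODS_TEMPLATE='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.initContainers[*].image}{" "}{.spec.containers[*].image}{"\n"}{end}'

# Reads that format on stdin and prints, for every image pulled from the old
# registry: namespace, pod, current image, equivalent image on the new registry.
find_legacy_images() {
  awk -F'\t' -v old="$OLD_REGISTRY" -v new="$NEW_REGISTRY" '
    {
      n = split($3, images, " ")
      for (i = 1; i <= n; i++) {
        # Literal prefix match on "<registry>/": grep "k8s.gcr.io" treats the
        # dots as wildcards and also matches the string inside a mirror path.
        if (index(images[i], old "/") == 1)
          printf "%s\t%s\t%s\t%s\n", $1, $2, images[i],
                 new substr(images[i], length(old) + 1)
      }
    }'
}

# Constructed sample input, not real cluster output.
sample_pods() {
  printf 'kube-system\tkube-proxy-abcde\t k8s.gcr.io/kube-proxy:v1.24.0\n'
  printf 'default\tweb-1\tk8s.gcr.io/pause:3.6 registry.k8s.io/pause:3.9\n'
  printf 'default\tweb-2\t mirror.example/k8s.gcr.io/pause:3.6\n'
}

# Against a cluster:
#   kubectl get pods --all-namespaces -o jsonpath="$PODS_TEMPLATE" | find_legacy_images
sample_pods | find_legacy_images
```

An empty result after Step 3 means no running container or init container still references k8s.gcr.io.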
By following these steps, you can update your Kubernetes application's container registry ahead of the community change, ensuring that your application remains secure and up-to-date.