Using IBM Cloud Container Registry (ICR)

    • Install and configure the IBM Cloud CLI.
    • Install the CLI plug-in for the IBM Cloud Container Registry by running the command .
    • Create a namespace in ICR with the command ibmcloud cr namespace-add <my_namespace>, replace <my_namespace> with your preferred name.

    Note: The is different from the Kubeflow Profile namespace. The ICR namespace is used to group container images stored in ICR, while a Kubeflow Profile namespace is a group of all Kubernetes clusters owned by a user.

    As a Kubernetes cluster uses the Secret of docker-registry type to authenticate with a container registry to pull a private image, it needs an image pull secret to pull container images from IBM Cloud Container Registry. You can use the default image pull secret set up by the cluster or your account’s IAM API key.

    By default, the IBM Cloud Kubernetes cluster is set up to pull images from only your account’s namespace in IBM Cloud Container Registry by using the secret all-icr-io in the default namespace. A cluster admin can copy this secret to any Kubernetes namespace used as Kubeflow profile. For example, run below command to copy the secret all-icr-io to the anonymous namespace:

    Once this secret is ready in your Kubeflow profile, a data scientist can use it to pull container images from ICR.

    You will need an IBM Cloud IAM API Key to work with ICR if you:

    1. Have no access to the default image pull secret all-icr-io from the namespace.
    2. Need customized IAM policy by using a separate IAM service ID.

    If you don’t have an IBM Cloud IAM API Key, follow the official guide .

    Once you get your IBM Cloud IAM API Key, run the following command:

    Notes:

    • <my_namespace>: your namespace to use with ICR to create an image pull secret.
    • <ibm_cloud_iam_api_key>: your IBM Cloud API Key.
    • <secret_name>: a unique name for the pull image secret, such as us-icr-io, for example.
    • <registry_domain_name>: the image registry where your registry namespace is set up. Use regional domain name when storing container images in specific region, such as us.icr.io when using region en-us and uk.icr.io when using region . See full list of regional domain names from the About IBM Cloud Container Registry page.

    When a namespace is created for Kubeflow with its profile controller, a default service account default-editor is created in that namespace. Before creating a Notebook Server, run following command to patch the service account. Replace <secret_name> with the ICR pull image secret name and <my_namespace> with the Kubeflow profile namespace.

    Replace <my_namespace> with your namespace then run below command to patch the service account with this image pull secret:

    The service account should be updated. Then, when you create the Notebook Server through Kubeflow dashboard, you should be able to choose a Custom Image. Afterwards, set the notebook image path from the ICR as follows: