I have built a 4 node kubernetes cluster running multi-container pods all running on CoreOS. The images come from public and private repositories. Right now I have to log into each node and manually pull down the images each time I update them. I would like be able to pull them automatically. I have tried running docker login on each server and putting the .dockercfg file in /root and /core I have also done the above with the .docker/config.json I have added secret to the kube master and added imagePullSecrets: name: docker.io to the Pod configuration file. When I create the pod i get the error message Error: image <user/image>:latest not found If I log in and run docker pull it will pull the image. I have tried this using docker.io and quay.io.

Reputation: 505

Pulling images from private registry in Kubernetes

I have built a 4 node kubernetes cluster running multi-container pods all running on CoreOS. The images come from public and private repositories. Right now I have to log into each node and manually pull down the images each time I update them. I would like be able to pull them automatically.

I have tried running docker login on each server and putting the .dockercfg file in /root and /core
I have also done the above with the .docker/config.json
I have added secret to the kube master and added imagePullSecrets:
- name: docker.io to the Pod configuration file.

When I create the pod i get the error message Error:

image <user/image>:latest not found

If I log in and run docker pull it will pull the image. I have tried this using docker.io and quay.io.

Upvotes: 49

Answers (7)

mati kepa

Reputation: 3191

go the easy way, do not forget to define --type and add it to proper namespace

kubectl create secret generic YOURS-SECRET-NAME \
--from-file=.dockerconfigjson=$HOME/.docker/config.json \
--type=kubernetes.io/dockerconfigjson

Upvotes: 0

MagMax

Reputation: 2683

The easiest way to create the secret with the same credentials that your docker configuration is with:

kubectl create secret generic myregistry --from-file=.dockerconfigjson=$HOME/.docker/config.json

This already encodes data in base64.

If you can download the images with docker, then kubernetes should be able to download them too. But it is required to add this to your kubernetes objects:

spec:
  template:
    spec:
      imagePullSecrets:
      - name: myregistry
      containers:
      # ...

Where myregistry is the name given in the previous command.

Upvotes: 1

delfer

Reputation: 544

I can confirm that imagePullSecrets not working with deployment, but you can

kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
kubectl edit serviceaccounts default

Add

imagePullSecrets:
- name: myregistrykey

To the end after Secrets, save and exit. And its works. Tested with Kubernetes 1.6.7

Upvotes: 11

Rob

Reputation: 2456

Kubernetes supports a special type of secret that you can create that will be used to fetch images for your pods. More details here.

Upvotes: 9

Chief

Reputation: 1261

To add to what @rob said, as of docker 1.7, the use of .dockercfg has been deprecated and they now use a ~/.docker/config.json file. There is support for this type of secret in kube 1.1, but you must create it using different keys/type configuration in the yaml:

First, base64 encode your ~/.docker/config.json:

cat ~/.docker/config.json | base64 -w0

Note that the base64 encoding should appear on a single line so with -w0 we disable the wrapping.

Next, create a yaml file: my-secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: registrypullsecret
data:
  .dockerconfigjson: <base-64-encoded-json-here>
type: kubernetes.io/dockerconfigjson

$ kubectl create -f my-secret.yaml && kubectl get secrets

NAME                  TYPE                                  DATA
default-token-olob7   kubernetes.io/service-account-token   2
registrypullsecret    kubernetes.io/dockerconfigjson        1

Then, in your pod's yaml you need to reference registrypullsecret or create a replication controller:

apiVersion: v1
kind: Pod
metadata:
  name: my-private-pod
spec:
  containers:
    - name: private
      image: yourusername/privateimage:version
  imagePullSecrets:
    - name: registrypullsecret

Upvotes: 96

Bcf Ant

Reputation: 1749

If you need to pull an image from a private Docker Hub repository, you can use the following.

Create your secret key

kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL

secret "myregistrykey" created.

Then add the newly created key to your Kubernetes service account.

Retrieve the current service account

kubectl get serviceaccounts default -o yaml > ./sa.yaml

Edit sa.yaml and add the ImagePullSecret after Secrets

imagePullSecrets:
- name: myregistrykey

Update the service account

kubectl replace serviceaccount default -f ./sa.yaml

Upvotes: 38

Jane

Reputation: 707

For centos7, the docker config file is under /root/.dockercfg

echo $(cat /root/.dockercfg) | base64 -w 0

Copy and paste result to secret YAML based on the old format:

apiVersion:  v1
kind: Secret
metadata:
  name: docker-secret
  type: kubernetes.io/dockercfg
data:
  .dockercfg: <YOUR_BASE64_JSON_HERE>

And it worked for me, hope that could also help.

Upvotes: 3

Pulling images from private registry in Kubernetes

Answers (7)

Related Questions