apr_1985

Reputation: 1962

Automatically use secret when pulling from private registry

Is it possible to globally (or at least per namespace), configure kubernetes to always use an image pull secret when connecting to a private repo? There are two use cases:

  1. when a user specifies a container in our private registry in a deployment
  2. when a user points a Helm chart at our private repo (and so we have no control over the image pull secret tag).

I know it is possible to do this on a service account basis but without writing a controller to add this to every new service account created it would get a bit of a mess.

Is there a way to set this globally so if kube tries to pull from registry X it uses secret Y?

Thanks

Upvotes: 23

Views: 20393

Answers (2)

victortv

Reputation: 8942

As far as I know, usually the default serviceAccount is responsible for pulling the images. To easily add imagePullSecrets to a serviceAccount you can use the patch command:

kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "mySecret"}]}'

It's possible to use kubectl patch in a script that inserts imagePullSecrets on serviceAccounts across all namespaces.

If it's too complicated to manage multiple namespaces you can have a look at kubernetes-replicator, which syncs resources between namespaces.

Solution 2:
This section of the doc explains how you can set the private registry on a node basis:

Here are the recommended steps to configuring your nodes to use a private registry. In this example, run these on your desktop/laptop:

  1. Run docker login [server] for each set of credentials you want to use. This updates $HOME/.docker/config.json.
  2. View $HOME/.docker/config.json in an editor to ensure it contains just the credentials you want to use.
  3. Get a list of your nodes, for example:

    • If you want the names:
      nodes=$(kubectl get nodes -o jsonpath='{range.items[*].metadata}{.name} {end}')

    • If you want to get the IPs:
      nodes=$(kubectl get nodes -o jsonpath='{range .items[*].status.addresses[?(@.type=="ExternalIP")]}{.address} {end}')

  4. Copy your local .docker/config.json to one of the search paths listed above, for example:

    for n in $nodes; do scp ~/.docker/config.json root@$n:/var/lib/kubelet/config.json; done

Solution 3:
A (very dirty!) way I discovered to not need to set up an imagePullSecret on a deployment / serviceAccount basis is to:

  1. Set ImagePullPolicy: IfNotPresent
  2. Pull the image on each node
    2.1. manually using docker pull myrepo/image:tag.
    2.2. using a script or a tool like docker-puller to automate that process.

Well, I think I don't need to explain how ugly that is.

PS: If it helps, I found an issue on kubernetes/kops about the feature of creating a global configuration for private registry.

Upvotes: 28
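The patch in the first solution above replaces the whole imagePullSecrets list, so running it in a loop over namespaces can drop secrets someone else added or duplicate yours on a re-run. The following is an added example (not code from the answer or from any Kubernetes project) that builds the kubernetes.io/dockerconfigjson Secret, checks that a docker config.json only carries the registries you intend to distribute (step 2 of the node-based solution), and plans idempotent kubectl patch commands. The registry, user, secret and namespace names are constructed; the generated kubectl commands assume a working kubeconfig when you actually run them.

```python
"""Added example (not from the original answers): build a kubernetes.io/dockerconfigjson
pull Secret, check which registries a docker config.json carries, and plan idempotent
imagePullSecrets patches for the default ServiceAccount of every namespace."""
import base64
import json
import shlex
from typing import Dict, List, Optional


def docker_config_json(registry: str, username: str, password: str) -> dict:
    """Return the .docker/config.json structure for one registry credential.
    This is what `docker login` writes, what the kubelet reads from
    /var/lib/kubelet/config.json, and what a dockerconfigjson Secret wraps."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"auths": {registry: {"username": username, "password": password, "auth": auth}}}


def unexpected_registries(config: dict, allowed: List[str]) -> List[str]:
    """Registries with stored credentials that are not on the allow-list.
    Run this before copying config.json to nodes: every credential in the file
    becomes usable for pulls by every pod scheduled on those nodes."""
    return sorted(r for r in config.get("auths", {}) if r not in allowed)


def pull_secret_manifest(name: str, namespace: str, config: dict) -> dict:
    """Wrap a docker config in a Secret of type kubernetes.io/dockerconfigjson.
    The .dockerconfigjson key holds the base64 of the whole config file."""
    raw = json.dumps(config, separators=(",", ":")).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(raw).decode()},
    }


def decode_pull_secret(manifest: dict) -> dict:
    """Inverse of pull_secret_manifest, useful to verify a Secret before applying it."""
    return json.loads(base64.b64decode(manifest["data"][".dockerconfigjson"]))


def merged_pull_secrets(existing: List[dict], secret_name: str) -> List[dict]:
    """Return imagePullSecrets with secret_name present exactly once.
    A merge patch replaces the whole list, so patching blindly as in the answer
    would drop secrets other teams added, or duplicate ours on a re-run."""
    if any(s.get("name") == secret_name for s in existing):
        return list(existing)
    return list(existing) + [{"name": secret_name}]


def patch_command(namespace: str, sa: dict, secret_name: str) -> Optional[str]:
    """kubectl patch command for one ServiceAccount, or None when nothing changes."""
    existing = sa.get("imagePullSecrets") or []
    merged = merged_pull_secrets(existing, secret_name)
    if merged == existing:
        return None
    patch = json.dumps({"imagePullSecrets": merged})
    return "kubectl -n %s patch serviceaccount %s -p %s" % (
        shlex.quote(namespace), shlex.quote(sa["metadata"]["name"]), shlex.quote(patch))


def plan_patches(service_accounts: Dict[str, dict], secret_name: str) -> List[str]:
    """Commands needed so every namespace's default ServiceAccount references
    secret_name; namespaces that already do are skipped, so re-runs are no-ops."""
    commands = []
    for ns, sa in sorted(service_accounts.items()):
        cmd = patch_command(ns, sa, secret_name)
        if cmd:
            commands.append(cmd)
    return commands


# Constructed sample: what `kubectl get sa default -o json` might return in three
# namespaces (team-b already references our secret, team-a references another one).
SAMPLE_SERVICE_ACCOUNTS = {
    "team-a": {"metadata": {"name": "default"}, "imagePullSecrets": [{"name": "other-secret"}]},
    "team-b": {"metadata": {"name": "default"}, "imagePullSecrets": [{"name": "registry-cred"}]},
    "team-c": {"metadata": {"name": "default"}},
}

if __name__ == "__main__":
    cfg = docker_config_json("registry.example.com", "ci-bot", "s3cr3t")  # constructed values
    print(json.dumps(pull_secret_manifest("registry-cred", "team-a", cfg), indent=2))
    for cmd in plan_patches(SAMPLE_SERVICE_ACCOUNTS, "registry-cred"):
        print(cmd)
```

In practice you would feed plan_patches with the real output of kubectl get sa default -o json per namespace; only team-a and team-c get a command in the sample, and team-a keeps its existing other-secret entry instead of having it overwritten.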

Two simple questions: where are you running your k8s cluster? Where is your registry located? Here are a few approaches to your issue: https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry

Upvotes: -1
