Klaus

Reputation: 1240

Kubernetes & Gitlab: How to store password for private registry?

I want to run my application that is hosted in a private container registry on a Kubernetes cluster. I followed the instructions here and created a secret like this:

kubectl create secret docker-registry regcred --docker-server=<your-registry-server> \
      --docker-username=<your-name> \
      --docker-password=<your-pword> \
      --docker-email=<your-email>

which is used in my deployment like this:

      containers:
      - image: registry.gitlab.com/xxxxx/xxxx
        name: dockerdemo
        resources: {}
      imagePullSecrets:
      - name: regcred

K8s is now able to pull the image from my private registry. Anyhow I don't feel comfortable that my user and password are stored in plain text in the cluster. Is there a better/more secure way to give the K8s cluster access to the registry maybe by a token?

Upvotes: 3

Views: 7195

Answers (2)

Klaus

Reputation: 1240

Since I am using Gitlab, the solution for me now is not to store my user credentials in Kubernetes. Instead I am using a Deploy Token that can be removed at any time and that only has access to the container registry.

The following steps are necessary here:

  • Open Gitlab and go to your project
  • Settings > Access Tokens > Add new token
  • Create a token with scope read_registry
  • Create secret in K8S: kubectl create secret docker-registry regcred --docker-server=registry.gitlab.com --docker-username=<token_username> --docker-password=<token> -n <kubernetes_namespace>

Thank you @Jonas for your links but this solution is what I was looking for.

Upvotes: 12
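As an added example (not code from the original answer or from GitLab), the following Python builds, offline, the same kubernetes.io/dockerconfigjson Secret that the kubectl command in the answer creates, and then decodes it again to show that the stored token is only base64-encoded, not protected, which is why the narrow read_registry scope and the revocability of the deploy token matter. Function names such as build_pull_secret and the placeholder credential values are assumptions for this example.

```python
import base64
import json


def build_dockerconfigjson(server: str, username: str, password: str) -> dict:
    """Return the .dockerconfigjson document that `kubectl create secret
    docker-registry` writes: per-registry username/password plus the
    base64("user:pass") 'auth' field that the kubelet sends to the registry."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"auths": {server: {"username": username, "password": password, "auth": auth}}}


def build_pull_secret(name: str, namespace: str, server: str,
                      username: str, password: str) -> dict:
    """Secret manifest equivalent to
    `kubectl create secret docker-registry <name> ... --dry-run=client -o json`."""
    cfg = json.dumps(build_dockerconfigjson(server, username, password))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(cfg.encode()).decode()},
    }


def recover_credentials(secret: dict) -> dict:
    """Decode the stored data back to plain credentials. Anyone allowed to
    `kubectl get secret -o json` in the namespace gets exactly this, so the
    credential placed here should be a revocable, registry-only token."""
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    server, entry = next(iter(cfg["auths"].items()))
    user, pw = base64.b64decode(entry["auth"]).decode().split(":", 1)
    return {"server": server, "username": user, "password": pw}


if __name__ == "__main__":
    # Constructed placeholder values, not real GitLab credentials.
    manifest = build_pull_secret("regcred", "<kubernetes_namespace>",
                                 "registry.gitlab.com",
                                 "<token_username>", "<token>")
    print(json.dumps(manifest, indent=2))
    print(recover_credentials(manifest))
```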

Jonas

Reputation: 128975

Anyhow I don't feel comfortable that my user and password are stored in plain text in the cluster. Is there a better/more secure way to give the K8s cluster access to the registry maybe by a token?

See Encrypting Secret Data at Rest for how to ensure that your Secrets are encrypted in etcd.

Alternatively you can consider using Vault to store secrets. See e.g. How Monzo bank security team handle secrets

Upvotes: 2
