Is there a way to configure docker hub pro user in kubernetes?

Question

We've just bought a docker hub pro user so that we don't have to worry about pull rate limits.

Now, I'm currently having a problem trying to to set the docker hub pro user. Is there a way to set the credentials for hub.docker.com globally?

In the kubernetes docs I found following article: Kubernetes | Configure nodes for private registry

On every node I executed a docker login with the credentials, copied the config.json to /var/lib/kubelet and restarted kubelet. But I'm still getting an ErrImagePull because of those rate limits.

I've copied the config.json to the following places:

• /var/lib/kubelet/config.json
• /var/lib/kubelet/.dockercfg
• /root/.docker/config.json
• /.docker/config.json

There is an option to use a secret for authentification. The problem is, that we would need to edit hundreds of statefulsets, deployments and deamonsets. So it would be great to set the docker user globally.

Here's the config.json:

{
        "auths": {
                "https://index.docker.io/v1/": {
                        "auth": "[redacted]"
                }
        },
        "HttpHeaders": {
                "User-Agent": "Docker-Client/19.03.13 (linux)"
        }
}

To check if it actually logs in with the user I've created an access token in my account. There I can see the last login with said token. The last login was when I executed the docker login command. So the images that I try to pull aren't using those credentials.

Any ideas?

Thank you!

Answer 1

I ran into the same problem as OP. It turns out, putting docker credential files for kubelet works for kubernetes version 1.18 or higher. I have tested here and can confirm that kubelet 1.18 picks up the config.json placed in /var/lib/kubelet correctly and authenticates the docker registry.

Answer 2

We use docker-registry as a proxy cache in our Kubernetes clusters, Docker Hub credentials may be set in the configuration. Docker daemons on Kubernetes nodes are configured to use the proxy by setting registry-mirror in /etc/docker/daemon.json.

This way, you do not need to modify any Kubernetes manifest to include pull secrets. Our complete setup is described in a blog post.

Answer 3

Kubernetes implements this using image pull secrets. This doc does a better job at walking through the process.

Using the Docker config.json:

kubectl create secret generic regcred \
    --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
    --type=kubernetes.io/dockerconfigjson

Or you can pass the settings directly:

kubectl create secret docker-registry <name> --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL

Then use those secrets in your pod definitions:

apiVersion: v1
kind: Pod
metadata:
  name: foo
  namespace: awesomeapps
spec:
  containers:
    - name: foo
      image: janedoe/awesomeapp:v1
  imagePullSecrets:
    - name: myregistrykey

Or to use the secret at a user level (Add image pull secret to service account)

1. kubectl get serviceaccounts default -o yaml > ./sa.yaml

2. open the sa.yaml file, delete line with key resourceVersion, add lines with imagePullSecrets: and save.

   kind: ServiceAccount
   metadata:
     creationTimestamp: "2020-11-22T21:41:53Z"
     name: default
     namespace: default
     selfLink: /api/v1/namespaces/default/serviceaccounts/default
     uid: afad07eb-f58e-4012-9ccf-0ac9762981d5
   secrets:
   - name: default-token-gkmp7
   imagePullSecrets:
   - name: regcred
   
   

3. Finally replace the serviceaccount with the new updated sa.yaml file kubectl replace serviceaccount default -f ./sa.yaml