How to configure microk8s kubernetes to use private container's in https://hub.docker.com/?

Question

microk8s document "Working with a private registry" leaves me unsure what to do. The Secure registry portion says Kubernetes does it one way (no indicating whether or not Kubernetes' way applies to microk8), and microk8s uses containerd inside its implementation.

My YAML file contains a reference to a private container on dockerhub.

apiVersion: apps/v1 
kind: Deployment
metadata:
  name: blaw
spec:
  replicas: 1
  selector:
    matchLabels:
      app: blaw
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: blaw
    spec:
      containers:
        - image: johngrabner/py_blaw_service:v0.3.10
          name: py-transcribe-service

When I microk8s kubectl apply this file and do a microk8s kubectl describe, I get:

Warning  Failed     16m (x4 over 18m)     kubelet            Failed to pull image "johngrabner/py_blaw_service:v0.3.10": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/johngrabner/py_blaw_service:v0.3.10": failed to resolve reference "docker.io/johngrabner/py_blaw_service:v0.3.10": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

I have verified that I can download this repo from a console doing a docker pull command.

Pods using public containers work fine in microk8s.

The file /var/snap/microk8s/current/args/containerd-template.toml already contains something to make dockerhub work since public containers work. Within this file, I found

  # 'plugins."io.containerd.grpc.v1.cri".registry' contains config related to the registry
  [plugins."io.containerd.grpc.v1.cri".registry]

    # 'plugins."io.containerd.grpc.v1.cri".registry.mirrors' are namespace to mirror mapping for all namespaces.
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
        endpoint = ["https://registry-1.docker.io", ]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:32000"]
        endpoint = ["http://localhost:32000"]

The above does not appear related to authentication.

On the internet, I found instructions to create a secret to store credentials, but this does not work either.

microk8s kubectl create secret generic regcred --from-file=.dockerconfigjson=/home/john/.docker/config.json --type=kubernetes.io/dockerconfigjson

Answer 1

While you have created the secret you have to then setup your deployment/pod to use that secret in order to download the image. This can be achieved with imagePullSecrets as described on the microk8s document you mentioned.

Since you already created your secret you just have reference it in your deployment:

...
    spec:
      containers:
        - image: johngrabner/py_blaw_service:v0.3.10
          name: py-transcribe-service
        imagePullSecrets:
        - name: regcred
...

For more reading check how to Pull an Image from a Private Registry.