Reputation: 131
I have a private docker registry hosted on gitlab and I would like to use this repository to pull images for my local kubernetes cluster:
    NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
    service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   68m

K8s is on v1.22.5 and is a single-node cluster that comes 'out of the box' with Docker Desktop. I have already built and deployed an image to the gitlab container registry registry.gitlab.com. What I have done already:
    docker login -u <username> -p <password> registry.gitlab.com

~/.docker/config.json file to the following:

    {
        "auths": {
            "registry.gitlab.com": {}
        },
        "credsStore": "osxkeychain"
    }

    apiVersion: v1
    kind: Secret
    metadata:
      name: registry-key
    data:
      .dockerconfigjson: <base-64-encoded-.config.json-file>
    type: kubernetes.io/dockerconfigjson

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: test-deployment
      labels:
        app: test-app
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: test-app
      template:
        metadata:
          labels:
            app: test-app
        spec:
          imagePullSecrets:
          - name: registry-key
          containers:
          - name: test-app
            image: registry.gitlab.com/<image-name>:latest
            imagePullPolicy: Always
            ports:
            - containerPort: 80
The deployment is created successfully but upon inspection of the pod (kubectl describe pod) I find the following events:

    Events:
      Type     Reason     Age                From               Message
      ----     ------     ----               ----               -------
      Normal   Scheduled  21s                default-scheduler  Successfully assigned default/test-deployment-87b5747b5-xdsl9 to docker-desktop
      Normal   BackOff    19s                kubelet            Back-off pulling image "registry.gitlab.com/<image-name>:latest"
      Warning  Failed     19s                kubelet            Error: ImagePullBackOff
      Normal   Pulling    7s (x2 over 20s)   kubelet            Pulling image "registry.gitlab.com/<image-name>:latest"
      Warning  Failed     7s (x2 over 19s)   kubelet            Failed to pull image "registry.gitlab.com/<image-name>:latest": rpc error: code = Unknown desc = Error response from daemon: Head "https://registry.gitlab.com/v2/<image-name>/manifests/latest": denied: access forbidden
      Warning  Failed     7s (x2 over 19s)   kubelet            Error: ErrImagePull

Please provide any information that might be causing these errors.
Upvotes: 5
Views: 16360
Reputation: 192
Sorry for rolling this out again so late, but I keep getting the Error: ErrImagePull with additional info from kubectl describe pod that says failed to authorize: failed to fetch anonymous token: unexpected status: 403 Forbidden.
I tried the answers above and they do not lead to a working state. :(
Pushing to GitLab Registry after the build works. I tried different personal access tokens with different rights assigned, but I keep getting this error...
Upvotes: 1
Reputation: 131
I managed to solve the issue by editing the default config.json produced by $ docker login:

    {
        "auths": {
            "registry.gitlab.com": {}
        },
        "credsStore": "osxkeychain"
    }

becomes

    {
        "auths": {
            "registry.gitlab.com": {
                "auth": "<access-token-in-plain-text>"
            }
        }
    }

Thanks Bala for suggesting this in the comments. I realise storing the access token in plain text in the file may not be secure but this can be changed to use a path if needed.
I also created the secret as per OzzieFZI's suggestion:

    $ kubectl create secret docker-registry registry-key \
        --docker-server=registry.gitlab.com \
        --docker-username=<username> \
        --docker-password="$(cat /path/to/token.txt)"

Upvotes: 6
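
The failure mode in this answer, as an added example that is not part of the original post: a Python check that decodes a `.dockerconfigjson` secret value and says whether it actually carries credentials for the registry. The function names and sample values are constructed for illustration, and it assumes the Docker config format in which `auth` is the base64 of `username:password`.

```python
import base64
import json

REGISTRY = "registry.gitlab.com"


def audit_dockerconfigjson(b64_value, registry=REGISTRY):
    """Return None if the secret value can authenticate to `registry`, else the reason."""
    try:
        cfg = json.loads(base64.b64decode("".join(b64_value.split()), validate=True))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        return f"secret value is not base64-encoded JSON: {exc}"
    if not isinstance(cfg, dict):
        return "decoded secret is not a JSON object"
    helper = "credsStore" in cfg or "credHelpers" in cfg
    entry = (cfg.get("auths") or {}).get(registry)
    if entry is None:
        return f"no auths entry for {registry}"
    if entry.get("username") and entry.get("password"):
        return None
    if not entry.get("auth"):
        why = f"auths entry for {registry} carries no credentials"
        if helper:
            # The helper (e.g. osxkeychain) lives on the workstation, not on the node.
            why += "; they are held by a credential helper on the machine that ran docker login"
        return why
    try:
        user, sep, secret = base64.b64decode(entry["auth"], validate=True).decode().partition(":")
    except ValueError:
        return "auth is not valid base64"
    if not (user and sep and secret):
        return "auth does not decode to username:password"
    return None


def encode_cfg(cfg):
    """Encode a config dict the way it is stored under .dockerconfigjson."""
    return base64.b64encode(json.dumps(cfg).encode()).decode()


# Constructed samples: the config.json from the question, and one with placeholder credentials.
KEYCHAIN_CFG = encode_cfg({"auths": {REGISTRY: {}}, "credsStore": "osxkeychain"})
INLINE_CFG = encode_cfg({"auths": {REGISTRY: {
    "auth": base64.b64encode(b"example-user:example-token").decode()}}})

if __name__ == "__main__":
    for name, value in (("keychain", KEYCHAIN_CFG), ("inline", INLINE_CFG)):
        print(name, audit_dockerconfigjson(value) or "ok")
```

The value to check can be read from the cluster with `kubectl get secret registry-key -o jsonpath='{.data.\.dockerconfigjson}'`.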
Reputation: 112
What password do you use?
Confirm if you are using a Personal Access Token with read/write access to the container registry. Your username should be the gitlab username. I would suggest creating the docker registry secret using kubectl and a txt file with the token as the content; this way you do not have to encode the dockerconfigjson yourself. Here is an example.

    $ kubectl create secret docker-registry registry-key \
        --docker-server=registry.gitlab.com \
        --docker-username=<username> \
        --docker-password="$(cat /path/to/token.txt)"

See documentation on the command here
Upvotes: 3