K8s to pull private image from Github container registry (ghcr) using GITHUB_TOKEN

Question

Is it possible to pull private images in Github Container Registry using GITHUB_TOKEN?

If so, what do I need to configure in k8s?

Thanks!

Answer 1

Yes you can. You will have to create a secret object in your cluster.

kubectl create secret docker-registry ghcr-login-secret --docker-server=https://ghcr.io --docker-username=$YOUR_GITHUB_USERNAME --docker-password=$YOUR_GITHUB_TOKEN --docker-email=$YOUR_EMAIL

Note: Your credentials will become part of shell history, so be careful and remove the shell history afterwards.

This will internally create a dockerconfig.json with your provided values and generate a secret that will be used to authenticate with your registry.

You can then proceed to specify in your Pod specification that you are using a private registry and pass this secret as:

...
imagePullSecrets:
  - name: ghcr-login-secret
...

You can read more about external registry interfacing with Kubernetes here.

Answer 2

Ok, I've a better understanding of GITHUB_TOKEN.

GITHUB_TOKEN is for github internal usage for Actions etc generate docker image and push into github container registry.

In order for k8s to pull the image from github, we have to generate PAT which then to put added in k8s's secret.