Pull an Image from a Private Registry




[Refer To] https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

Kubernetes

This page shows how to create a Pod that uses a Secret to pull an image from a private container image registry or repository. There are many private registries in use. This task uses Docker Hub as an example registry.

Log in to Docker Hub

First, log in to your private registry with:

Bash
docker login

View the config.json file:

Bash
cat ~/.docker/config.json

The output should contain a section similar to this:

JSON
{
    "auths": {
        "https://your.private.registry.example.com/": {
            "auth": "s9a...Ou1"
        }
    }
}

Create a Secret based on existing credentials

A Kubernetes cluster uses a Secret of type kubernetes.io/dockerconfigjson to authenticate with a container registry when pulling a private image.

If you already ran docker login, you can copy that credential into Kubernetes:

Bash
kubectl create secret generic regcred \
    --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
    --type=kubernetes.io/dockerconfigjson

NOTE: By default, Secrets are stored in the default namespace. If you want to use the Secret in another namespace, first switch to that namespace, then run the above command to create the Secret there.

TIP: You can use kubectl delete secret <secret-name> if you want to delete the existing secret.

Create a Secret by providing credentials on the command line

Create this Secret, naming it regcred:

Bash
kubectl create secret docker-registry regcred \
    --docker-server=<your-registry-server> \
    --docker-username=<your-name> \
    --docker-password=<your-pword> \
    --docker-email=<your-email>

Inspecting the Secret regcred

Bash
kubectl get secret regcred --output=yaml

The output is similar to this:

YAML
apiVersion: v1
kind: Secret
metadata:
  ...
  name: regcred
  ...
data:
  .dockerconfigjson: eyJodHRwczovL2luZGV4L ... J0QUl6RTIifX0=
type: kubernetes.io/dockerconfigjson

The value of the .dockerconfigjson field is a base64 representation of your Docker credentials.

To understand what is in the .dockerconfigjson field, convert the secret data to a readable format:

Bash
kubectl get secret regcred --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode

The output is similar to this:

JSON
{"auths":{"your.private.registry.example.com":{"username":"user","password":"xxxxxxxxxxx","email":"<your-email>","auth":"s9a...Ou1"}}}

To understand what is in the auth field, convert the base64-encoded data to a readable format:

Bash
echo "s9a...Ou1" | base64 --decode

The output, username and password concatenated with a :, is similar to this:

Bash
user:xxxxxxxxxxx

Notice that the Secret data contains an authorization token similar to the one in your local ~/.docker/config.json file.

You have successfully set your Docker credentials as a Secret called regcred in the cluster.
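
The two base64 layers walked through above can also be checked without printing the password to the terminal. The following is an added example, not code from this page or from the Kubernetes project; the function names and the sample credentials are assumptions constructed for illustration. It builds a .dockerconfigjson value, then decodes both layers and reports only the username, the password length, and whether the auth token agrees with the username and password fields.

```python
import base64
import json


def build_dockerconfigjson(server, username, password):
    """Build the base64 value stored under data['.dockerconfigjson']."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    doc = {"auths": {server: {"username": username,
                              "password": password,
                              "auth": auth}}}
    return base64.b64encode(json.dumps(doc).encode()).decode()


def inspect_dockerconfigjson(b64_value):
    """Decode both base64 layers and summarise each registry entry.

    The password is never returned: only its length and whether the
    auth token agrees with the separate username/password fields.
    """
    doc = json.loads(base64.b64decode(b64_value))
    summary = {}
    for server, entry in doc.get("auths", {}).items():
        # auth is base64("username:password"); split on the FIRST colon
        # only, because the password itself may contain colons.
        decoded = base64.b64decode(entry.get("auth", "")).decode()
        user, sep, password = decoded.partition(":")
        summary[server] = {
            "username": user,
            "password_length": len(password),
            "well_formed": bool(sep and user and password),
            "matches_fields": (
                entry.get("username", user) == user
                and entry.get("password", password) == password
            ),
        }
    return summary


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    value = build_dockerconfigjson(
        "your.private.registry.example.com", "user", "p:ss:word")
    for server, info in inspect_dockerconfigjson(value).items():
        print(server, info)
```

To inspect a real Secret, pass the string printed by the jsonpath command above (before the base64 --decode step) to inspect_dockerconfigjson.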