Tech Made Simple

Using a private registry with Kubernetes

kubernetes/images/authn/private registry/artifactory

1- Specifying ImagePullSecrets directly on the pod spec:

# Option A: create the secret from registry credentials
kubectl create secret docker-registry my-registry-cred \
  --docker-server=[REGISTRY_URL] --docker-username=[REGISTRY_USERNAME] --docker-password=[REGISTRY_PASSWORD] --docker-email=[YOUR_EMAIL]

# Option B: create the same secret from an existing Docker config file (use one option, not both)
kubectl create secret generic my-registry-cred \
  --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
  --type=kubernetes.io/dockerconfigjson

# reference the secret in the pod spec
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: private
    image: docker.io/raddaoui/private-image:latest
  imagePullSecrets:
  - name: my-registry-cred
EOF
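
Both commands above store the same thing: a Secret of type kubernetes.io/dockerconfigjson whose .dockerconfigjson key is base64-encoded JSON, not encrypted data. The following is an added example, not code from the original article: it rebuilds that object and checks one (as printed by `kubectl get secret -o json`) for the usual reasons a pull still fails. The function names, registry.example.com and the credentials are constructed for illustration.

```python
import base64
import json

SECRET_TYPE = "kubernetes.io/dockerconfigjson"
DATA_KEY = ".dockerconfigjson"


def build_pull_secret(name, server, username, password, email=""):
    """Build the object that `kubectl create secret docker-registry` stores."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {server: {"username": username, "password": password,
                                 "email": email, "auth": auth}}}
    payload = base64.b64encode(json.dumps(config).encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": SECRET_TYPE, "data": {DATA_KEY: payload}}


def inspect_pull_secret(secret):
    """Return ({registry: username}, [problems]) without exposing passwords."""
    problems = []
    if secret.get("type") != SECRET_TYPE:
        problems.append(f"type is {secret.get('type')!r}, expected {SECRET_TYPE!r}")
    raw = secret.get("data", {}).get(DATA_KEY)
    if raw is None:
        return {}, problems + [f"data key {DATA_KEY!r} is missing"]
    try:
        config = json.loads(base64.b64decode(raw, validate=True))
    except ValueError as exc:  # bad base64 or bad JSON
        return {}, problems + [f"payload is not base64-encoded JSON: {exc}"]
    registries = {}
    for server, entry in config.get("auths", {}).items():
        user = entry.get("username")
        if not user and entry.get("auth"):
            try:
                user = base64.b64decode(entry["auth"]).decode().partition(":")[0]
            except ValueError:
                user = None
        if user:
            registries[server] = user
        else:
            # Typical of a config.json written by `docker login` with a credential
            # helper: the entry exists but holds no credentials to pull with.
            problems.append(f"no inline credentials for {server}")
    return registries, problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    good = build_pull_secret("my-registry-cred", "registry.example.com", "ci-bot", "s3cret")
    print(inspect_pull_secret(good))
```

Because the payload is only encoded, anyone allowed to read Secrets in the namespace can recover the registry password, so RBAC on the Secret is what protects it.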

2- Specifying ImagePullSecrets on the service account used by the pod:

# create service account or use default
kubectl create sa my-sa
# add image pull secret to the service account
kubectl patch sa my-sa -p '{"imagePullSecrets": [{"name": "my-registry-cred"}]}'
# create a pod that runs under the service account
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  serviceAccountName: my-sa
  containers:
  - name: private
    image: docker.io/raddaoui/private-image:latest
EOF
# verify that the image pull secret was added to the pod spec
kubectl get pod my-pod -o=jsonpath='{.spec.imagePullSecrets[0].name}{"\n"}'

3- Configuring the nodes with Docker credentials:

# create the secret in the kube-system namespace
kubectl create secret docker-registry my-registry-cred \
  --docker-server=[REGISTRY_URL] --docker-username=[REGISTRY_USERNAME] --docker-password=[REGISTRY_PASSWORD] --docker-email=[YOUR_EMAIL] \
  -n kube-system

# DaemonSet that copies the credentials to /var/lib/kubelet/config.json on every node;
# any pod scheduled on those nodes can then pull from the registry without an imagePullSecret
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: image-registry-creds-ds
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: image-reg
  template:
    metadata:
      labels:
        k8s-app: image-reg
    spec:
      containers:
      - name: reg-cred
        image: busybox
        command: [ 'sh' ]
        args: [ '-c', 'cp /conf/.dockerconfigjson /var/lib/kubelet/config.json && exec tail -f /dev/null' ]
        volumeMounts:
        - name: kubelet-config
          mountPath: /var/lib/kubelet
        - name: reg-cred
          mountPath: /conf/
      priorityClassName: system-node-critical
      volumes:
      - name: kubelet-config
        hostPath:
          path: /var/lib/kubelet
      - name: reg-cred
        secret:
          secretName: my-registry-cred
EOF

# the pod spec needs no imagePullSecrets
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: private
    image: docker.io/raddaoui/private-image:latest
EOF

Additional patterns

Tech consultant, digital nomad and fan of everything open source, smart and cloud native.
