Using Private Registries with Kubernetes

Deploying private container images

09 Dec 2023

ยท

Kubernetes devops

Table of contents

While the public docker registry provides a overwhelming amount of publicly-accessible images, you will likely want to deploy a private or customized image at some point. Depending on what you want

Creating an auth secret from a previous Docker login

If you have previously logged your local device into the docker registry with docker login, you can reuse this configuration directly without doing any changes. The login information is stored in the file ~/.docker/config.json, which you can use to create the authentication secret:

kubectl create secret generic regcred \
--from-file=.dockerconfigjson=<path/to/.docker/config.json> \
--type=kubernetes.io/dockerconfigjson

This creates a Secret called regcred that you can use to pull private images. Be aware that this file contains all logins to registries you have authenticated to.

Creating an auth secret from kubectl

As an alternative to reusing a local docker login config file, you can create an authentication secret for a container registry directly from kubernetes using kubectl:

kubectl create secret docker-registry regcred \
--docker-server=<your-registry-server> \
--docker-username=<your-username> \
--docker-password=<your-password> \
--docker-email=<your-email>

This approach should also have created a Secret named regcred.

Checking the authentication secret

To ensure the previous steps worked properly, you can inspect the secret and ensure the data is correct:

kubectl describe secret regcred

Should produce output similar to this:

Name:        regcred
Namespace:   default
Labels:      <none>
Annotations: <none>

Type: kubernetes.io/dockerconfigjson

Data
====
.dockerconfigjson: 135 bytes

To check if the login information is correct, you can use print a decoded JSON version of it:

kubectl get secret regcred --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode

Deploying an image from a private registry

Now that authentication has been set up, a Pod can use the regcred Secret to authenticate by supplying it's name under the imagePullSecrets yaml key:

apiVersion: v1
kind: Pod
metadata:
  name: my-private-pod
spec:
  containers:
  - name: my-private-container
    image: <my-private-image>
  imagePullSecrets:
  - name: regcred

The regcred Secret can be reused for any number of pods and images. If you need multiple logins to different (or even the same) container registry, make sure to change the names accordingly to prevent conflicts.

More articles

Setting up Longhorn for Persistent Kubernetes Volumes

Setting up Longhorn for Persistent Kubernetes Volumes

Enabling highly-available storage

Installing ingress-nginx on K3S

Installing ingress-nginx on K3S

Setting up the default ingress controller

Passing by Reference in PHP

Passing by Reference in PHP

Sharing variables instead of their values

The downsides of source-available software licenses

The downsides of source-available software licenses

And how it differs from real open-source licenses

Configure linux debian to boot into a fullscreen application

Configure linux debian to boot into a fullscreen application

Running kiosk-mode applications with confidence

How to use ansible with vagrant environments

How to use ansible with vagrant environments

Painlessly connect vagrant infrastructure and ansible playbooks