Using Private Registries with Kubernetes

While the public Docker registry provides an overwhelming number of publicly accessible images, you will likely want to deploy a private or customized image at some point. Depending on what you want

Creating an auth secret from a previous Docker login

If you have previously logged your local device into the Docker registry with docker login, you can reuse this configuration directly without making any changes. The login information is stored in the file ~/.docker/config.json, which you can use to create the authentication secret:

kubectl create secret generic regcred \
--from-file=.dockerconfigjson=<path/to/.docker/config.json> \
--type=kubernetes.io/dockerconfigjson

This creates a Secret called regcred that you can use to pull private images. Be aware that this file contains the logins for every registry you have authenticated to, so the Secret will contain all of them.
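Because the whole file ends up in the Secret, it is worth checking which logins it holds and cutting it down to the one registry the cluster needs. The following is an added example, not code from the original article; the sample config, registry names and credentials are constructed, and the function names are hypothetical:

```python
import base64
import json

# Constructed sample of ~/.docker/config.json; registries and credentials are made up.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "registry.example.com": {"auth": base64.b64encode(b"deploy:s3cret").decode()},
        "https://index.docker.io/v1/": {"auth": base64.b64encode(b"me:personal").decode()},
        "ghcr.io": {},  # empty entry: the credential lives in a helper, not in the file
    },
    "credHelpers": {"ghcr.io": "osxkeychain"},
})


def list_logins(config_text):
    """Return {registry: username or None} for every entry under "auths"."""
    logins = {}
    for registry, entry in json.loads(config_text).get("auths", {}).items():
        auth = entry.get("auth")
        # "auth" is base64("username:password"); split on the first colon only.
        logins[registry] = (
            base64.b64decode(auth).decode().split(":", 1)[0] if auth else None
        )
    return logins


def restrict_to(config_text, registry):
    """Build a .dockerconfigjson document holding only one registry's login."""
    entry = json.loads(config_text).get("auths", {}).get(registry)
    if entry is None:
        raise KeyError(f"no login for {registry} in this config")
    if not entry.get("auth"):
        # With credsStore/credHelpers the file carries no credential the cluster can use.
        raise ValueError(f"{registry} has no inline credential (credential helper in use?)")
    return json.dumps({"auths": {registry: entry}}, indent=2)


if __name__ == "__main__":
    print(list_logins(SAMPLE_CONFIG))
    print(restrict_to(SAMPLE_CONFIG, "registry.example.com"))
```

Write the output of restrict_to to a file and pass that file to --from-file=.dockerconfigjson= in place of the full config.json.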

Creating an auth secret from kubectl

As an alternative to reusing a local Docker login config file, you can create an authentication secret for a container registry directly in Kubernetes using kubectl:

kubectl create secret docker-registry regcred \
--docker-server=<your-registry-server> \
--docker-username=<your-username> \
--docker-password=<your-password> \
--docker-email=<your-email>

This approach also creates a Secret named regcred.

Checking the authentication secret

To ensure the previous steps worked properly, you can inspect the secret and ensure the data is correct:

kubectl describe secret regcred

This should produce output similar to this:

Name:        regcred
Namespace:   default
Labels:      <none>
Annotations: <none>

Type: kubernetes.io/dockerconfigjson

Data
====
.dockerconfigjson: 135 bytes

To check if the login information is correct, you can print a decoded JSON version of it:

kubectl get secret regcred --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode

Deploying an image from a private registry

Now that authentication has been set up, a Pod can use the regcred Secret to authenticate by supplying its name under the imagePullSecrets YAML key:

apiVersion: v1
kind: Pod
metadata:
  name: my-private-pod
spec:
  containers:
  - name: my-private-container
    image: <my-private-image>
  imagePullSecrets:
  - name: regcred

The regcred Secret can be reused for any number of pods and images. If you need multiple logins to different (or even the same) container registry, make sure to change the names accordingly to prevent conflicts.
