Pull an Image from a Private Registry
This page shows how to create a Pod that uses a Secret to pull an image from a private container image registry or repository. There are many private registries in use. This task uses Docker Hub as an example registry.
Before you begin
- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:
- To do this exercise, you need the docker command line tool, and a
- If you are using a different private container registry, you need the command line tool for that registry and any login information for the registry.
Log in to Docker Hub
On your laptop, you must authenticate with a registry in order to pull a private image.
Use the docker tool to log in to Docker Hub. See the log in section of

    docker login

When prompted, enter your Docker ID, and then the credential you want to use (access token,
or the password for your Docker ID).

The login process creates or updates a config.json file that holds an authorization token. Review how Kubernetes interprets this file.

View the config.json file:

    cat ~/.docker/config.json

The output contains a section similar to this:

    {
        "auths": {
            "https://index.docker.io/v1/": {
                "auth": "c3R...zE2"
            }
        }
    }

auth entry but a credsStore entry with the name of the store as value.

Create a Secret based on existing credentials

A Kubernetes cluster uses the Secret of kubernetes.io/dockerconfigjson type to authenticate with
a container registry to pull a private image.

If you already ran docker login, you can copy
that credential into Kubernetes:

    kubectl create secret generic regcred \
        --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
        --type=kubernetes.io/dockerconfigjson

If you need more control (for example, to set a namespace or a label on the new
secret) then you can customise the Secret before storing it.
Be sure to:

- set the name of the data item to .dockerconfigjson
- base64 encode the Docker configuration file and use that string as the value of data[".dockerconfigjson"]
- set type to kubernetes.io/dockerconfigjson

Example:

    apiVersion: v1
    kind: Secret
    metadata:
      name: myregistrykey
      namespace: awesomeapps
    data:
      .dockerconfigjson: UmVhbGx5IHJlYWxseSByZWVlZWVlZWVlZWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGx5eXl5eXl5eXl5eXl5eXl5eXl5eSBsbGxsbGxsbGxsbGxsbG9vb29vb29vb29vb29vb29vb29vb29vb29vb25ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubmdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2cgYXV0aCBrZXlzCg==
    type: kubernetes.io/dockerconfigjson

If you get the error message error: no objects passed to create, it may mean the base64 encoded string is invalid.
If you get an error message like Secret "myregistrykey" is invalid: data[.dockerconfigjson]: invalid value ..., it means
the base64 encoded string in the data was successfully decoded, but could not be parsed as a .docker/config.json file.

Create a Secret by providing credentials on the command line

Create this Secret, naming it regcred:

    kubectl create secret docker-registry regcred \
        --docker-server=<your-registry-server> \
        --docker-username=<your-name> \
        --docker-password=<your-pword> \
        --docker-email=<your-email>

where:

- <your-registry-server> is your Private Docker Registry FQDN. Use https://index.docker.io/v1/ for DockerHub.
- <your-name> is your Docker username.
- <your-pword> is your Docker password.
- <your-email> is your Docker email.

You have successfully set your Docker credentials in the cluster as a Secret called regcred.

kubectl is running.

Inspecting the Secret regcred

To understand the contents of the regcred Secret you created, start by viewing the Secret in YAML format:

    kubectl get secret regcred --output=yaml

The output is similar to this:

    apiVersion: v1
    kind: Secret
    metadata:
      ...
      name: regcred
      ...
    data:
      .dockerconfigjson: eyJodHRwczovL2luZGV4L ... J0QUl6RTIifX0=
    type: kubernetes.io/dockerconfigjson

The value of the .dockerconfigjson field is a base64 representation of your Docker credentials.

To understand what is in the .dockerconfigjson field, convert the secret data to a
readable format:

    kubectl get secret regcred --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode

The output is similar to this:

    {"auths":{"your.private.registry.example.com":{"username":"janedoe","password":"xxxxxxxxxxx","email":"jdoe@example.com","auth":"c3R...zE2"}}}

To understand what is in the auth field, convert the base64-encoded data to a readable format:

    echo "c3R...zE2" | base64 --decode

The output, username and password concatenated with a :, is similar to this:

    janedoe:xxxxxxxxxxx

Notice that the Secret data contains the authorization token similar to your local ~/.docker/config.json file.

You have successfully set your Docker credentials as a Secret called regcred in the cluster.

Create a Pod that uses your Secret

Here is a manifest for an example Pod that needs access to your Docker credentials in regcred:

    apiVersion: v1
    kind: Pod
    metadata:
      name: private-reg
    spec:
      containers:
      - name: private-reg-container
        image: <your-private-image>
      imagePullSecrets:
      - name: regcred

Download the above file onto your computer:

    curl -L -o my-private-reg-pod.yaml https://k8s.io/examples/pods/private-reg-pod.yaml

In file my-private-reg-pod.yaml, replace <your-private-image> with the path to an image in a private registry such as:

    your.private.registry.example.com/janedoe/jdoe-private:v1

To pull the image from the private registry, Kubernetes needs credentials.
The imagePullSecrets field in the configuration file specifies that
Kubernetes should get the credentials from a Secret named regcred.

Create a Pod that uses your Secret, and verify that the Pod is running:

    kubectl apply -f my-private-reg-pod.yaml
    kubectl get pod private-reg
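
The two error messages described earlier separate a value that is not valid base64 from one that decodes but cannot be parsed as a .docker/config.json file. As an added example (not part of the original page or of Kubernetes), the Python below runs those checks locally on a data[".dockerconfigjson"] value and reports which registry and username it holds without returning the password; the function names and the sample value are constructed for illustration.

```python
import base64
import binascii
import json


def b64(text):
    return base64.b64encode(text.encode()).decode()


def check_dockerconfigjson(value):
    """Return (registries, problems); registries maps registry -> username only."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return {}, ["value is not valid base64"]
    try:
        config = json.loads(raw)
    except ValueError:
        return {}, ["decoded, but not parseable as a .docker/config.json file"]
    auths = config.get("auths") if isinstance(config, dict) else None
    if not isinstance(auths, dict) or not auths:
        only_store = isinstance(config, dict) and "credsStore" in config
        return {}, ["credsStore only, no credentials" if only_store else 'no "auths" section']
    registries, problems = {}, []
    for registry, entry in auths.items():
        entry = entry if isinstance(entry, dict) else {}
        user, sep = entry.get("username"), bool(entry.get("password"))  # used if no auth
        if entry.get("auth"):
            try:
                decoded = base64.b64decode(entry["auth"], validate=True).decode()
            except (binascii.Error, ValueError, TypeError):
                decoded = ""
            user, sep, _ = decoded.partition(":")  # auth is base64(username:password)
        if user and sep:
            registries[registry] = user  # the password is deliberately dropped
        else:
            problems.append(f"{registry}: no usable username:password")
    return registries, problems


def sample_value():
    """Constructed sample, shaped like the decoded output shown on this page."""
    entry = {"username": "janedoe", "password": "xxxxxxxxxxx",
             "email": "jdoe@example.com", "auth": b64("janedoe:xxxxxxxxxxx")}
    return b64(json.dumps({"auths": {"your.private.registry.example.com": entry}}))


if __name__ == "__main__":
    print(check_dockerconfigjson(sample_value()))
```

A config.json written by a Docker credentials store typically fails this check with "no usable username:password" or "credsStore only", which is the case where the Secret has to be created from credentials supplied directly.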
What's next
imagePullSecrets field within the container definitions of a Pod