This page shows how to create a Pod that uses a Secret to pull an image from a private Docker registry or repository.

Before you begin

  • You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using Minikube, or you can use one of these Kubernetes playgrounds:
      • Katacoda
      • Play with Kubernetes

To check the version, enter kubectl version.

Log in to Docker

On your laptop, you must authenticate with a registry in order to pull a private image:

docker login

When prompted, enter your Docker username and password.

The login process creates or updates a config.json

View the config.json

cat ~/.docker/config.json

The output contains a section similar to this:

{
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": "c3R...zE2"
        }
    }
}

Note: If you use a Docker credentials store, you won’t see that auth entry but a credsStore

Create a Secret in the cluster that holds your authorization token

A Kubernetes cluster uses the Secret of docker-registry

Create this Secret, naming it regcred:

kubectl create secret docker-registry regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>

where:

  • <your-registry-server>
  • <your-name>
  • <your-pword>
  • <your-email>

You have successfully set your Docker credentials in the cluster as a Secret called regcred.

Inspecting the Secret regcred

To understand the contents of the regcred

kubectl get secret regcred --output=yaml

The output is similar to this:

apiVersion: v1
data:
  .dockerconfigjson: eyJodHRwczovL2luZGV4L ... J0QUl6RTIifX0=
kind: Secret
metadata:
  ...
  name: regcred
  ...
type: kubernetes.io/dockerconfigjson

The value of the .dockerconfigjson

To understand what is in the .dockerconfigjson

kubectl get secret regcred --output="jsonpath={.data.\.dockerconfigjson}" | base64 -d

The output is similar to this:

{"auths":{"yourprivateregistry.com":{"username":"janedoe","password":"xxxxxxxxxxx","email":"jdoe@example.com","auth":"c3R...zE2"}}}

To understand what is in the auth

echo "c3R...zE2" | base64 -d

The output, username and password concatenated with a :, is similar to this:

janedoe:xxxxxxxxxxx

Notice that the Secret data contains the authorization token similar to your local ~/.docker/config.json

You have successfully set your Docker credentials as a Secret called regcred
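
The two base64 layers decoded by hand above can also be checked in one pass. The following Python sketch is an added example, not part of the original page: it takes the parsed output of kubectl get secret regcred --output=json and reports each registry entry without printing the password. The function names and the sample credentials are constructed for illustration.

```python
import base64
import json

PULL_SECRET_TYPE = "kubernetes.io/dockerconfigjson"


def build_sample_secret(registry, username, password, email):
    """Construct a Secret shaped like `kubectl get secret regcred --output=json`."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {registry: {"username": username, "password": password,
                                   "email": email, "auth": auth}}}
    blob = base64.b64encode(json.dumps(config).encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "type": PULL_SECRET_TYPE,
            "metadata": {"name": "regcred"}, "data": {".dockerconfigjson": blob}}


def summarize_pull_secret(secret):
    """Decode both base64 layers; report each registry without the password."""
    if secret.get("type") != PULL_SECRET_TYPE:
        raise ValueError("not a %s Secret" % PULL_SECRET_TYPE)
    # Layer 1: .data values are base64 (an encoding, not encryption).
    config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    report = []
    for registry, entry in config.get("auths", {}).items():
        # Layer 2: auth is base64("username:password"); split on the first ':'
        # only, because the password itself may contain colons.
        decoded = base64.b64decode(entry.get("auth", "")).decode()
        user, sep, password = decoded.partition(":")
        report.append({
            "registry": registry,
            "username": user,
            "password_length": len(password),
            "well_formed": bool(sep and user and password),
            # The plain fields, when present, should agree with the token.
            "fields_match": (entry.get("username", user) == user
                             and entry.get("password", password) == password),
        })
    return report


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = build_sample_secret("yourprivateregistry.com", "janedoe",
                                 "s3cr3t:with:colons", "jdoe@example.com")
    for row in summarize_pull_secret(sample):
        print(row)
```

Because both layers are plain base64, anyone who can read the Secret object can recover the registry password, so read access to regcred is equivalent to holding the credentials.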

Create a Pod that uses your Secret

Here is a configuration file for a Pod that needs access to your Docker credentials in regcred:

apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    image: <your-private-image>
  imagePullSecrets:
  - name: regcred

Download the above file:

wget -O my-private-reg-pod.yaml https://k8s.io/docs/tasks/configure-pod-container/private-reg-pod.yaml

In file my-private-reg-pod.yaml, replace <your-private-image>

janedoe/jdoe-private:v1

To pull the image from the private registry, Kubernetes needs credentials. The imagePullSecrets field in the configuration file specifies that Kubernetes should get the credentials from a Secret named regcred.

Create a Pod that uses your Secret, and verify that the Pod is running:

kubectl create -f my-private-reg-pod.yaml
kubectl get pod private-reg