How to pass image pull secret while using 'kubectl run' command?

10/27/2016

I am trying to use kubectl run command to pull an image from private registry and run a command from that. But I don't see an option to specify image pull secret. It looks like it is not possible to pass image secret as part for run command.

Is there any alternate option to pull a container and run a command using kubectl? The command output should be seen on the console. Also once the command finishes the pod should die.

-- noorul
kubectl
kubernetes

6 Answers

3/31/2020

Please try the following command:

kubectl run nginx--image=nginx --overrides='{"apiVersion": "apps/v1", 
"spec": {"template":{"spec":{"imagePullSecrets": [{"name": "secret-name"}]}}}}'
-- Thulasya
Source: StackOverflow

11/17/2016

You could create the docker-registry secret as described at @MarkO'Connor's link, then add it to the default ServiceAccount. It's the SA that acts on the behalf of pods, including pulling their images.

From Adding ImagePullSecrets to a service account:

$ kubectl create secret docker-registry myregistrykey --docker-username=janedoe --docker-password=●●●●●●●●●●● --docker-email=jdoe@example.com
secret "myregistrykey" created

$ kubectl get serviceaccounts default -o yaml > ./sa.yaml

$ cat sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2015-08-07T22:02:39Z
  name: default
  namespace: default
  resourceVersion: "243024"
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
secrets:
- name: default-token-uudge

$ vi sa.yaml
[editor session not shown]
[delete line with key "resourceVersion"]
[add lines with "imagePullSecret:"]

$ cat sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2015-08-07T22:02:39Z
  name: default
  namespace: default
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
secrets:
- name: default-token-uudge
imagePullSecrets:
- name: myregistrykey

$ kubectl replace serviceaccount default -f ./sa.yaml

Now, any new pods created in the current namespace will have this added to their spec:

spec:
  imagePullSecrets:
  - name: myregistrykey
-- mgoodness
Source: StackOverflow

11/7/2017

You can use the overrides if you specify it right, it's an array in the end, that took me a bit to figure out, the below works on Kubernetes of at least 1.6:

--overrides='{ "apiVersion": "v1", "spec": { "imagePullSecrets": [{"name": "your-secret"}] } }'

for example

kubectl run -i -t hello-world --restart=Never --rm=true \ --image=eu.gcr.io/your-registry/hello-world \ --overrides='{ "apiVersion": "v1", "spec": { "imagePullSecrets": [{"name": "your-registry-secret"}] } }'

-- Elmar Weber
Source: StackOverflow

11/26/2018

On Windows, you can do patch, but as it shows a JSON error, you have to do this trick (using PowerShell):

> $imgsec=  '{"imagePullSecrets": [{"name": "myregistrykey"}]}' | ConvertTo-Json
> kubectl patch serviceaccount default -p $imgsec

Also , if you want to update/ append imagePullSecret , then you should be using something like this :

> $imgsec=  '[{"op":"add","path":"/imagePullSecrets/-","value":{"name":"myregistrykey2"}}]' | ConvertTo-Json

> kubectl patch serviceaccount default --type='json' -p  $imgsec

.

-- Paras Patidar
Source: StackOverflow

11/18/2016

As far as I know you cannot, but you can use kubectl run nginx --image=nginx --overrides='{ "apiVersion": "v1", "spec": { ... } }' , but this is not very different from what you can do with kubectl create -f mypod.json

What I think you're after is not a Pod but a Job, for example, if you need to populate a database, you can create a container that does that, and run it as a job instead of a pod or replica set.

Kubectl run ... creates deploymentorjob` objects. Jobs finish when the pod execution terminates and you can check the logs.

Take a look here and here for the termination

-- Ivan Pedrazas
Source: StackOverflow

1/31/2020

Usually when you need kubectl it's because you're testing something temporary, in a namespace that already has the docker registry secret to access the private registry. So the simplest is to edit the default service account to give it the pull secret to use when a pull secret is not present (which will be the case for kubectl run):

kubectl edit serviceaccount default

The edit will show something similar to this:

apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2019-04-16T14:48:17Z"
  name: default
  namespace: integration-testing
  resourceVersion: "60516585"
  selfLink: /api/v1/namespaces/integration-testing/serviceaccounts/default
  uid: ab7b767d-6056-11e9-bba8-0ecf3bdac4a0
secrets:
- name: default-token-4nnk4

Just append an imagePullSecrets:

imagePullSecrets:
- name: <name-of-your-docker-registry-password-secret>

so it will look like this:

apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2019-04-16T14:48:17Z"
  name: default
  namespace: integration-testing
  resourceVersion: "60516585"
  selfLink: /api/v1/namespaces/integration-testing/serviceaccounts/default
  uid: ab7b767d-6056-11e9-bba8-0ecf3bdac4a0
secrets:
- name: default-token-4nnk4
imagePullSecrets:
- name: <name-of-your-docker-registry-password-secret>

Say name is YOUR_PWD_SECRET, then this secret must exist in the kubectl context's namespace:

tooluser:/host $ kubectl get secret YOUR_PWD_SECRET
NAME              TYPE                             DATA   AGE
YOUR_PWD_SECRET   kubernetes.io/dockerconfigjson   1      186d

If it doesn't exist you must create it, either from scratch or copy it from another namespace (best way to do that is answer by NicoKowe at https://stackoverflow.com/a/58235551/869951).

With a secret holding your docker registry password, the secret in the same namespace where the kubectl run will execute, and with a default service account that lists the secret as imagePullSecrets, the kubectl run will work.

-- Oliver
Source: StackOverflow