K
Q

ErrImagePull when pulling from azr registry

2/16/2018

I'm trying to run kubernetes using minikube. I have some docker images in n azure container registry.

I created a secret like this:

kubectl create secret docker-registry private-repo-secret --docker-server=myregistry.azurecr.io --docker-username=myusername --docker-password=mypassword --docker-email=myemail@mydomain.com

And I can see it's there:

$ kubectl get secret         
NAME                  TYPE                                  DATA      AGE
default-token-x5xxh   kubernetes.io/service-account-token   3         17m
private-repo-secret   kubernetes.io/dockercfg               1         4m

And in my pods:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: frontend
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: frontend
    spec:
      containers:
      - name: frontend
        image: myregistry.azurecr.io/myproject/frontend:0.0.5
      imagePullSecrets:
        - name: private-repo-secret

Then why I get an ErrImagePull saying that the authentication is required?

EDIT: Those credentials are correct and they work locally. I've used one of the 2 pasword obtained with az acr credential show -n myregistry. The only difference is that in my local json I just have the auth property, not username, password and email.

If I describe one of my pods I get:

  Warning  Failed                 5m (x4 over 6m)   kubelet, ip-172-20-49-180.eu-central-1.compute.internal  Failed to pull image "myregistry.azurecr.io/myproject/frontend:0.0.5": rpc error: code = Unknown desc = Error response from daemon: Get https://myregistry.azurecr.io/v2/myproject/frontend/manifests/0.0.5: unauthorized: authentication required
  Normal   BackOff                5m (x6 over 6m)   kubelet, ip-172-20-49-180.eu-central-1.compute.internal  Back-off pulling image "myregistry.azurecr.io/myproject/frontend:0.0.5"
  Warning  FailedSync             1m (x25 over 6m)  kubelet, ip-172-20-49-180.eu-central-1.compute.internal  Error syncing pod

kubectl version:

Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.0", GitCommit:"925c127ec6b946659ad0fd596fa959be43f0cc05", GitTreeState:"clean", BuildDate:"2017-12-15T21:07:38Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.6", GitCommit:"6260bb08c46c31eea6cb538b34a9ceb3e406689c", GitTreeState:"clean", BuildDate:"2017-12-21T06:23:29Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
-- andrew
azure
docker
kubernetes
minikube

Similar Questions

Adding more disk space to Kubernetes Jenkins slave
Private registry with Kubernetes
I can't load a Helm chart into IBM Cloud Private
How to verify kubernetes service load balancer init (call-back not polling)

4 Answers

7/29/2018

You may create the secret with;

kubectl create secret docker-registry YOUR_SECRET_NAME --docker-server=REGISTRY_LOGIN_SERVER --docker-username=USERNAME --docker-password=PASSWORD --docker-email=VALID_EMAIL

(You can check the USERNAME and PASSWORD for your docker registry with the command

az acr credential show --name YOUR_REGISTRY_NAME

)

Then you refer created secret name in kubernets resource spec. eg.

apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: some_deployment
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: some_deployment
    spec:
      containers:
      - name: some_image
        image: REGISTRY_NAME.azurecr.io/repository:tag
        .
        .
        .
        imagePullSecrets:
        - name: YOUR_SECRET_NAME
--
Source: StackOverflow
2/17/2018

well, this looks right, the only problem there could be wrong user\password, typo in the acr name or somewhere else. You can check those values by using:

kubectl get secrets/private-repo-secret -o yaml
echo "string from data/.dockerconfigjson" | base64 --decode

or you could simply delete both and create the from scratch

-- 4c74356b41
Source: StackOverflow
2/17/2018

I solved by creating a secret from this yaml file:

apiVersion: v1  
kind: Secret    
metadata:   
  name: private-repo-secret 
data:   
  .dockerconfigjson: <~/.docker/config.json encoded base64> 
type: kubernetes.io/dockerconfigjson
-- andrew
Source: StackOverflow
2/17/2018

First, use following command to login into your docker registry.

$ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --password=DOCKER_PASSWORD --email=DOCKER_EMAIL'.

This will generate a config file.

$ ls -la ~/.docker/config.json
/home/shahriar/.docker/config.json

Now, use this this command to create secret.

kubectl create secret generic my-secret-name --type=kubernetes.io/dockerconfigjson --from-file .dockerconfigjson=/home/shahriar/.docker/config.json

Your Secret will look like this

apiVersion: v1
data:
  .dockerconfigjson: ewoJImF1dGh...l9Cn0=
kind: Secret
metadata:
  creationTimestamp: 2018-02-17T10:06:56Z
  name: my-secret-name
  namespace: default
  resourceVersion: "269"
  selfLink: /api/v1/namespaces/default/secrets/my-secret-name
  uid: 48f9f398-13ca-11e8-89c4-0800276cd577
type: kubernetes.io/dockerconfigjson

And the .dockerconfigjson will look like this

{
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": "YWVyb2tp..XRlMDMzIw=="
        }
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/17.11.0-ce (linux)"
    }
}
-- Mir Shahriar Sabuj
Source: StackOverflow