Does Kubernetes kubelet support Docker Credential Stores for private registries?

4/26/2018

Docker has a mechanism for retrieving Docker registry passwords from a remote store, instead of just storing them in a config file - this mechanism is called a Credentials Store. It has a similar mechanism that is used to retrieve a password for a specific registry, called Credential Helpers.

Basically, it involves defining a value in ~/.docker/config.json that is interpreted as the name of an executable.

{
    "credsStore": "osxkeychain"
}

The value of the credsStore key has the prefix docker-credential- prepended to it, and if that executable (e.g. docker-credential-osxkeychain) exists on the path then it will be executed and is expected to echo the username and password to stdout, which Docker will use to log in to a private registry. The idea is that the executable reaches out to a store and retrieves your password for you, so you don't have to have lots of files lying around in your cluster with your username/password encoded in them.

I can't get a Kubernetes kubelet to make use of this credential store. It seems to just ignore it and when Kubernetes attempts to download from a private registry I get a "no basic auth credentials" error. If I just have a config.json with the username / password in it then kubelet works ok.

Does Kubernetes support Docker credential stores/credential helpers and if so, how do I get them to work?

For reference, kubelet is running through systemd, the credential store executable is on the path and the config.json file is being read.

-- John
docker
kubelet
kubernetes

2 Answers

4/27/2018

Yes, Kubernetes has the same mechanism, called secrets, but with extended functionality, and it includes a specific secret type called docker-registry. You can create your specific secret with credentials for the docker registry:

$ kubectl create secret docker-registry myregistrykey \
 --docker-server=DOCKER_REGISTRY_SERVER \
 --docker-username=DOCKER_USER \
 --docker-password=DOCKER_PASSWORD \
 --docker-email=DOCKER_EMAIL

secret "myregistrykey" created.

and use it:

apiVersion: v1
kind: Pod
metadata:
  name: foo
  namespace: awesomeapps
spec:
  containers:
    - name: foo
      image: janedoe/awesomeapp:v1
  imagePullSecrets:
    - name: myregistrykey
-- Nick Rak
Source: StackOverflow

3/28/2019

As of the moment of writing, Kubernetes v1.14 does not support credential helpers, as per the official docs: Configuring Nodes to Authenticate to a Private Registry

Note: Kubernetes as of now only supports the auths and HttpHeaders section of docker config. This means credential helpers (credHelpers or credsStore) are not supported.

-- kasur
Source: StackOverflow
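An added example (not from either answer or from the Kubernetes project) that ties the two answers together: the first function models how kubelet resolves credentials from a docker config.json given the v1.14 behaviour quoted above (only the auths section is consulted, credsStore/credHelpers are ignored), and the second builds the same kubernetes.io/dockerconfigjson Secret that `kubectl create secret docker-registry` produces. The registry name, user and password are constructed sample values.

```python
import base64
import json

# Keys kubelet (v1.14, per the docs quoted above) does not consult; only "auths" is used.
UNSUPPORTED_KEYS = ("credsStore", "credHelpers")


def kubelet_auth_for(config_json: str, registry: str) -> dict:
    """Model kubelet's credential lookup for `registry` in a docker config.json string.
    Returns 'resolvable' (bool), 'username' (or None) and 'ignored' (credential-store
    keys present in the file that kubelet will not act on)."""
    cfg = json.loads(config_json)
    ignored = [k for k in UNSUPPORTED_KEYS if k in cfg]
    entry = cfg.get("auths", {}).get(registry) or {}
    username = None
    if "auth" in entry:
        # "auth" is base64("user:password"); kubelet decodes it into basic auth
        user_pass = base64.b64decode(entry["auth"]).decode()
        username = user_pass.split(":", 1)[0]
    return {"resolvable": username is not None, "username": username, "ignored": ignored}


def docker_registry_secret(name: str, server: str, username: str, password: str, email: str = "") -> dict:
    """Build the Secret manifest `kubectl create secret docker-registry` generates:
    type kubernetes.io/dockerconfigjson, with a base64-encoded config.json holding
    an "auths" entry for `server` under the .dockerconfigjson data key."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    dockercfg = {"auths": {server: {"username": username, "password": password, "email": email, "auth": auth}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(dockercfg).encode()).decode()},
    }


def auths_in_secret(secret: dict) -> dict:
    """Decode the .dockerconfigjson data of such a Secret back to its "auths" map."""
    return json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))["auths"]


# Constructed sample: what `docker login` writes when a credential store is configured
STORE_ONLY_CONFIG = json.dumps({"credsStore": "osxkeychain", "auths": {"registry.example.test": {}}})
# Constructed sample: static credentials inline, which kubelet can use
INLINE_CONFIG = json.dumps({"auths": {"registry.example.test": {"auth": base64.b64encode(b"jane:s3cret").decode()}}})

if __name__ == "__main__":
    print(kubelet_auth_for(STORE_ONLY_CONFIG, "registry.example.test"))  # not resolvable, credsStore ignored
    print(kubelet_auth_for(INLINE_CONFIG, "registry.example.test"))      # resolvable as user jane
    print(json.dumps(docker_registry_secret("myregistrykey", "registry.example.test", "jane", "s3cret"), indent=2))
```

The first call reproduces the "no basic auth credentials" situation from the question (the registry entry is empty because the password lives in the keychain), the second the working config.json, and the Secret is the cluster-side equivalent the first answer recommends.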