Automatically use secret when pulling from private registry

3/18/2019

Is it possible to globally (or at least per namespace), configure kubernetes to always use an image pull secret when connecting to a private repo? There are two use cases:

  1. when a user specifies a container in our private registry in a deployment
  2. when a user points a Helm chart at our private repo (and so we have no control over the image pull secret tag).

I know it is possible to do this on a service account basis but without writing a controller to add this to every new service account created it would get a bit of a mess.

Is there are way to set this globally so if kube tries to pull from registry X it uses secret Y?

Thanks

-- apr_1985
artifactory
kubernetes
kubernetes-helm

2 Answers

3/18/2019

Two simple questions, where are you running your k8s cluster? Where is your registry located? Here there are a few approaches to your issue: https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry

-- Leandro Donizetti Soares
Source: StackOverflow

3/18/2019

As far as I know, usually the default serviceAccount is responsible for pulling the images. To easily add imagePullSecrets to a serviceAccount you can use the patch command:

kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "mySecret"}]}'

It's possible to use kubectl patch in a script that inserts imagePullSecrets on serviceAccounts across all namespaces.

If it´s too complicated to manage multiple namespaces you can have look at kubernetes-replicator, which syncs resources between namespaces.

Solution 2:
This section of the doc explains how you can set the private registry on a node basis:

Here are the recommended steps to configuring your nodes to use a private registry. In this example, run these on your desktop/laptop:

  1. Run docker login [server] for each set of credentials you want to use. This updates $HOME/.docker/config.json.
  2. View $HOME/.docker/config.json in an editor to ensure it contains just the credentials you want to use.
  3. Get a list of your nodes, for example:

    • If you want the names:
      nodes=$(kubectl get nodes -o jsonpath='{range.items[*].metadata}{.name} {end}')

    • If you want to get the IPs:
      nodes=$(kubectl get nodes -o jsonpath='{range .items[*].status.addresses[?(@.type=="ExternalIP")]}{.address} {end}')

  4. Copy your local .docker/config.json to one of the search paths list above. for example:

    for n in $nodes; do scp ~/.docker/config.json root@$n:/var/lib/kubelet/config.json; done

Solution 3:
A (very dirty!) way I discovered to not need to set up an imagePullSecret on a deployment / serviceAccount basis is to:

  1. Set ImagePullPolicy: IfNotPresent
  2. Pulling the image in each node
    2.1. manually using docker pull myrepo/image:tag.
    2.2. using a script or a tool like docker-puller to automate that process.

Well, I think I don't need to explain how ugly is that.

PS: If it helps, I found an issue on kubernetes/kops about the feature of creating a global configuration for private registry.

-- victortv
Source: StackOverflow