I want to run my application that is hosted in a private container registry on a Kubernetes cluster. I followed the instructions here and created a secret like this:
kubectl create secret docker-registry regcred --docker-server=<your-registry-server> \
    --docker-username=<your-name> \
    --docker-password=<your-pword> \
    --docker-email=<your-email>
which is used in my deployment like this:
containers:
- image: registry.gitlab.com/xxxxx/xxxx
  name: dockerdemo
  resources: {}
imagePullSecrets:
- name: regcred
K8s is now able to pull the image from my private registry. Anyway, I don't feel comfortable with my username and password being stored in plain text in the cluster. Is there a better/more secure way to give the K8s cluster access to the registry, maybe with a token?
Since I am using GitLab, the solution for me now is not to store my user credentials in Kubernetes. Instead I am using a Deploy Token that can be removed at any time and that only has access to the container registry.
The following steps are necessary here:
1. Create a Deploy Token for the project with only the read_registry scope.
2. Create the secret with the token credentials:
kubectl create secret docker-registry regcred --docker-server=registry.gitlab.com --docker-username=<token_username> --docker-password=<token>
Thank you @Jonas for your links, but this solution is what I was looking for.
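As an added example (not code from the question or this answer), the script below builds the same kubernetes.io/dockerconfigjson Secret that `kubectl create secret docker-registry` creates, but reads the Deploy Token from a file instead of a `--docker-password` argument, so the token does not end up in shell history or `ps` output. It also decodes an existing manifest to show which account it carries, which is the check you want when verifying that a cluster no longer uses personal credentials. It assumes POSIX sh with coreutils base64(1); the registry, token username and token value are constructed placeholders, not real credentials.

```shell
#!/bin/sh
# Added example: build and audit an image-pull Secret for a GitLab Deploy Token.
# Assumes POSIX sh and coreutils base64(1). All credential values below are
# constructed placeholders.

b64() {
    # Single-line base64 (coreutils wraps output at 76 columns).
    base64 | tr -d '\n'
}

# make_pull_secret NAME REGISTRY USERNAME < token-file
# Prints a Secret manifest on stdout. The token comes from stdin, never
# from a command-line argument. Values are assumed to contain no double
# quotes or backslashes (true of GitLab deploy-token names and values).
make_pull_secret() {
    name=$1; registry=$2; username=$3
    token=$(cat)
    auth=$(printf '%s:%s' "$username" "$token" | b64)
    config=$(printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
        "$registry" "$username" "$token" "$auth")
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' \
        "$name" "$(printf '%s' "$config" | b64)"
}

# pull_secret_user MANIFEST: decode .dockerconfigjson from a manifest
# (e.g. the output of `kubectl get secret regcred -o yaml`) and print
# "<registry> <username>". Note the data is only base64-encoded, not
# encrypted: anyone who can read the Secret can recover the token.
pull_secret_user() {
    sed -n 's/^  \.dockerconfigjson: //p' "$1" | base64 -d \
        | sed 's/.*"auths":{"\([^"]*\)":{"username":"\([^"]*\)".*/\1 \2/'
}

# is_deploy_token USERNAME: GitLab names deploy-token users
# "gitlab+deploy-token-<id>"; any other username means the Secret still
# holds a person's account credentials.
is_deploy_token() {
    case $1 in
        gitlab+deploy-token-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (constructed values): keep the token in a mode-0600 file, build
# the manifest, apply it, then audit what the cluster actually stores.
umask 077
TOKEN_FILE=${TOKEN_FILE:-/tmp/gitlab-deploy-token}
printf '%s' 'gldt-EXAMPLE-NOT-A-REAL-TOKEN' > "$TOKEN_FILE"
make_pull_secret regcred registry.gitlab.com gitlab+deploy-token-1234 \
    < "$TOKEN_FILE" > /tmp/regcred.yaml
# kubectl apply -f /tmp/regcred.yaml
pull_secret_user /tmp/regcred.yaml
```

Applying the generated manifest with `kubectl apply -f` is equivalent to the `kubectl create secret docker-registry` command in the answer. Running `pull_secret_user` against `kubectl get secret regcred -o yaml` output for every namespace, and feeding the username to `is_deploy_token`, is a quick way to find Secrets that were created with a personal account before the switch to Deploy Tokens.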
Anyway, I don't feel comfortable with my username and password being stored in plain text in the cluster. Is there a better/more secure way to give the K8s cluster access to the registry, maybe with a token?
See Encrypting Secret Data at Rest for how to ensure that your Secrets are encrypted in etcd.
Alternatively, you can consider using Vault to store secrets. See e.g. How Monzo bank security team handle secrets.
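As an added example (not code from this answer, and not a verbatim copy of the Kubernetes documentation), the script below generates the EncryptionConfiguration that the "Encrypting Secret Data at Rest" page describes and audits it for the two mistakes that silently leave Secrets in plaintext: listing the identity provider first, and a key of the wrong length. It assumes POSIX sh with coreutils base64(1) and /dev/urandom, picks the secretbox provider (the docs also offer aescbc, aesgcm and a KMS provider, and recommend KMS for production), and uses /tmp paths as placeholders for wherever kube-apiserver reads its config.

```shell
#!/bin/sh
# Added example: generate and sanity-check an EncryptionConfiguration for
# kube-apiserver. Assumes POSIX sh, coreutils base64(1), /dev/urandom.
# Paths are placeholders.

# write_encryption_config FILE: fresh 32-byte secretbox key; identity is
# listed last so Secrets written before encryption was enabled can still
# be read. The first provider is the one used for new writes.
write_encryption_config() {
    umask 077   # this file decrypts everything in etcd; keep it private
    key=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
    cat > "$1" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - secretbox:
          keys:
            - name: key1
              secret: $key
      - identity: {}
EOF
}

# check_encryption_config FILE: fail if the first provider is identity
# (new Secrets would be stored in plaintext) or if any key does not
# decode to exactly 32 bytes.
check_encryption_config() {
    first=$(sed -n 's/^      - \([a-z]*\):.*/\1/p' "$1" | head -n 1)
    if [ -z "$first" ] || [ "$first" = identity ]; then
        echo "first provider is '$first': Secrets would be stored in plaintext" >&2
        return 1
    fi
    for k in $(sed -n 's/^ *secret: //p' "$1"); do
        n=$(printf '%s' "$k" | base64 -d | wc -c | tr -d ' ')
        if [ "$n" -ne 32 ]; then
            echo "key decodes to $n bytes, need 32" >&2
            return 1
        fi
    done
    return 0
}

# Usage: write the file where kube-apiserver can read it, start the
# apiserver with --encryption-provider-config=/etc/kubernetes/enc/enc.yaml,
# then rewrite existing Secrets so they are re-encrypted in place:
#   kubectl get secrets --all-namespaces -o json | kubectl replace -f -
write_encryption_config /tmp/enc.yaml
check_encryption_config /tmp/enc.yaml && echo "enc.yaml looks sane"
```

After the apiserver restart and the `kubectl replace` pass, reading a Secret straight out of etcd with etcdctl should show a value starting with `k8s:enc:secretbox:v1:key1` instead of the plaintext JSON; if it still shows plaintext, the provider order or the flag is wrong. Encryption at rest protects against someone reading the etcd data or its backups, not against anyone with RBAC permission to `get secrets`, which is why the Deploy Token in the other answer is still the more important change.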