How can I determine whether Kubernetes is using authentication for an image repository?

9/17/2020

I'm trying to investigate why a pod has a status of ImagePullBackOff.

If I kubectl describe the pod, I see an event listed:

Warning Failed 5m42s (x4 over 7m2s) kubelet Failed to pull image "**": rpc error: code = Unknown desc = Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication

This is not expected as I have docker authentication set for the default service account - via a secret as mentioned here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-image-pull-secret-to-service-account

How can I determine whether it's using the correct authentication so I can further debug this issue?

-- Chris Stryczynski
kubernetes

1 Answer

9/17/2020

Not really an answer to the question but a solution in my case:

Seems there is something wrong with the kubectl patch serviceaccount default -p '{"imagepullsecrets": [{"name": "gcp-cr-read-access"}]}' as it does not seem to do anything...

Instead I edited the service account resource directly - no patch...

Demonstrated here:

root@docker-ubuntu-s-1vcpu-1gb-lon1-01:~/multitenant-manager# kubectl patch serviceaccount default -p '{"imagepullsecrets": [{"name": "gcp-cr-read-access"}]}'
serviceaccount/default patched (no change)
root@docker-ubuntu-s-1vcpu-1gb-lon1-01:~/multitenant-manager# kubectl describe serviceaccount default
Name:                default
Namespace:           app-1
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   default-token-tqp58
Tokens:              default-token-tqp58
Events:              <none>
root@docker-ubuntu-s-1vcpu-1gb-lon1-01:~/multitenant-manager# kubectl get serviceaccount -o yaml
apiVersion: v1
items:
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    creationTimestamp: "2020-09-17T15:50:34Z"
    name: default
    namespace: app-1
    resourceVersion: "111538"
    selfLink: /api/v1/namespaces/app-1/serviceaccounts/default
    uid: 5fe21574-67bf-485c-b9aa-d09c1fe3350c
  secrets:
  - name: default-token-tqp58
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
root@docker-ubuntu-s-1vcpu-1gb-lon1-01:~/multitenant-manager# kubectl patch -n app-1 serviceaccount default -p '{"imagepullsecrets": [{"name": "gcp-cr-read-access"}]}'
serviceaccount/default patched (no change)
-- Chris Stryczynski
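Added example, not part of the original post: the ServiceAccount field is spelled imagePullSecrets (camelCase), which differs from the key in the patch above, and a pod only receives the service account's pull secrets when it is created. The sketch below flags patch keys that match a real field only when case is ignored, then audits objects shaped like `kubectl get ... -o json` output. The function names, the pod name `web` and the sample objects are constructed for illustration.

```python
import json

# Top-level fields of a v1 ServiceAccount; names are case-sensitive.
SA_FIELDS = {"apiVersion", "kind", "metadata", "secrets",
             "imagePullSecrets", "automountServiceAccountToken"}
PULL_SECRET_TYPES = {"kubernetes.io/dockerconfigjson", "kubernetes.io/dockercfg"}

def miscased_keys(patch_json):
    """Map each patch key that matches a real field only when case is ignored."""
    by_lower = {f.lower(): f for f in SA_FIELDS}
    return {k: by_lower[k.lower()] for k in json.loads(patch_json)
            if k not in SA_FIELDS and k.lower() in by_lower}

def names(obj, path):
    """Secret names referenced under e.g. ("spec", "imagePullSecrets")."""
    for key in path[:-1]:
        obj = obj.get(key, {})
    return [ref["name"] for ref in obj.get(path[-1]) or []]

def audit(pod, sa, secrets):
    """Return findings about which pull credentials the pod can use."""
    findings = []
    pod_refs = names(pod, ("spec", "imagePullSecrets"))
    if not names(sa, ("imagePullSecrets",)):
        findings.append("serviceaccount has no imagePullSecrets")
    if not pod_refs:
        findings.append("pod spec has no imagePullSecrets")
    for name in pod_refs:
        secret = secrets.get(name)
        if secret is None:
            findings.append(f"secret {name} not found in pod namespace")
        elif secret.get("type") not in PULL_SECRET_TYPES:
            findings.append(f"secret {name} has type {secret.get('type')}")
    return findings

# Constructed sample objects mirroring the state shown in the transcript.
SA = {"kind": "ServiceAccount",
      "metadata": {"name": "default", "namespace": "app-1"},
      "secrets": [{"name": "default-token-tqp58"}]}
POD = {"kind": "Pod", "metadata": {"name": "web", "namespace": "app-1"},
       "spec": {"serviceAccountName": "default", "containers": []}}
PATCH = '{"imagepullsecrets": [{"name": "gcp-cr-read-access"}]}'

if __name__ == "__main__":
    print(miscased_keys(PATCH))   # keys that need correcting
    print(audit(POD, SA, {}))     # why the pull has no pod-level credentials
```

An empty findings list means the pod references a registry-type secret that exists in its namespace; whether the credentials inside that secret are accepted by the registry still has to be checked against the registry itself.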
Source: StackOverflow