K8s Image Pull from Private Artifactory

2/1/2021

I am using the manifest below to run a k8s Job. However, I am not able to submit the job successfully due to the error below.

apiVersion: batch/v1
kind: Job
metadata:
  name: spark-on-eks
spec:
  template:
    spec:
      imagePullSecrets:
      - name: mycreds
      containers:
        - name: spark
          image: repo:buildversion
          command:  
            - "/bin/sh"
            - "-c"
            - '/opt/spark/bin/spark-submit \
            --master k8s://EKSEndpoint \
            --deploy-mode cluster \
            --name spark-luluapp \
            --class com.ll.jsonclass \
            --conf spark.jars.ivy=/tmp/.ivy \
            --conf spark.kubernetes.container.image=repo:buildversion \
            --conf spark.kubernetes.namespace=spark-pi \
            --conf spark.kubernetes.authenticate.driver.serviceAccountName=spark-sa \
            --conf spark.hadoop.fs.s3a.impl=org.apache.hadoop.fs.s3a.S3AFileSystem \
            --conf spark.kubernetes.authenticate.executor.serviceAccountName=spark-sa \
            --conf spark.kubernetes.driver.pod.name=spark-job-driver \
            --conf spark.executor.instances=4 \
            local:///opt/spark/examples/App-buildversion-SNAPSHOT.jar \
            [mks,env,reg,"dd.mm.yyyy","true","off","db-comp-results","true","XX","XXX","XXXXX","XXX",$,###] '

      serviceAccountName: spark-pi
      restartPolicy: Never
  backoffLimit: 4

Error:

Error: ImagePullBackOff
Normal   Pulling  Pulling image "repo/buildversion"
Warning  Failed   Failed to pull image "repo/buildversion": rpc error: code = Unknown desc = Error response from daemon: unauthorized: The client does not have permission for manifest

I checked the secrets which I have listed; they are already created and in use with already deployed applications.

Is this issue related to init containers, which are being used for secret injection into pods/jobs, or is there something I am missing in my manifest? Also, I am running the above step as a part of automation on one of the Jenkins slaves, and it works fine for other application pods (not sure about k8s Jobs).

-- Zester07
apache-spark
artifactory
containers
kubernetes
kubernetes-secrets

1 Answer

2/1/2021

Are you using port, docker path, or reverse proxy configuration in Artifactory?

First validate on another machine that you can pull the image.

i.e. (docker path)

docker login ${ARTIFACTORY_URL}
docker pull ${ARTIFACTORY_URL}/repo/image:tag

I believe you may be using a reverse proxy config given the naming convention:

"repo:buildversion"

In this scenario you need to do a docker login to the repo:

docker login repo
docker push repo:buildversion

What this means for k8s is you likely used the wrong docker-server URL and this is why authentication won't work even with a valid API key.

If you are using a reverse proxy, try this:

kubectl create secret docker-registry mycred \
  --docker-server=repo \
  --docker-username=<your-name> \
  --docker-password=<your-api-key> \
  --docker-email=<your-email>
-- John Peterson
Source: StackOverflow
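
The mismatch the answer describes can be checked offline by comparing the registry host in the image reference with the hosts stored in the pull secret. This is an added example, not code from the original thread; the hostnames and all function names are constructed for illustration, and the host comparison is a simplification of how the kubelet matches credentials.

```python
import base64
import json


def registry_host(image):
    """Registry host Docker derives from an image reference."""
    first, slash, _ = image.partition("/")
    # The first component is a registry only if it looks like a host
    # (has '.' or ':' or is 'localhost'); otherwise Docker Hub is implied.
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def auth_hosts(dockerconfigjson_b64):
    """Hosts a kubernetes.io/dockerconfigjson secret holds credentials for."""
    cfg = json.loads(base64.b64decode(dockerconfigjson_b64))
    hosts = set()
    for key in cfg.get("auths", {}):
        key = key.split("://", 1)[-1]    # drop the scheme, if any
        hosts.add(key.split("/", 1)[0])  # drop a path such as /v1/
    return hosts


def secret_covers_image(dockerconfigjson_b64, image):
    """True if the secret has an entry for the image's registry host."""
    return registry_host(image) in auth_hosts(dockerconfigjson_b64)


def make_secret(server, user="user", password="api-key"):
    """Constructed sample: the .dockerconfigjson value for --docker-server."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    cfg = {"auths": {server: {"username": user, "password": password, "auth": auth}}}
    return base64.b64encode(json.dumps(cfg).encode()).decode()


if __name__ == "__main__":
    # Constructed hostnames: an Artifactory base URL and a reverse-proxy
    # subdomain that fronts one Docker repository.
    image = "docker-local.artifactory.example.com/spark:1.0"
    for server in ("artifactory.example.com",
                   "docker-local.artifactory.example.com"):
        ok = secret_covers_image(make_secret(server), image)
        print(f"--docker-server={server}: {'match' if ok else 'NO MATCH'}")
```

For a real secret, the input is the output of `kubectl get secret mycreds -o jsonpath='{.data.\.dockerconfigjson}'`, run against the namespace where the pod is created.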