K
Q

K8s Image Pull from Private Artifactory

2/1/2021

I am using below manifest to run some k8s Job, However i am not able to submit job successfully due to below error.

apiVersion: batch/v1
kind: Job
metadata:
  name: spark-on-eks
spec:
  template:
    spec:
      imagePullSecrets:
      - name: mycreds
      containers:
        - name: spark
          image: repo:buildversion
          command:  
            - "/bin/sh"
            - "-c"
            - '/opt/spark/bin/spark-submit \
            --master k8s://EKSEndpoint \
            --deploy-mode cluster \
            --name spark-luluapp \
            --class com.ll.jsonclass \
            --conf spark.jars.ivy=/tmp/.ivy \
            --conf spark.kubernetes.container.image=repo:buildversion \
            --conf spark.kubernetes.namespace=spark-pi \
            --conf spark.kubernetes.authenticate.driver.serviceAccountName=spark-sa \
            --conf spark.hadoop.fs.s3a.impl=org.apache.hadoop.fs.s3a.S3AFileSystem \
            --conf spark.kubernetes.authenticate.executor.serviceAccountName=spark-sa \
            --conf spark.kubernetes.driver.pod.name=spark-job-driver \
            --conf spark.executor.instances=4 \
            local:///opt/spark/examples/App-buildversion-SNAPSHOT.jar \
            [mks,env,reg,"dd.mm.yyyy","true","off","db-comp-results","true","XX","XXX","XXXXX","XXX",$,###] '

      serviceAccountName: spark-pi
      restartPolicy: Never
  backoffLimit: 4

Error: Error: ImagePullBackOff Normal Pulling Pulling image "repo/buildversion" Warning Failed Failed to pull image "repo/buildversion": rpc error: code = Unknown desc = Error response from daemon: unauthorized: The client does not have permission for manifest

i checked the secrets which i have listed, is already created and in use with already deployed applications.

Is this issue is related to init containers which are being used as secret injection for pods/jobs, or something i am missing in my manifest, also, i am running above step as apart of Auotmation on one of the Jenkins Slave, and it works fine for other application-pods ( Not sure of k8s jobs )

-- Zester07
apache-spark
artifactory
containers
kubernetes
kubernetes-secrets

Similar Questions

0/1 nodes are available 1 node(s) had diskpressure
echo container image:tag (URI) in kubernetes readinessProbe or livenessProbe
How Does Dynamic Service Discovery Work When Using Docker Compose Or Kubernetes?
Not able to access app deployed on kubernetes cluster
Kubernetes pod recreation

1 Answer

2/1/2021

Are you using port, docker path, or reverse proxy configuration in Artifactory?

Validate first on another machine you can pull the image.

i.e. (docker path)

docker login ${ARTIFACTORY_URL}
docker pull ${ARTIFACTORY_URL}/repo/image:tag

I believe you may be using a reverse proxy config given the naming convention:

"repo:buildversion"

In this scenario you need to do a docker login to the repo:

docker login repo
docker push repo:buildversion

What this means for k8s is you likely used the wrong docker-server URL and this is why authentication won't work even with a valid API key.

If you are using reverse proxy try this:

kubectl create secret docker-registry mycred \
  --docker-server=repo \
  --docker-username=<your-name> \
  --docker-password=<your-api-key> \
  --docker-email=<your-email>
-- John Peterson
Source: StackOverflow