K8S: How to Create Pull Secrets
Prerequisites:
Before you see how to perform the above two steps, ensure you have the following prerequisites:
- Access to a container registry.
- The kubectl command-line tool configured to communicate with your cluster using your cluster’s KUBECONFIG configuration file.
in Kubernetes, a node’s Kubelet and container runtime manage the containerized workloads. The Kubelet ensures containers are running and communicates with the container runtime how those containers should run.
When you create a deployment, the Kubelet reads the PodSpec (a YAML or JSON object that describes a Pod) and then instructs the container runtime using the CRI (Container Runtime Interface) to spin up containers to satisfy that spec.
The container runtime pulls the image from the specified container registry and runs it. If you don’t specify a container registry hostname, Kubernetes will assume the image is in the Default Docker Registry.
Create the Secret
via kubectl
To create the Secret, in your terminal window, run the following command:
$ kubectl create secret docker-registry <secret_name> \
--docker-server='<your_registry_url>' \
--docker-username='<your_registry_username>' \
--docker-password='<your_registry_auth_password>' \
--docker-email='<your_email_address>'
-n <namespace>
In the above command:
<secret_name>
will be the Secret name of your choice, for example, registry-secret. You will use the name when referring to the Secret in your resource manifest file.<your_registry_url>
will be the URL to your container Registry. In most cases, it will include the region it is hosted in. For example, if your container registry is Amazon ECR, your registry URL will take the following form: <aws_account_id>.dkr.ecr.<aws_region>.amazonaws.com.<your_registry_username>
will be your username when accessing the container registry.<your_registry_auth_password>
will be the password to your username.<your_email_address>
will be your email address.<namespace>
- kubernetes namespace were secret will be created
via resource file
- To create the kuberntes secret resource
secret.yaml
, in your terminal window, run the following command:
$ kubectl create secret docker-registry <secret_name> \
--docker-server='<your_registry_url>' \
--docker-username='<your_registry_username>' \
--docker-password='<your_registry_auth_password>' \
--docker-email='<your_email_address>' \
-n <namespace> \
--dry-run=client \
-o yaml > secret.yaml
- You will get secret.yaml with encoded in base64 content
## secret.yaml
apiVersion: v1
data:
.dockerconfigjson: eyJhdXRocyI6eyJ5b3VewyX3JlZ2lzdHJ5X3VybCI6eyJ1c2VybmFtZSI6InlvdXJfcmVnaXN0cnlfdXNlcm5hbWUiLCJwYXNzd29yZCwewI6InlvdXJfcmVnaXN0cnlfYXV0aF9wYXNzd29yZCIsImVtYWlsIjoieW91cl9lbWFpbF9hZGRyZXNzIiwiYXV0fdjbDl5WldkcGMzUnllVjkxYzJWeWJtRnRaVHA1YjNWeVgzSmxaMmx6ZEhKNVgyRjFkR2hmY0dGemMzZHZjbVE9In19fQ==
kind: Secret
metadata:
creationTimestamp: null
name: regcred
namespace: namespace
type: kubernetes.io/dockerconfigjson
- Create secret in kubernetes
$ kubectl apply -f secret.yaml
Update Kubernetes deployment by pull secret
Add pull secrets into .spec.template.spec
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
labels:
app: nginx
spec:
selector:
matchLabels:
app: nginx
replicas: 1
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: nginx
spec:
imagePullSecrets: # Put there
- name: regcred
containers:
- name: iam
image: my-registry/nginx:latest
imagePullPolicy: Always
...