Edit This Page

Pull an Image from a Private Registry

This page shows how to create a Pod that uses a Secret to pull an image from a private Docker registry or repository.

• Before you begin
• Log in to Docker
• Create a Secret that holds your authorization token
• Understanding your Secret
• Create a Pod that uses your Secret
• What’s next

Before you begin

• You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using Minikube, or you can use one of these Kubernetes playgrounds:

• Katacoda
• Play with Kubernetes

To check the version, enter kubectl version.

• To do this exercise, you need a Docker ID and password.

Log in to Docker

docker login

When prompted, enter your Docker username and password.

The login process creates or updates a config.json file that holds an authorization token.

View the config.json file:

cat ~/.docker/config.json

The output contains a section similar to this:

{
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": "c3R...zE2"
        }
    }
}

Note: If you use a Docker credentials store, you won’t see that auth entry but a credsStore entry with the name of the store as value.

Create a Secret that holds your authorization token

Create a Secret named regsecret:

kubectl create secret docker-registry regsecret --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>

where:

• <your-registry-server> is your Private Docker Registry FQDN.
• <your-name> is your Docker username.
• <your-pword> is your Docker password.
• <your-email> is your Docker email.

Understanding your Secret

To understand what’s in the Secret you just created, start by viewing the Secret in YAML format:

kubectl get secret regsecret --output=yaml

The output is similar to this:

apiVersion: v1
data:
  .dockercfg: eyJodHRwczovL2luZGV4L ... J0QUl6RTIifX0=
kind: Secret
metadata:
  ...
  name: regsecret
  ...
type: kubernetes.io/dockercfg

The value of the .dockercfg field is a base64 representation of your secret data.

Copy the base64 representation of the secret data into a file named secret64.

Important: Make sure there are no line breaks in your secret64 file.

To understand what is in the .dockercfg field, convert the secret data to a readable format:

base64 -d secret64

The output is similar to this:

{"yourprivateregistry.com":{"username":"janedoe","password":"xxxxxxxxxxx","email":"jdoe@example.com","auth":"c3R...zE2"}}

Notice that the secret data contains the authorization token from your config.json file.

Create a Pod that uses your Secret

Here is a configuration file for a Pod that needs access to your secret data:

private-reg-pod.yaml
apiVersion: v1 kind: Pod metadata: name: private-reg spec: containers: - name: private-reg-container image: <your-private-image> imagePullSecrets: - name: regsecret

Download the above file:

wget -O my-private-reg-pod.yaml https://k8s.io/docs/tasks/configure-pod-container/private-reg-pod.yaml

In file my-private-reg-pod.yaml, replace <your-private-image> with the path to an image in a private repository.

Example Docker Hub private image:

janedoe/jdoe-private:v1

To pull the image from the private repository, Kubernetes needs credentials. The imagePullSecrets field in the configuration file specifies that Kubernetes should get the credentials from a Secret named regsecret.

Create a Pod that uses your Secret, and verify that the Pod is running:

kubectl create -f my-private-reg-pod.yaml
kubectl get pod private-reg

What’s next

• Learn more about Secrets.
• Learn more about using a private registry.
• See kubectl create secret docker-registry.
• See Secret
• See the imagePullSecrets field of PodSpec.