Pull images from private repositories | Kubernetes
Ready to begin
- You must have a Kubernetes cluster, and you must configure the kubectl command line tool to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not control plane hosts.
- You can build your own cluster via Minikube, or you can use one of the following Kubernetes practice environments:
- Killercoda
- Playing with Kubernetes
- To perform this exercise, you need the
docker
command line tool and a Docker ID that you know the password for. - If you want to use a different private image repository, you need the command line tool and login information for the corresponding image repository.
Log in to the Docker image warehouse
On a personal computer, you must authenticate on the mirror repository in order to pull a private image.
Use the docker
command tool to log in to Docker Hub. Check out the log in section of Docker ID accounts for more details.
docker login # or docker login <harbor warehouse address> -u <username> -p <password> #eg docker login https://k8s-harbor.com/harbor/project
When prompted, enter your
Docker ID
and Login credentials
(access token or password for your Docker ID).
The login process creates or updates the config.json
file that holds the authorization token. See how Kubernetes parses this file.
View the config.json
file:
cat ~/.docker/config.json
Example output:
{ "auths": { "https://index.docker.io/v1/": { "auth": "c3R...zE2" } } } # use [root@rpp-vm00 ~]# cat ~/.docker/config.json { "auths": { "k8s-harbor.com": { "auth": "cm9ib3QkcGVybWlzc2lvbl9wcm8rcHJvcm9ib3Q6ZTlwTVNhNTNmWjA4MUU4dFZJV1hJM3BtUmlveVhUNXo=" } } }
Description:
When using the Docker credential repository, you will not see
auth
entry, you will see the warehouse name as the value
credsStore
entry. At this point, you can create the Secret directly. See
Provide the credentials on the command line to create the secret.
Pull image configuration from Harbor non-public warehouse
Create a private image warehouse in Harbor, configure the relevant robot account, obtain the username and password of the robot account, and then configure it in Step 4
or Step 5
.
3.1 Create a private project repository
3.2 Create a robot account
Create a robot account and set permissions and associated projects.
3.3 Create an internal robot account for the project
In addition to creating a global robot account, you can also create a robot account within the project. This robot account is only valid for this project:
3.4 Save robot account access credentials
Regardless of whether the robot account is created in chapter 5.2
or 5.3
, the access credentials of the account will pop up after the creation is completed. Examples of the content are as follows:
Among them, name
is the user name, and the password is secret
:
{ "creation_time":"2023-10-30T03:50:21.260Z", "expires_at":-1, "id":4, "name":"robot$permission_pro + prorobot", // username "secret":"e9pMSa53fZ081E8tVIWXI3pmRioyXT5z" // Password }
Method 1: Creategeneric
based on existing credentials Secret
Kubernetes uses the kubernetes.io/dockerconfigjson
type of Secret to authenticate the image warehouse and pull the image.
Run the previous docker login
command and copy the credentials in ~/.docker/config.json
to Kubernetes:
kubectl create secret generic regcred \ --from-file=.dockerconfigjson=<path/to/.docker/config.json> \ --type=kubernetes.io/dockerconfigjson
More settings (for example, setting a namespace or label for a new Secret) can be customized. But it must:
- Set the name in the data item to
.dockerconfigjson
- Encode the Docker configuration file using base64 encoding and paste the contents of that string as the value of the field
data[".dockerconfigjson"]
- Set
type
tokubernetes.io/dockerconfigjson
Example:
apiVersion: v1 Kind: Secret metadata: name: myregistrykey namespace: awesomeapps data: .dockerconfigjson: UmVhbGx5IHJlYWxseSByZWVlZWVlZWVlZWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGx5eXl5eXl5eXl5eXl 5eXl5eXl5eSBsbGxsbGxsbGxsbGxsbG9vb29vb29vb29vb29vb29vb29vb29vb29vb25ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubmdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2cgYXV0aCBrZX lzCg== type: kubernetes.io/dockerconfigjson
If you receive the error message: error: no objects passed to create
, this probably means that the base64-encoded string is invalid. If you receive an error message like Secret "myregistrykey" is invalid:
data[.dockerconfigjson]: invalid value ...
then it means The base64 encoded string in the data was successfully decoded, but could not be parsed into a .docker/config.json
file.
(use) Method 2: Create docker-registry
type Secret through the command line
Create a Secret named regcred
:
kubectl create secret docker-registry regcred \ --docker-server=<your image repository server> \ --docker-username=<your username> \ --docker-password=<your password> \ --docker-email=<your email address> # use '$' is a special character and needs to be escaped with '' kubectl create secret docker-registry k8s-harbor-secret \ --docker-server=https://k8s-harbor.com \ --docker-username="robot\$permission_pro + prorobot" \ --docker-password="e9pMSa53fZ081E8tVIWXI3pmRioyXT5z" \ [email protected] ========================= Reference======================== === kubectl edit secret/k8s-harbor-secret kubectl get secret k8s-harbor-secret --output=yaml kubectl delete secret k8s-harbor-secret kubectl get secret kubectl get secret k8s-harbor-secret \ --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode
Parameter explanation:
The fully qualified domain name (FQDN) of your private Docker repository. DockerHub useshttps://index.docker.io/v1/
.
Docker username.
Docker password.
Docker email.
Description:
On the command line type
Secret
may be stored in the shell history without protection, and these Secret information may also be stored in the shell history.
Visible to other users on the PC whilekubectl
is running.
Check Secret
View the regcred created above in YAML format:
kubectl get secret regcred --output=yaml # use kubectl get secret k8s-harbor-secret --output=yaml
The output is similar to the following:
apiVersion: v1 Kind: Secret metadata: ... name:regcred ... data: .dockerconfigjson: eyJodHRwczovL2luZGV4L ... J0QUl6RTIifX0= type: kubernetes.io/dockerconfigjson
The value of the .dockerconfigjson
field is the base64 representation of the Docker credentials.
Convert Secret data to readable format:
kubectl get secret regcred \ --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode # use kubectl get secret k8s-harbor-secret \ --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode
The output is similar to the following:
{ "auths":{ "your.private.registry.example.com": { "username":"janedoe", "password":"xxxxxxxxxxx", "email":"[email protected]", "auth":"c3R...zE2" } } }
View the contents of the auth
field and decode the base64-encoded data:
echo "c3R...zE2" | base64 --decode
In the output, the username and password are linked with :
, similar to the following:
janedoe:xxxxxxxxxxx
Note that the Secret data contains the authorization token similar to the local ~/.docker/config.json
file.
Create a Pod that applies Secret
Here is an example pod configuration manifest where the pod accesses Docker credentials regcred
:
pods/private-reg-pod.yaml
apiVersion: v1 Kind: Pod metadata: name: private-reg spec: containers: - name: private-reg-container image: <your-private-image> # Mirror path of private warehouse imagePullSecrets: # Get credentials from Secret - name: regcred
download file:
curl -L -o my-private-reg-pod.yaml https://k8s.io/examples/pods/private-reg-pod.yaml
The imagePullSecrets
field configures the credentials of the warehouse image. regcred
obtains credentials from the Secret named regcred
.
Create a Pod and check if it is running normally:
kubectl apply -f my-private-reg-pod.yaml kubectl get pod private-reg
Description:
To use an image to pull Secrets for a Pod (or Deployment, or other object with a Pod template), you need to ensure that the appropriate Secret actually exists in the correct namespace. The namespace
used when defining the Pod is used.
Additionally, if the Pod fails to start with status ImagePullBackOff
, view the Pod events:
kubectl describe pod private-reg
If the error FailedToRetrieveImagePullSecret
is reported, it means that Kubernetes cannot find the Secret
with the relevant name (regcred
in this example).
Make sure the Secret exists and its name is spelled correctly. The following is an example of an error:
Events: ... Reason ... Message ------ ------- ... FailedToRetrieveImagePullSecret ... Unable to retrieve some image pull secrets (<regcred>); attempting to pull the image may not succeed.
Create a Deployment that applies Secret
Deployment
configuration manifest example, Deployment
access Docker credentials regcred
:
apiVersion: apps/v1 # Version kind: Deployment # type metadata: # Deployment metadata name: springboot-docker2-dp # Deployment name namespace: my-namespace-100 labels: # label app: springboot-docker2-pod # Selector, used to match the label of the Pod to ensure that the Pod belongs to the Deployment spec: # Pod information replicas: 3 # Number of replicas of Pod selector: # Tag selector matchLabels: # Selector, used to match the labels of the Pod to ensure that the Pod belongs to the Deployment app: springboot-docker2-pod # app=springboot-docker2 template: # Pod template information, create Pod based on template information metadata: # Pod metadata labels: # The label of the Pod, matches the label in the Selector to ensure that the Pod belongs to the Deployment app: springboot-docker2-pod # Tag app=springboot-docker2 spec: # Container information containers: # container - name: springboot-docker2 # Container name image: k8s-harbor.com/permission_pro/spring-boot-docker2:0.0.1-SNAPSHOT ports: # port - containerPort: 8600 # The port exposed by the container name: business-port - containerPort: 8800 name: actuator-port imagePullSecrets: # Get credentials from Secret - name: k8s-harbor-secret
View running status:
vi springboot-docker2-dp-secret-svc-ingress.yml kubectl apply -f springboot-docker2-dp-secret-svc-ingress.yml kubectl delete -f springboot-docker2-dp-secret-svc-ingress.yml kubectl getpod kubectl describe pod springboot-docker2-dp-697ccf7c7c-7zntd scp -r 192.168.31.55:/etc/docker/certs.d/k8s-harbor.com /etc/containerd/certs.d/ crictl pull k8s-harbor.com/permission_pro/spring-boot-docker2:0.0.1-SNAPSHOT docker pull k8s-harbor.com/permission_pro/spring-boot-docker2:0.0.1-SNAPSHOT scp 192.168.31.151:/usr/local/ssl/{server.crt,server.key,myCA.cer} . scp 192.168.31.151:/usr/local/ssl/{myCA.crt,server.cert} . insecure_skip_verify = false $. systemctl restart containerd $.systemctl status containerd kubectl get deploy kubectl get deploy springboot-docker2-dp kubectl get pod private-reg