Automatically use secret when pulling from private registry

渐次进展 2021-01-01 23:34

Is it possible to globally (or at least per namespace) configure Kubernetes to always use an image pull secret when connecting to a private repo? There are two use cases:

2 answers
  •  挽巷 (original poster)
    2021-01-01 23:47

    As far as I know, usually the default serviceAccount is responsible for pulling the images. To easily add imagePullSecrets to a serviceAccount you can use the patch command:

    kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "mySecret"}]}'
    

    It's possible to use kubectl patch in a script that inserts imagePullSecrets on serviceAccounts across all namespaces.

    If it's too complicated to manage multiple namespaces, you can have a look at kubernetes-replicator, which syncs resources between namespaces.

    Solution 2:
    This section of the doc explains how you can set the private registry on a node basis:

    Here are the recommended steps to configuring your nodes to use a private registry. In this example, run these on your desktop/laptop:

    1. Run docker login [server] for each set of credentials you want to use. This updates $HOME/.docker/config.json.
    2. View $HOME/.docker/config.json in an editor to ensure it contains just the credentials you want to use.
    3. Get a list of your nodes, for example:

      • If you want the names:
        nodes=$(kubectl get nodes -o jsonpath='{range.items[*].metadata}{.name} {end}')

      • If you want to get the IPs:
        nodes=$(kubectl get nodes -o jsonpath='{range .items[*].status.addresses[?(@.type=="ExternalIP")]}{.address} {end}')

    4. Copy your local .docker/config.json to one of the search paths listed above. For example:

      for n in $nodes; do scp ~/.docker/config.json root@$n:/var/lib/kubelet/config.json; done

    Solution 3:
    A (very dirty!) way I discovered to not need to set up an imagePullSecret on a deployment / serviceAccount basis is to:

    1. Set imagePullPolicy: IfNotPresent
    2. Pull the image on each node
      2.1. manually using docker pull myrepo/image:tag.
      2.2. using a script or a tool like docker-puller to automate that process.

    Well, I think I don't need to explain how ugly that is.

    PS: If it helps, I found an issue on kubernetes/kops about the feature of creating a global configuration for private registry.
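
The cross-namespace `kubectl patch` script mentioned in the first solution above, written out as an added example that is not part of the original answer. The secret name `regcred`, the `KUBECTL` override and the function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original answer): attach an existing image pull
# secret to the "default" ServiceAccount of every namespace.
SECRET_NAME="${SECRET_NAME:-regcred}"  # assumed placeholder name
KUBECTL="${KUBECTL:-kubectl}"          # hypothetical override, lets the logic run against a stub

# Emit the patch body used by the answer's kubectl patch command.
# Character check only: refuse names outside a-z, 0-9, '.' and '-' so that
# nothing unexpected is interpolated into the JSON.
build_patch() {
  case "$1" in
    ''|*[!a-z0-9.-]*) echo "invalid secret name: $1" >&2; return 1 ;;
  esac
  printf '{"imagePullSecrets": [{"name": "%s"}]}' "$1"
}

# patch_namespace <namespace> <secret>
# Secrets are namespaced, so a reference to a secret that is missing from the
# namespace cannot authenticate any pull; skip those namespaces instead.
patch_namespace() {
  _patch="$(build_patch "$2")" || return 2
  if ! "$KUBECTL" get secret "$2" -n "$1" >/dev/null 2>&1; then
    echo "skip $1: secret $2 not found" >&2
    return 1
  fi
  "$KUBECTL" patch serviceaccount default -n "$1" -p "$_patch" >&2
}

# patch_all_namespaces <secret>: prints how many namespaces were patched.
patch_all_namespaces() {
  build_patch "$1" >/dev/null || return 2
  _count=0
  for _ns in $("$KUBECTL" get namespaces -o jsonpath='{.items[*].metadata.name}'); do
    if patch_namespace "$_ns" "$1"; then _count=$((_count + 1)); fi
  done
  echo "$_count"
}

# Only touch the cluster when asked to explicitly.
if [ "${1:-}" = "--apply" ]; then
  patch_all_namespaces "$SECRET_NAME"
fi
```

Once patched, every pod that runs under the `default` ServiceAccount in a namespace pulls with that credential, so the registry account behind it should be read-only and scoped to the images those namespaces need.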
