How to pass image pull secret while using 'kubectl run' command?

Question

I am trying to use kubectl run command to pull an image from private registry and run a command from that. But I don\'t see an option to specify image pull secret. It looks

Answer 1

As far as I know you cannot, but you can use kubectl run nginx --image=nginx --overrides='{ "apiVersion": "v1", "spec": { ... } }' , but this is not very different from what you can do with kubectl create -f mypod.json

What I think you're after is not a Pod but a Job, for example, if you need to populate a database, you can create a container that does that, and run it as a job instead of a pod or replica set.

Kubectl run ... creates deploymentorjob` objects. Jobs finish when the pod execution terminates and you can check the logs.

Take a look here and here for the termination

Answer 2

Usually when you need kubectl it's because you're testing something temporary, in a namespace that already has the docker registry secret to access the private registry. So the simplest is to edit the default service account to give it the pull secret to use when a pull secret is not present (which will be the case for kubectl run):

kubectl edit serviceaccount default

The edit will show something similar to this:

apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2019-04-16T14:48:17Z"
  name: default
  namespace: integration-testing
  resourceVersion: "60516585"
  selfLink: /api/v1/namespaces/integration-testing/serviceaccounts/default
  uid: ab7b767d-6056-11e9-bba8-0ecf3bdac4a0
secrets:
- name: default-token-4nnk4

Just append an imagePullSecrets:

imagePullSecrets:
- name: <name-of-your-docker-registry-password-secret>

so it will look like this:

apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2019-04-16T14:48:17Z"
  name: default
  namespace: integration-testing
  resourceVersion: "60516585"
  selfLink: /api/v1/namespaces/integration-testing/serviceaccounts/default
  uid: ab7b767d-6056-11e9-bba8-0ecf3bdac4a0
secrets:
- name: default-token-4nnk4
imagePullSecrets:
- name: <name-of-your-docker-registry-password-secret>

Say name is YOUR_PWD_SECRET, then this secret must exist in the kubectl context's namespace:

tooluser:/host $ kubectl get secret YOUR_PWD_SECRET
NAME              TYPE                             DATA   AGE
YOUR_PWD_SECRET   kubernetes.io/dockerconfigjson   1      186d

If it doesn't exist you must create it, either from scratch or copy it from another namespace (best way to do that is answer by NicoKowe at https://stackoverflow.com/a/58235551/869951).

With a secret holding your docker registry password, the secret in the same namespace where the kubectl run will execute, and with a default service account that lists the secret as imagePullSecrets, the kubectl run will work.

Answer 3

I have reslove the problem by kubectl run nginx--image=nginx --overrides='{"apiVersion": "apps/v1", "spec": {"template":{"spec":{"imagePullSecrets": [{"name": "secret-name"}]}}}}'

Answer 4

Please try the following command:

kubectl run nginx--image=nginx --overrides='{"apiVersion": "apps/v1", 
"spec": {"template":{"spec":{"imagePullSecrets": [{"name": "secret-name"}]}}}}'

Answer 5

You can use the overrides if you specify it right, it's an array in the end, that took me a bit to figure out, the below works on Kubernetes of at least 1.6:

--overrides='{ "spec": { "template": { "spec": { "imagePullSecrets": [{"name": "your-registry-secret"}] } } } }'

for example

kubectl run -i -t hello-world --rm --generator=run-pod/v1 \
--image=eu.gcr.io/your-registry/hello-world \
--image-pull-policy="IfNotPresent" \
--overrides='{ "spec": { "template": { "spec": { "imagePullSecrets": [{"name": "your-registry-secret"}] } } } }'

Answer 6

On Windows, you can do patch, but as it shows a JSON error, you have to do this trick (using PowerShell):

> $imgsec=  '{"imagePullSecrets": [{"name": "myregistrykey"}]}' | ConvertTo-Json
> kubectl patch serviceaccount default -p $imgsec

Also , if you want to update/ append imagePullSecret , then you should be using something like this :

> $imgsec=  '[{"op":"add","path":"/imagePullSecrets/-","value":{"name":"myregistrykey2"}}]' | ConvertTo-Json

> kubectl patch serviceaccount default --type='json' -p  $imgsec

.