
Are multiple imagePullSecrets allowed and used by Kubernetes to pull an image from a private registry?

I have a private registry (GitLab) where my Docker images are stored. For deployment, a secret is created that allows GKE to access the registry. The secret is called deploy-secret. The secret's login information expires after a short time in the registry.

I additionally created a second, permanent secret that allows access to the Docker registry, named permanent-secret.

Is it possible to specify the Pod with two secrets? For example:

apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    image: <your-private-image>
  imagePullSecrets:
  - name: deploy-secret
  - name: permanent-secret

Will Kubernetes, when trying to re-pull the image later, recognize that the first secret does not work (does not allow authentication to the private registry) and then fall back successfully to the second secret?

sceee asked Feb 15 '19 21:02



1 Answer

Surprisingly this works! I just tried this on my cluster. I added a fake registry credentials secret with the wrong values. I put both secrets in my YAML like you did (below), and the pods got created and the container is created and running successfully:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  labels:
    app: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      nodeSelector:
      containers:
      - image: gitlab.myapp.com/my-image:tag
        name: test
        ports:
        - containerPort: 80
      imagePullSecrets:
      - name: regcred-test
      - name: regcred

The regcred secret has the correct values and the regcred-test is just a bunch of gibberish. So we can see that it ignores the incorrect secret.

cookiedough answered Oct 17 '22 08:10
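
The fall-through the answer observed, modelled as an added example (not code from the post or from Kubernetes): each listed secret is decoded from its `kubernetes.io/dockerconfigjson` form, the entries for the image's registry host are tried in order, and the rejected ones are reported so a stale credential can be rotated or removed. The secret contents, the `deploy`/`valid-token` pair and `registry_accepts` (a stand-in for the registry's auth check) are constructed assumptions.

```python
import base64
import json

def make_secret(name, registry, user, password):
    """Build a constructed kubernetes.io/dockerconfigjson Secret as a dict."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    cfg = json.dumps({"auths": {registry: {"auth": auth}}})
    return {"metadata": {"name": name},
            "type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": base64.b64encode(cfg.encode()).decode()}}

def credentials_for(image, pull_secret_names, secrets):
    """Return (secret name, user, password) for every listed secret that has
    an entry for the image's registry host, in the order the Pod lists them."""
    host = image.split("/", 1)[0]
    found = []
    for name in pull_secret_names:
        secret = secrets.get(name)
        if secret is None or secret["type"] != "kubernetes.io/dockerconfigjson":
            continue  # missing or non-registry secret: nothing to offer
        cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
        for registry, entry in cfg.get("auths", {}).items():
            reg_host = registry.split("://", 1)[-1].split("/", 1)[0]
            if reg_host == host:
                # Only the combined "auth" field (base64 of user:password) is read here.
                user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
                found.append((name, user, password))
    return found

def simulate_pull(image, pull_secret_names, secrets, registry_accepts):
    """Try each matching credential in turn; return (winning secret, rejected secrets)."""
    rejected = []
    for name, user, password in credentials_for(image, pull_secret_names, secrets):
        if registry_accepts(user, password):
            return name, rejected
        rejected.append(name)
    return None, rejected

# Constructed sample data mirroring the two secrets in the answer above.
SECRETS = {s["metadata"]["name"]: s for s in (
    make_secret("regcred-test", "gitlab.myapp.com", "bogus", "gibberish"),
    make_secret("regcred", "gitlab.myapp.com", "deploy", "valid-token"),
)}
IMAGE = "gitlab.myapp.com/my-image:tag"
accepts = lambda user, password: (user, password) == ("deploy", "valid-token")

if __name__ == "__main__":
    print(simulate_pull(IMAGE, ["regcred-test", "regcred"], SECRETS, accepts))
```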