 

How to pass image pull secret while using 'kubectl run' command?

I am trying to use the kubectl run command to pull an image from a private registry and run a command from it. But I don't see an option to specify an image pull secret. It looks like it is not possible to pass an image pull secret as part of the run command.

Is there any alternate option to pull a container and run a command using kubectl? The command output should be seen on the console. Also once the command finishes the pod should die.

noorul asked Oct 27 '16 15:10




2 Answers

You can use the overrides if you specify it right; it's an array in the end, which took me a bit to figure out. The below works on Kubernetes of at least 1.6:

    --overrides='{ "spec": { "template": { "spec": { "imagePullSecrets": [{"name": "your-registry-secret"}] } } } }'

For example:

    kubectl run -i -t hello-world --rm --generator=run-pod/v1 \
      --image=eu.gcr.io/your-registry/hello-world \
      --image-pull-policy="IfNotPresent" \
      --overrides='{ "spec": { "template": { "spec": { "imagePullSecrets": [{"name": "your-registry-secret"}] } } } }'
Elmar Weber answered Sep 19 '22 12:09
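
A sketch of the override approach as a reusable shell helper, added here as an example and not taken from the answer above. It assumes a kubectl where `kubectl run --restart=Never` creates a bare Pod, so `imagePullSecrets` sits directly under `spec`; the `template` shape is the one shown in the answer. The function names and the `KUBECTL` variable are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: helper names are hypothetical, not part of kubectl.

# Emit the --overrides JSON for an image pull secret.
#   $1 = secret name, $2 = "pod" (default) or "template"
# "pod" puts the field on the Pod spec; "template" nests it under
# spec.template.spec for objects that wrap a pod template.
pull_secret_overrides() {
  local secret="$1" shape="${2:-pod}"
  # Secret names are DNS-1123 subdomains. Rejecting anything else also keeps
  # quotes, braces and newlines out of the JSON assembled below.
  case "$secret" in
    ''|*[!a-z0-9.-]*|[.-]*|*[.-])
      echo "invalid secret name: $secret" >&2; return 1 ;;
  esac
  [ "${#secret}" -le 253 ] || { echo "secret name too long" >&2; return 1; }
  local pod_spec="{\"imagePullSecrets\":[{\"name\":\"$secret\"}]}"
  case "$shape" in
    pod)      printf '{"spec":%s}\n' "$pod_spec" ;;
    template) printf '{"spec":{"template":{"spec":%s}}}\n' "$pod_spec" ;;
    *)        echo "unknown shape: $shape" >&2; return 1 ;;
  esac
}

# Run one command from a private image, stream its output to the console,
# and delete the Pod when the command exits (--rm requires an attached run).
#   $1 = pod name, $2 = image, $3 = pull secret, rest = command and arguments
# Set KUBECTL="echo kubectl" to print the invocation instead of running it.
run_once() {
  local name="$1" image="$2" secret="$3" overrides
  shift 3
  overrides="$(pull_secret_overrides "$secret" pod)" || return 1
  ${KUBECTL:-kubectl} run "$name" -i --rm --restart=Never \
    --image="$image" --overrides="$overrides" -- "$@"
}
```

Because the secret is named per invocation, only the Pod started by `run_once` references the registry credentials.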


You could create the docker-registry secret as described at @MarkO'Connor's link, then add it to the default ServiceAccount. It's the SA that acts on behalf of pods, including pulling their images.

From Adding ImagePullSecrets to a service account:

    $ kubectl create secret docker-registry myregistrykey --docker-username=janedoe --docker-password=●●●●●●●●●●● [email protected]
    secret "myregistrykey" created

    $ kubectl get serviceaccounts default -o yaml > ./sa.yaml

    $ cat sa.yaml
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      creationTimestamp: 2015-08-07T22:02:39Z
      name: default
      namespace: default
      resourceVersion: "243024"
      selfLink: /api/v1/namespaces/default/serviceaccounts/default
      uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
    secrets:
    - name: default-token-uudge

    $ vi sa.yaml
    [editor session not shown]
    [delete line with key "resourceVersion"]
    [add lines with "imagePullSecret:"]

    $ cat sa.yaml
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      creationTimestamp: 2015-08-07T22:02:39Z
      name: default
      namespace: default
      selfLink: /api/v1/namespaces/default/serviceaccounts/default
      uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
    secrets:
    - name: default-token-uudge
    imagePullSecrets:
    - name: myregistrykey

    $ kubectl replace serviceaccount default -f ./sa.yaml

Now, any new pods created in the current namespace will have this added to their spec:

    spec:
      imagePullSecrets:
      - name: myregistrykey

mgoodness answered Sep 21 '22 12:09