I am trying to use kubectl run command to pull an image from private registry and run a command from that. But I don't see an option to specify image pull secret. It looks like it is not possible to pass image secret as part for run command.
Is there any alternate option to pull a container and run a command using kubectl? The command output should be seen on the console. Also once the command finishes the pod should die.
Create a Pod that uses your Secret To pull the image from the private registry, Kubernetes needs credentials. The imagePullSecrets field in the configuration file specifies that Kubernetes should get the credentials from a Secret named regcred .
An imagePullSecrets is an authorization token, also known as a secret, that stores Docker credentials that are used for accessing a registry. The imagePullSecrets can be used when installing software that requires entitlement.
kubectl run − Run command has the capability to run an image on the Kubernetes cluster. kubectl scale − It will scale the size of Kubernetes Deployments, ReplicaSet, Replication Controller, or job. kubectl set image − It updates the image of a pod template.
You can use the overrides if you specify it right, it's an array in the end, that took me a bit to figure out, the below works on Kubernetes of at least 1.6:
--overrides='{ "spec": { "template": { "spec": { "imagePullSecrets": [{"name": "your-registry-secret"}] } } } }'
for example
kubectl run -i -t hello-world --rm --generator=run-pod/v1 \ --image=eu.gcr.io/your-registry/hello-world \ --image-pull-policy="IfNotPresent" \ --overrides='{ "spec": { "template": { "spec": { "imagePullSecrets": [{"name": "your-registry-secret"}] } } } }'
You could create the docker-registry
secret as described at @MarkO'Connor's link, then add it to the default ServiceAccount. It's the SA that acts on the behalf of pods, including pulling their images.
From Adding ImagePullSecrets to a service account:
$ kubectl create secret docker-registry myregistrykey --docker-username=janedoe --docker-password=●●●●●●●●●●● [email protected] secret "myregistrykey" created $ kubectl get serviceaccounts default -o yaml > ./sa.yaml $ cat sa.yaml apiVersion: v1 kind: ServiceAccount metadata: creationTimestamp: 2015-08-07T22:02:39Z name: default namespace: default resourceVersion: "243024" selfLink: /api/v1/namespaces/default/serviceaccounts/default uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6 secrets: - name: default-token-uudge $ vi sa.yaml [editor session not shown] [delete line with key "resourceVersion"] [add lines with "imagePullSecret:"] $ cat sa.yaml apiVersion: v1 kind: ServiceAccount metadata: creationTimestamp: 2015-08-07T22:02:39Z name: default namespace: default selfLink: /api/v1/namespaces/default/serviceaccounts/default uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6 secrets: - name: default-token-uudge imagePullSecrets: - name: myregistrykey $ kubectl replace serviceaccount default -f ./sa.yaml
Now, any new pods created in the current namespace will have this added to their spec:
spec: imagePullSecrets: - name: myregistrykey
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With