What I have
I have used Kube secrets for private Docker registry authentication in the default namespace. That works as expected. For example:
$ kubectl get secret regsecret
NAME        TYPE                             DATA   AGE
regsecret   kubernetes.io/dockerconfigjson   1      30m
Which is referenced in my deployment.yml as shown in the snippet below:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  template:
    ...
    spec:
      containers:
      - name: bootstrap-nginx
        image: quay.io/example/nginx:latest
        ...
      imagePullSecrets:
      - name: regsecret
Here's my question
I need to create the regsecret above in a namespace, for example, myns as shown below:
$ kubectl get secret regsecret --namespace=myns
NAME        TYPE                             DATA   AGE
regsecret   kubernetes.io/dockerconfigjson   1      30m
With this, how do I reference regsecret from the myns namespace in my deployment spec? If I use imagePullSecrets as shown above, it fails saying that Kubernetes could not pull the image (the secret regsecret could not be found). Is there a way to reference a "fully qualified" secret name in imagePullSecrets?
Secrets are namespaced objects, that is, they exist in the context of a specific namespace. You can access them via a volume or an environment variable from a container running in a pod.
Create a Secret by providing credentials on the command line. <your-registry-server> is your private Docker registry FQDN (use https://index.docker.io/v1/ for DockerHub). <your-name> is your Docker username. <your-pword> is your Docker password.
Kubernetes Secrets are, by default, stored unencrypted in the API server's underlying data store (etcd). Anyone with API access can retrieve or modify a Secret, and so can anyone with access to etcd.
By design, there is no way to accomplish this. You will need to create the regsecret in the same namespace where your Deployment is.
ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. For example, in the case of docker, only DockerConfig type secrets are honored.
See also: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
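Since the Secret has to exist in the Deployment's own namespace, one way to get it there is to re-target an export of the existing one. The script below is an added example, not part of the original answer: the function names and the sample Secret are constructed for illustration, and the real input is assumed to come from `kubectl get secret regsecret -o json`, with the output piped to `kubectl apply -f -`.

```python
import base64
import json

# Server-populated metadata that must not be carried into the copy.
SERVER_FIELDS = ("namespace", "resourceVersion", "uid", "creationTimestamp",
                 "selfLink", "managedFields", "ownerReferences")
PULL_SECRET_TYPE = "kubernetes.io/dockerconfigjson"


def retarget_pull_secret(secret: dict, namespace: str) -> dict:
    """Return a copy of an exported pull Secret, ready to apply in `namespace`."""
    if secret.get("kind") != "Secret" or secret.get("type") != PULL_SECRET_TYPE:
        raise ValueError("not a %s Secret" % PULL_SECRET_TYPE)
    encoded = secret.get("data", {}).get(".dockerconfigjson")
    if not encoded:
        raise ValueError("missing .dockerconfigjson key")
    # Fail early on a corrupt payload instead of at image-pull time.
    config = json.loads(base64.b64decode(encoded, validate=True))
    if not config.get("auths"):
        raise ValueError("docker config has no 'auths' entries")
    metadata = {k: v for k, v in secret["metadata"].items() if k not in SERVER_FIELDS}
    # Drop annotations: kubectl's last-applied-configuration annotation, when
    # present, embeds the old manifest, credentials and old namespace included.
    metadata.pop("annotations", None)
    metadata["namespace"] = namespace
    return {"apiVersion": "v1", "kind": "Secret", "type": PULL_SECRET_TYPE,
            "metadata": metadata, "data": {".dockerconfigjson": encoded}}


def sample_export() -> dict:
    """Constructed stand-in for `kubectl get secret regsecret -o json`."""
    auth = base64.b64encode(b"user:not-a-real-password").decode()
    config = {"auths": {"quay.io": {"auth": auth}}}
    return {
        "apiVersion": "v1", "kind": "Secret", "type": PULL_SECRET_TYPE,
        "metadata": {"name": "regsecret", "namespace": "default",
                     "uid": "00000000-0000-0000-0000-000000000000",
                     "resourceVersion": "12345",
                     "creationTimestamp": "2018-01-01T00:00:00Z"},
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(config).encode()).decode()},
    }


if __name__ == "__main__":
    # Pipe this output into `kubectl apply -f -` to create the copy in myns.
    print(json.dumps(retarget_pull_secret(sample_export(), "myns"), indent=2))
```

The Deployment in myns then keeps `imagePullSecrets: - name: regsecret` unchanged, because the name now resolves inside its own namespace.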