What I have
I have used Kube secrets for private Docker registry authentication in the default
namespace. That works as expected. For example:
    $ kubectl get secret regsecret
    NAME        TYPE                             DATA   AGE
    regsecret   kubernetes.io/dockerconfigjson   1      30m

Which is referenced in my deployment.yml as shown in the snippet below:

    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: nginx
    spec:
      replicas: 1
      template:
        ...
        spec:
          containers:
          - name: bootstrap-nginx
            image: quay.io/example/nginx:latest
            ...
          imagePullSecrets:
          - name: regsecret
Here's my question
I need to create the regsecret above in a namespace, for example, myns as shown below:

    $ kubectl get secret regsecret --namespace=myns
    NAME        TYPE                             DATA   AGE
    regsecret   kubernetes.io/dockerconfigjson   1      30m

With this, how do I reference regsecret from myns namespace into my deployment spec? If I use imagePullSecrets as shown above, it fails saying that Kubernetes could not pull the image (the secret regsecret could not be found). Is there a way to reference "fully qualified" secret name in imagePullSecrets?
Secrets are namespaced objects, that is, exist in the context of a specific namespace. You can access them via a volume or an environment variable from a container running in a pod.
Create a Secret by providing credentials on the command line. <your-registry-server> is your Private Docker Registry FQDN. Use https://index.docker.io/v1/ for DockerHub. <your-name> is your Docker username. <your-pword> is your Docker password.
Kubernetes Secrets are, by default, stored unencrypted in the API server's underlying data store (etcd). Anyone with API access can retrieve or modify a Secret, and so can anyone with access to etcd.
By design, there is no way to accomplish this. You will need to create the regsecret in the same namespace where your Deployment is.
ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. For example, in the case of docker, only DockerConfig type secrets are honored.
See also: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
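Since the secret has to exist in the Deployment's namespace, one way to get it there is to re-home the existing object. The following is an added example, not part of the original answer: a small filter that takes the JSON of a kubernetes.io/dockerconfigjson Secret, checks the payload without printing it, drops server-populated metadata and sets the target namespace. The function names and the sample secret are constructed for illustration.

```python
import base64
import json
import sys

PULL_SECRET_TYPE = "kubernetes.io/dockerconfigjson"
# Server-populated metadata that must not be carried into the copy.
SERVER_FIELDS = ("namespace", "uid", "resourceVersion", "creationTimestamp",
                 "selfLink", "managedFields", "ownerReferences")


def clone_pull_secret(secret: dict, target_ns: str) -> dict:
    """Return a copy of an image pull Secret re-homed into target_ns."""
    if secret.get("kind") != "Secret" or secret.get("type") != PULL_SECRET_TYPE:
        raise ValueError("not a %s Secret" % PULL_SECRET_TYPE)
    blob = secret.get("data", {}).get(".dockerconfigjson")
    if not blob:
        raise ValueError("missing .dockerconfigjson key")
    # Validate the payload without printing it: base64 -> JSON with "auths".
    try:
        config = json.loads(base64.b64decode(blob, validate=True))
    except ValueError as exc:  # binascii.Error and JSONDecodeError are ValueErrors
        raise ValueError("payload is not base64-encoded JSON") from exc
    if not isinstance(config, dict) or not config.get("auths"):
        raise ValueError("docker config has no registry entries under 'auths'")
    meta = {k: v for k, v in secret.get("metadata", {}).items()
            if k not in SERVER_FIELDS}
    meta.pop("annotations", None)  # drops kubectl's last-applied copy of the secret
    meta["namespace"] = target_ns
    return {"apiVersion": "v1", "kind": "Secret", "type": PULL_SECRET_TYPE,
            "metadata": meta, "data": {".dockerconfigjson": blob}}


def constructed_sample() -> dict:
    """Constructed sample shaped like `kubectl get secret regsecret -o json`."""
    cfg = {"auths": {"quay.io": {"auth": base64.b64encode(b"user:example").decode()}}}
    return {"apiVersion": "v1", "kind": "Secret", "type": PULL_SECRET_TYPE,
            "metadata": {"name": "regsecret", "namespace": "default",
                         "uid": "constructed-uid", "resourceVersion": "12345"},
            "data": {".dockerconfigjson":
                     base64.b64encode(json.dumps(cfg).encode()).decode()}}


if __name__ == "__main__":
    # Reads a Secret from stdin when piped, else uses the constructed sample.
    src = constructed_sample() if sys.stdin.isatty() else json.load(sys.stdin)
    json.dump(clone_pull_secret(src, sys.argv[1] if len(sys.argv) > 1 else "myns"),
              sys.stdout, indent=2)
```

Saved under a name of your choosing (clone_pull_secret.py here is hypothetical), it can sit between `kubectl get secret regsecret -o json` and `kubectl apply -f -`, with the target namespace as its argument. The Deployment then keeps `imagePullSecrets: - name: regsecret` unchanged, provided the Deployment itself is created in myns.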