Automatically use secret when pulling from private registry

醉酒当歌 submitted on 2019-12-04 18:18:03

Question


Is it possible to globally (or at least per namespace), configure kubernetes to always use an image pull secret when connecting to a private repo? There are two use cases:

  1. when a user specifies a container in our private registry in a deployment
  2. when a user points a Helm chart at our private repo (and so we have no control over the image pull secret tag).

I know it is possible to do this on a service account basis, but without writing a controller to add this to every new service account created, it would get a bit of a mess.

Is there a way to set this globally so if kube tries to pull from registry X it uses secret Y?

Thanks


Answer 1:


As far as I know, usually the default serviceAccount is responsible for pulling the images. To easily add imagePullSecrets to a serviceAccount you can use the patch command:

kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "mySecret"}]}'

It's possible to use kubectl patch in a script that inserts imagePullSecrets on serviceAccounts across all namespaces.

If it's too complicated to manage multiple namespaces you can have a look at kubernetes-replicator, which syncs resources between namespaces.

Solution 2:
This section of the doc explains how you can set the private registry on a node basis:

Here are the recommended steps to configure your nodes to use a private registry. In this example, run these on your desktop/laptop:

  1. Run docker login [server] for each set of credentials you want to use. This updates $HOME/.docker/config.json.
  2. View $HOME/.docker/config.json in an editor to ensure it contains just the credentials you want to use.
  3. Get a list of your nodes, for example:

    • If you want the names:
      nodes=$(kubectl get nodes -o jsonpath='{range.items[*].metadata}{.name} {end}')

    • If you want to get the IPs:
      nodes=$(kubectl get nodes -o jsonpath='{range .items[*].status.addresses[?(@.type=="ExternalIP")]}{.address} {end}')

  4. Copy your local .docker/config.json to one of the search paths listed above. For example:

    for n in $nodes; do scp ~/.docker/config.json root@$n:/var/lib/kubelet/config.json; done

Solution 3:
A (very dirty!) way I discovered to not need to set up an imagePullSecret on a deployment / serviceAccount basis is to:

  1. Set ImagePullPolicy: IfNotPresent
  2. Pull the image on each node:
    2.1. manually using docker pull myrepo/image:tag.
    2.2. using a script or a tool like docker-puller to automate that process.

Well, I think I don't need to explain how ugly that is.

PS: If it helps, I found an issue on kubernetes/kops about the feature of creating a global configuration for private registry.
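An added example, not code from any of the answers above: it applies Answer 1's kubectl patch to the default ServiceAccount in every namespace, but first reads the names already listed, because imagePullSecrets on a ServiceAccount has no merge key and a patch replaces the whole list. The secret name regcred and the --apply flag are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answers). Assumes kubectl is on PATH
# with rights to list namespaces and patch ServiceAccounts, and that the
# docker-registry secret already exists in each namespace under $SECRET_NAME.
set -u

SECRET_NAME="${SECRET_NAME:-regcred}"   # assumed name of the pull secret

# Build the JSON for "kubectl patch serviceaccount default -p ...".
# $1: space-separated names already referenced, $2: name to add.
# The list is rebuilt from the existing entries plus the new one (no
# duplicates), so re-running the script is safe and drops nothing.
build_patch() {
  existing="$1" new="$2"
  entries="" seen=" "
  for name in $existing $new; do
    case "$seen" in
      *" $name "*) continue ;;      # already in the list, skip duplicate
    esac
    seen="$seen$name "
    entries="${entries:+$entries,}{\"name\":\"$name\"}"
  done
  printf '{"imagePullSecrets":[%s]}' "$entries"
}

# Patch the default ServiceAccount of one namespace unless it already
# references the secret.
patch_namespace() {
  ns="$1"
  current=$(kubectl -n "$ns" get serviceaccount default \
              -o jsonpath='{.imagePullSecrets[*].name}')
  case " $current " in
    *" $SECRET_NAME "*) echo "$ns: already references $SECRET_NAME"; return 0 ;;
  esac
  kubectl -n "$ns" patch serviceaccount default \
    -p "$(build_patch "$current" "$SECRET_NAME")"
}

# Walk every namespace, skipping those where the secret does not exist yet:
# the kubelet cannot use a reference to a secret that is absent from the
# pod's namespace, so patching there would only hide the real problem.
patch_all_namespaces() {
  for ns in $(kubectl get namespaces -o jsonpath='{.items[*].metadata.name}'); do
    if kubectl -n "$ns" get secret "$SECRET_NAME" >/dev/null 2>&1; then
      patch_namespace "$ns"
    else
      echo "$ns: secret $SECRET_NAME not found, skipping" >&2
    fi
  done
}

# Only touch the cluster when invoked as "sh script.sh --apply".
if [ "${1:-}" = "--apply" ]; then patch_all_namespaces; fi
```

Run it again after new namespaces appear; namespaces already carrying the reference are reported and left untouched.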




Answer 2:


Two simple questions: where are you running your k8s cluster? Where is your registry located? Here are a few approaches to your issue: https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry



Source: https://stackoverflow.com/questions/55223075/automatically-use-secret-when-pulling-from-private-registry
