问题
I am trying to use kubectl run command to pull an image from private registry and run a command from that. But I don't see an option to specify image pull secret. It looks like it is not possible to pass image secret as part for run command.
Is there any alternate option to pull a container and run a command using kubectl? The command output should be seen on the console. Also once the command finishes the pod should die.
回答1:
You can use the overrides if you specify it right, it's an array in the end, that took me a bit to figure out, the below works on Kubernetes of at least 1.6:
--overrides='{ "apiVersion": "v1", "spec": { "imagePullSecrets": [{"name": "your-secret"}] } }'
for example
kubectl run -i -t hello-world --restart=Never --rm=true \
--image=eu.gcr.io/your-registry/hello-world \
--overrides='{ "apiVersion": "v1", "spec": { "imagePullSecrets": [{"name": "your-registry-secret"}] } }'
回答2:
You could create the docker-registry secret as described at @MarkO'Connor's link, then add it to the default ServiceAccount. It's the SA that acts on the behalf of pods, including pulling their images.
From Adding ImagePullSecrets to a service account:
$ kubectl create secret docker-registry myregistrykey --docker-username=janedoe --docker-password=●●●●●●●●●●● --docker-email=jdoe@example.com
secret "myregistrykey" created
$ kubectl get serviceaccounts default -o yaml > ./sa.yaml
$ cat sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: 2015-08-07T22:02:39Z
name: default
namespace: default
resourceVersion: "243024"
selfLink: /api/v1/namespaces/default/serviceaccounts/default
uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
secrets:
- name: default-token-uudge
$ vi sa.yaml
[editor session not shown]
[delete line with key "resourceVersion"]
[add lines with "imagePullSecret:"]
$ cat sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: 2015-08-07T22:02:39Z
name: default
namespace: default
selfLink: /api/v1/namespaces/default/serviceaccounts/default
uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
secrets:
- name: default-token-uudge
imagePullSecrets:
- name: myregistrykey
$ kubectl replace serviceaccount default -f ./sa.yaml
Now, any new pods created in the current namespace will have this added to their spec:
spec:
imagePullSecrets:
- name: myregistrykey
回答3:
On Windows, you can do patch, but as it shows a JSON error, you have to do this trick (using PowerShell):
> $imgsec= '{"imagePullSecrets": [{"name": "myregistrykey"}]}' | ConvertTo-Json
> kubectl patch serviceaccount default -p $imgsec
Also , if you want to update/ append imagePullSecret , then you should be using something like this :
> $imgsec= '[{"op":"add","path":"/imagePullSecrets/-","value":{"name":"myregistrykey2"}}]' | ConvertTo-Json
> kubectl patch serviceaccount default --type='json' -p $imgsec
.
回答4:
As far as I know you cannot, but you can use kubectl run nginx --image=nginx --overrides='{ "apiVersion": "v1", "spec": { ... } }'
, but this is not very different from what you can do with kubectl create -f mypod.json
What I think you're after is not a Pod but a Job, for example, if you need to populate a database, you can create a container that does that, and run it as a job instead of a pod or replica set.
Kubectl run ... creates deploymentorjob` objects. Jobs finish when the pod execution terminates and you can check the logs.
Take a look here and here for the termination
来源:https://stackoverflow.com/questions/40288077/how-to-pass-image-pull-secret-while-using-kubectl-run-command