kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Pull image private cleanup (#6609) 

* cleanup and clarify doc on imagePullSecrets task

* rename regsecret to regcred to reduce stuttering
reviewable/pr7455/r1
Tony Li 2018-02-20 12:54:38 -05:00 committed by k8s-ci-robot
parent a06de688fc
commit 62002d3073
1 changed files with 26 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
docs/tasks/configure-pod-container/pull-image-private-registry.md
View File

@ -22,12 +22,13 @@ private Docker registry or repository.
## Log in to Docker
On your laptop, you must authenticate with a registry in order to pull a private image:
docker login
When prompted, enter your Docker username and password.
The login process creates or updates a `config.json` file that holds an
authorization token.
The login process creates or updates a `config.json` file that holds an authorization token.
View the `config.json` file:
@ -46,11 +47,13 @@ The output contains a section similar to this:
**Note:** If you use a Docker credentials store, you won't see that `auth` entry but a `credsStore` entry with the name of the store as value.
{: .note}
## Create a Secret that holds your authorization token
## Create a Secret in the cluster that holds your authorization token
Create a Secret named `regsecret`:
A Kubernetes cluster uses the Secret of `docker-registry` type to authenticate with a container registry to pull a private image.
kubectl create secret docker-registry regsecret --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
Create this Secret, naming it `regcred`:
kubectl create secret docker-registry regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
where:
@ -59,12 +62,13 @@ where:
* `<your-pword>` is your Docker password.
* `<your-email>` is your Docker email.
## Understanding your Secret
You have successfully set your Docker credentials in the cluster as a Secret called `regcred`.
To understand what's in the Secret you just created, start by viewing the
Secret in YAML format:
## Inspecting the Secret `regcred`
kubectl get secret regsecret --output=yaml
To understand the contents of the `regcred` Secret you just created, start by viewing the Secret in YAML format:
kubectl get secret regcred --output=yaml
The output is similar to this:
@ -74,31 +78,28 @@ The output is similar to this:
kind: Secret
metadata:
...
name: regsecret
name: regcred
...
type: kubernetes.io/dockerconfigjson
The value of the `.dockerconfigjson` field is a base64 representation of your secret data.
Copy the base64 representation of the secret data into a file named `secret64`.
**Important**: Make sure there are no line breaks in your `secret64` file.
The value of the `.dockerconfigjson` field is a base64 representation of your Docker credentials.
To understand what is in the `.dockerconfigjson` field, convert the secret data to a
readable format:
base64 -d secret64
kubectl get secret regcred --output="jsonpath={.data.\.dockerconfigjson}" | base64 -d
The output is similar to this:
{"auths":{"yourprivateregistry.com":{"username":"janedoe","password":"xxxxxxxxxxx","email":"jdoe@example.com","auth":"c3R...zE2"}}}
Notice that the secret data contains the authorization token from your
`config.json` file.
Notice that the Secret data contains the authorization token similar to your local `~/.docker/config.json` file.
You have successfully set your Docker credentials as a Secret called `regcred` in the cluster.
## Create a Pod that uses your Secret
Here is a configuration file for a Pod that needs access to your secret data:
Here is a configuration file for a Pod that needs access to your Docker credentials in `regcred`:
{% include code.html language="yaml" file="private-reg-pod.yaml" ghlink="/docs/tasks/configure-pod-container/private-reg-pod.yaml" %}
@ -106,17 +107,12 @@ Download the above file:
wget -O my-private-reg-pod.yaml https://k8s.io/docs/tasks/configure-pod-container/private-reg-pod.yaml
In file `my-private-reg-pod.yaml`, replace `<your-private-image>` with the
path to an image in a private repository.
Example Docker Hub private image:
In file `my-private-reg-pod.yaml`, replace `<your-private-image>` with the path to an image in a private registry such as:
janedoe/jdoe-private:v1
To pull the image from the private repository, Kubernetes needs credentials. The
`imagePullSecrets` field in the configuration file specifies that Kubernetes
should get the credentials from a Secret named
`regsecret`.
To pull the image from the private registry, Kubernetes needs credentials.
The `imagePullSecrets` field in the configuration file specifies that Kubernetes should get the credentials from a Secret named `regcred`.
Create a Pod that uses your Secret, and verify that the Pod is running:
@ -128,12 +124,10 @@ Create a Pod that uses your Secret, and verify that the Pod is running:
{% capture whatsnext %}
* Learn more about [Secrets](/docs/concepts/configuration/secret/).
* Learn more about
[using a private registry](/docs/concepts/containers/images/#using-a-private-registry).
* Learn more about [using a private registry](/docs/concepts/containers/images/#using-a-private-registry).
* See [kubectl create secret docker-registry](/docs/user-guide/kubectl/{{page.version}}/#-em-secret-docker-registry-em-).
* See [Secret](/docs/api-reference/{{page.version}}/#secret-v1-core)
* See the `imagePullSecrets` field of
[PodSpec](/docs/api-reference/{{page.version}}/#podspec-v1-core).
* See [Secret](/docs/api-reference/{{page.version}}/#secret-v1-core).
* See the `imagePullSecrets` field of [PodSpec](/docs/api-reference/{{page.version}}/#podspec-v1-core).
{% endcapture %}