kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Task configure sa: 'Add image pull secrets to a service account' section improvment proposal

pull/21043/head
Sylvain COULOMBEL 2020-05-18 23:27:25 +02:00
parent 4473aab54f
commit 9ea75a8149
1 changed files with 34 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
content/en/docs/tasks/configure-pod-container/configure-service-account.md
View File

@ -183,27 +183,38 @@ The content of `token` is elided here.
## Add ImagePullSecrets to a service account ## Add ImagePullSecrets to a service account
First, create an imagePullSecret, as described [here](/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod). ### Create an imagePullSecret
Next, verify it has been created. For example:
```shell - Create an imagePullSecret, as described in [Specifying ImagePullSecrets on a Pod](/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod).
kubectl get secrets myregistrykey
```
The output is similar to this: ```shell
kubectl create secret docker-registry myregistrykey --docker-server=DUMMY_SERVER \
--docker-username=DUMMY_USERNAME --docker-password=DUMMY_DOCKER_PASSWORD \
--docker-email=DUMMY_DOCKER_EMAIL
```
``` - Verify it has been created.
NAME TYPE DATA AGE ```shell
myregistrykey   kubernetes.io/.dockerconfigjson   1       1d kubectl get secrets myregistrykey
``` ```
The output is similar to this:
```
NAME TYPE DATA AGE
myregistrykey   kubernetes.io/.dockerconfigjson   1       1d
```
### Add image pull secret to service account
Next, modify the default service account for the namespace to use this secret as an imagePullSecret. Next, modify the default service account for the namespace to use this secret as an imagePullSecret.
```shell ```shell
kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "myregistrykey"}]}' kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "myregistrykey"}]}'
``` ```
Interactive version requires manual edit: You can instead use `kubectl edit`, or manually edit the YAML manifests as shown below:
```shell ```shell
kubectl get serviceaccounts default -o yaml > ./sa.yaml kubectl get serviceaccounts default -o yaml > ./sa.yaml
@ -248,12 +259,19 @@ Finally replace the serviceaccount with the new updated `sa.yaml` file
kubectl replace serviceaccount default -f ./sa.yaml kubectl replace serviceaccount default -f ./sa.yaml
``` ```
Now, any new pods created in the current namespace will have this added to their spec: ### Verify imagePullSecrets was added to pod spec
```yaml Now, when a new Pod is created in the current namespace and using the default ServiceAccount, the new Pod has its `spec.imagePullSecrets` field set automatically:
spec:
imagePullSecrets: ````shell
- name: myregistrykey kubectl run nginx --image=nginx --restart=Never
kubectl get pod nginx -o=jsonpath='{.spec.imagePullSecrets[0].name}'
````
The output is:
```shell
myregistrykey
``` ```
<!--## Adding Secrets to a service account. <!--## Adding Secrets to a service account.