This write-up is about integrating a container registry with a Kubernetes cluster. The cluster can be a manually configured one, an Amazon Elastic Kubernetes Service (EKS) cluster, an Azure Kubernetes Service (AKS) cluster, or a Google Kubernetes Engine (GKE) cluster. The approach I am sharing here is generic and applies to any type of Kubernetes cluster. There are also integration techniques specific to individual service providers that use service principals and policies; we are not discussing those here.
The approach is to create a secret in the Kubernetes cluster that holds the credentials of the container registry. This secret needs to be created in the same namespace in which we are deploying the application. The same secret can be registered under the same name in multiple namespaces of the same cluster.
Kubernetes Secrets are the best way of storing sensitive information such as passwords, tokens, SSH keys, registry credentials, SSL certificates, service account details and so on.
Here I am explaining the way of storing docker registry credentials in Kubernetes Secrets.
The syntax of the command to create a secret for docker registry is given below.
kubectl create secret docker-registry <registry-name> --docker-server=<registry-server-url> --docker-username=<username> --docker-password=<password> -n <namespace>
An example is given below.
kubectl create secret docker-registry my-registry-secret --docker-server=myazregistry.azurecr.io --docker-username=amaluser --docker-password=amalpassword
Here the docker-registry in the command denotes the secret type.
If we do not specify the namespace, the secret is created in the default namespace. Here I have used an Azure Container Registry (ACR) as my private registry.
Once the secret is created, we can list and check the details by issuing the following command.
kubectl get secrets -n <namespace>
The namespace argument is optional. If we do not specify the namespace, the command lists all the secrets registered in the default namespace.
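What the create command above actually stores, as an added example that is not part of the original write-up: a Secret of type kubernetes.io/dockerconfigjson whose single data key is base64-encoded, not encrypted, so anyone allowed to read secrets in the namespace can recover the registry password. The function names are my own, and the sample values are the ones from the example command.

```python
import base64
import json


def build_pull_secret(name, server, username, password, namespace="default"):
    """Build the manifest that `kubectl create secret docker-registry` would create."""
    # The "auth" field is base64("username:password"), as in a Docker config.json.
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    docker_config = {
        "auths": {server: {"username": username, "password": password, "auth": auth}}
    }
    payload = json.dumps(docker_config).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(payload).decode()},
    }


def decode_pull_secret(manifest):
    """Recover {server: (username, password)} from a docker-registry secret."""
    if manifest.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a docker-registry secret")
    raw = base64.b64decode(manifest["data"][".dockerconfigjson"])
    creds = {}
    for server, entry in json.loads(raw)["auths"].items():
        # Split on the first ':' only, since the password itself may contain colons.
        user, _, pw = base64.b64decode(entry["auth"]).decode().partition(":")
        creds[server] = (user, pw)
    return creds


if __name__ == "__main__":
    # Sample values taken from the example command in this write-up.
    secret = build_pull_secret(
        "my-registry-secret", "myazregistry.azurecr.io", "amaluser", "amalpassword"
    )
    print(json.dumps(secret, indent=2))  # JSON manifest, usable with kubectl apply -f
    print(decode_pull_secret(secret))    # the credentials come straight back out
```

Because the credentials decode this easily, limit who can get or list secrets in the namespace through RBAC and enable encryption at rest for the cluster's secret storage.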
How to use the credentials while deploying a Pod on Kubernetes?
apiVersion: v1
kind: Pod
metadata:
  name: my-private-reg
spec:
  containers:
  - name: my-private-reg-container
    image: <my-private-image>
  imagePullSecrets:
  - name: my-registry-secret
The above YAML is a sample file for the deployment of a Pod. In the file, the container registry credential secret is referenced using the key imagePullSecrets. This pulls the credentials from the secret registered in the Kubernetes cluster and uses them for accessing the private registry.
Thanks for reading my write up. I hope my above explanation is clear. Please feel free to comment if you have any questions.