How to use imagePullSecret in K8S cluster-wide?

This article was last updated on: February 7, 2024

In this post, I’ll show you how to use imagePullSecrets in Kubernetes.

Introduction to imagePullSecrets

Kubernetes uses imagePullSecrets to authenticate to private container registries on a per-pod or per-namespace basis. To do this, you first create a secret containing the registry credentials:

⚠️ Warning

Now that public image registries (such as docker.io) have begun to restrict traffic from anonymous users, it is necessary to configure authentication even for public registries.

kubectl create secret docker-registry image-pull-secret \
  -n <your-namespace> \
  --docker-server=<your-registry-server> \
  --docker-username=<your-name> \
  --docker-password=<your-password> \
  --docker-email=<your-email>

For example, configure the pull secret for docker.io:

kubectl create secret docker-registry image-pull-secret-src \
  -n imagepullsecret-patcher \
  --docker-server=docker.io \
  --docker-username=caseycui \
  --docker-password=c874d654-xxxx-40c6-xxxx-xxxxxxxx89c2 \
  --docker-email=[email protected]

ℹ️ Information

If two-factor authentication is enabled on your docker.io account, you need to create an Access Token and use it as the docker-password above (it is created under Account -> Security).

Now we can reference this secret in a pod so that it can pull the image:

apiVersion: v1
kind: Pod
metadata:
  name: busybox
  namespace: private-registry-test
spec:
  containers:
    - name: my-app
      image: my-private-registry.infra/busybox:v1
  imagePullSecrets:
    - name: image-pull-secret

Another option is to add it to the namespace's default ServiceAccount, so every pod in that namespace inherits it:

kubectl patch serviceaccount default \
  -p "{\"imagePullSecrets\": [{\"name\": \"image-pull-secret\"}]}" \
  -n <your-namespace>

Use imagePullSecrets at the K8S cluster scope

I found a tool called imagepullsecret-patcher that can do this across all of your namespaces:

wget https://raw.githubusercontent.com/titansoft-pte-ltd/imagepullsecret-patcher/185aec934bd01fa9b6ade2c44624e5f2023e2784/deploy-example/kubernetes-manifest/1_rbac.yaml
wget https://raw.githubusercontent.com/titansoft-pte-ltd/imagepullsecret-patcher/master/deploy-example/kubernetes-manifest/2_deployment.yaml

kubectl create ns imagepullsecret-patcher

Edit the downloaded files; usually the only thing that needs changing is the image-pull-secret-src secret, which is the pull secret that will be applied at the K8S cluster scope.

nano 1_rbac.yaml
nano 2_deployment.yaml
kubectl apply -f 1_rbac.yaml
kubectl apply -f 2_deployment.yaml

The resources created here are:

  1. Namespace
  2. RBAC-related permissions:
    1. imagepullsecret-patcher ServiceAccount
    2. imagepullsecret-patcher ClusterRole, which grants full permissions on ServiceAccounts and Secrets (as a ClusterRole, this applies across all namespaces)
    3. imagepullsecret-patcher ClusterRoleBinding, which binds the imagepullsecret-patcher ClusterRole to the imagepullsecret-patcher ServiceAccount.
  3. Global pull secret image-pull-secret-src, which holds the addresses and credentials of every image registry your K8S cluster uses.
  4. Deployment imagepullsecret-patcher, running as the imagepullsecret-patcher ServiceAccount (and therefore with full permissions on ServiceAccounts and Secrets), with the above secret mounted into its pod.

You can include multiple image registries and their credentials, for example:

{
  "auths": {
    "docker.io": {
      "username": "caseycui",
      "password": "c874xxxxxxxxxxxxxxxx1f89c2",
      "email": "[email protected]",
      "auth": "Y2FzxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxWMy"
    },
    "quay.io": {
      "auth": "ZWFzdxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxlXWmpNPQ==",
      "email": ""
    }
  }
}

Base64-encode this JSON and write it to the secret's .dockerconfigjson field:

apiVersion: v1
kind: Secret
metadata:
  name: image-pull-secret-src
  namespace: imagepullsecret-patcher
data:
  .dockerconfigjson: >-
    eyJhdXRocyI6eyJkb2NrZXIuaW8iOnsidXNlcm5hbWUiOiJjYXNleWN1aSIsInB.............................................IiwiZW1haWwiOiIifX19
type: kubernetes.io/dockerconfigjson
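As an added example (not code from the post or from imagepullsecret-patcher), the Python below builds the same kubernetes.io/dockerconfigjson Secret for several registries at once, and checks an existing pull secret entry by entry without printing any credential; the registry names and credentials it uses are constructed placeholders.

```python
import base64
import json

# Constructed sample credentials (placeholders, not the redacted values from the post).
SAMPLE_REGISTRIES = {
    "docker.io": {"username": "caseycui", "password": "dckr_pat_EXAMPLE", "email": "me@example.com"},
    "quay.io": {"username": "robot+pull", "password": "QUAY_TOKEN_EXAMPLE"},
}

def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()

def build_dockerconfigjson(registries: dict) -> str:
    # The 'auth' field is base64("username:password"); kubelet sends it as the Basic auth header.
    auths = {}
    for server, cred in registries.items():
        auths[server] = {
            "username": cred["username"], "password": cred["password"],
            "email": cred.get("email", ""),
            "auth": b64(f'{cred["username"]}:{cred["password"]}'),
        }
    return json.dumps({"auths": auths})

def build_secret_manifest(name: str, namespace: str, registries: dict) -> dict:
    # Same result as `kubectl create secret docker-registry`, but covering several
    # registries at once; `kubectl apply -f` accepts this JSON form directly.
    return {
        "apiVersion": "v1", "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": b64(build_dockerconfigjson(registries))},
    }

def check_entry(entry: dict) -> str:
    # Validate one auths entry without printing the credential.
    try:
        user_pass = base64.b64decode(entry.get("auth", ""), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return "malformed-auth"
    if ":" not in user_pass:
        return "malformed-auth"
    if "username" in entry and user_pass != f'{entry["username"]}:{entry.get("password", "")}':
        return "auth-mismatch"  # hand-edited secret: username/password disagree with 'auth'
    return "ok"

def inspect_secret(manifest: dict) -> dict:
    # Decode a pull secret (e.g. from `kubectl get secret ... -o json`) and report per-registry status.
    if manifest.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a kubernetes.io/dockerconfigjson secret")
    cfg = json.loads(base64.b64decode(manifest["data"][".dockerconfigjson"]))
    return {server: check_entry(entry) for server, entry in cfg.get("auths", {}).items()}
```

An entry that only carries "auth" (like the quay.io entry above) is still checked for being a well-formed user:password pair, while an entry whose plaintext username/password no longer match its "auth" is reported as a mismatch.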

Once the pod starts, it creates an image-pull-secret secret in every namespace (with content copied from image-pull-secret-src) and patches it into the default service account and all other service accounts in the K8S cluster. The logs look like this:

time="2022-01-12T16:07:30Z" level=info msg="Application started"
time="2022-01-12T16:07:30Z" level=info msg="[default] Created secret"
time="2022-01-12T16:07:30Z" level=info msg="[default] Patched imagePullSecrets to service account [default]"
time="2022-01-12T16:07:30Z" level=info msg="[kube-system] Created secret"
time="2022-01-12T16:07:31Z" level=info msg="[kube-system] Patched imagePullSecrets to service account [node-controller]"
...
time="2022-01-12T16:07:37Z" level=info msg="[kube-public] Created secret"
time="2022-01-12T16:07:37Z" level=info msg="[kube-public] Patched imagePullSecrets to service account [default]"
time="2022-01-12T16:07:38Z" level=info msg="[kube-node-lease] Created secret"
time="2022-01-12T16:07:38Z" level=info msg="[kube-node-lease] Patched imagePullSecrets to service account [default]"
time="2022-01-12T16:07:38Z" level=info msg="[prometheus] Created secret"
time="2022-01-12T16:07:39Z" level=info msg="[prometheus] Patched imagePullSecrets to service account [default]"
...
time="2022-01-12T16:07:41Z" level=info msg="[imagepullsecret-patcher] Created secret"
time="2022-01-12T16:07:41Z" level=info msg="[imagepullsecret-patcher] Patched imagePullSecrets to service account [default]"
time="2022-01-12T16:07:41Z" level=info msg="[imagepullsecret-patcher] Patched imagePullSecrets to service account [imagepullsecret-patcher]"

From now on, whenever credentials change we only need to update image-pull-secret-src. 👍️👍️👍️

Kyverno policy

A Kyverno policy can achieve the same effect. The first ClusterPolicy clones the image-pull-secret secret from the default namespace into every namespace (and keeps the copies in sync); the second mutates every new Pod to add that secret to its imagePullSecrets:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sync-secret
spec:
  background: false
  rules:
    - name: sync-image-pull-secret
      match:
        resources:
          kinds:
            - Namespace
      generate:
        kind: Secret
        name: image-pull-secret
        namespace: "{{request.object.metadata.name}}"
        synchronize: true
        clone:
          namespace: default
          name: image-pull-secret

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: mutate-imagepullsecret
spec:
  rules:
    - name: mutate-imagepullsecret
      match:
        resources:
          kinds:
            - Pod
      mutate:
        patchStrategicMerge:
          spec:
            imagePullSecrets:
              - name: image-pull-secret ## imagePullSecret that you created with docker hub pro account
            (containers):
              - (image): "*" ## match all container images

Author: east4ming
Posted on: January 13, 2022
Source: https://e-whisper.com/posts/39547/