This article was last updated on: July 24, 2024 am
In this post, I’ll show you how to use imagePullSecrets in Kubernetes.
Introduction to imagePullSecrets
Kubernetes uses imagePullSecrets to authenticate to private container registries on a per-pod or per-namespace basis. To do this, you first need to create a secret that holds the registry credentials:
⚠️ warn:
Now that public image registries (docker.io and others) are starting to rate-limit anonymous pulls, you also need to configure authentication for public registries.
If two-factor authentication is enabled on your docker.io account, you may need to create an Access Token and use it as the docker-password above (create it under Account -> Security).
Now we can reference this secret in a pod so that the kubelet can pull the image:
The imagepullsecret-patcher deployment consists of the following objects:
ClusterRole imagepullsecret-patcher, which grants full permissions on service accounts and secrets.
ClusterRoleBinding imagepullsecret-patcher, which binds the imagepullsecret-patcher ClusterRole to the imagepullsecret-patcher ServiceAccount.
Global pull secret image-pull-secret-src, which holds the addresses and credentials of every image registry your cluster uses.
Deployment imagepullsecret-patcher, which runs under the imagepullsecret-patcher ServiceAccount (and therefore has full permissions on service accounts and secrets) and mounts the secret above into its pod.
The source secret can contain multiple registry addresses and credentials, for example:
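The following is an added example, not code from the original post or from the imagepullsecret-patcher project. It builds one .dockerconfigjson Secret manifest that carries credentials for several registries at once, the shape the global image-pull-secret-src secret takes; registry hosts, user names, tokens and the namespace are constructed placeholders.

```shell
#!/bin/sh
# Added example: assemble a multi-registry .dockerconfigjson pull secret.
# Registry hosts, users, tokens and the namespace are constructed placeholders.
# Values are not JSON-escaped, so keep tokens free of quotes and backslashes.

# docker_auth_entry REGISTRY USER TOKEN -> one member of the "auths" map.
# "auth" is base64(USER:TOKEN), which is the field registries actually check.
docker_auth_entry() {
    auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
    printf '"%s":{"username":"%s","password":"%s","auth":"%s"}' "$1" "$2" "$3" "$auth"
}

# docker_config_json ENTRY... -> the complete .dockerconfigjson document.
docker_config_json() {
    body=""
    for entry in "$@"; do
        if [ -z "$body" ]; then body="$entry"; else body="$body,$entry"; fi
    done
    printf '{"auths":{%s}}' "$body"
}

# pull_secret_manifest NAME NAMESPACE CONFIG_JSON -> Secret manifest ready for
# `kubectl apply -f -` (data values must be base64 without line breaks).
pull_secret_manifest() {
    encoded=$(printf '%s' "$3" | base64 | tr -d '\n')
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\n' "$1" "$2"
    printf 'type: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' "$encoded"
}

# Constructed sample: Docker Hub (an access token, not the account password) plus
# a private registry, combined into the single source secret the patcher copies.
config=$(docker_config_json \
    "$(docker_auth_entry https://index.docker.io/v1/ hubuser dckr_pat_PLACEHOLDER)" \
    "$(docker_auth_entry registry.example.internal pull-robot PLACEHOLDER_TOKEN)")
pull_secret_manifest image-pull-secret-src imagepullsecret-patcher "$config"
```

Pipe the output into kubectl apply -f - to create the secret; the patcher then copies it into every namespace.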
Once the patcher pod is running, it creates an image-pull-secret secret (with content copied from image-pull-secret-src) in every namespace and patches it into the default service account and all other service accounts of the cluster. The logs look like this:
time="2022-01-12T16:07:30Z" level=info msg="Application started"
time="2022-01-12T16:07:30Z" level=info msg="[default] Created secret"
time="2022-01-12T16:07:30Z" level=info msg="[default] Patched imagePullSecrets to service account [default]"
time="2022-01-12T16:07:30Z" level=info msg="[kube-system] Created secret"
time="2022-01-12T16:07:31Z" level=info msg="[kube-system] Patched imagePullSecrets to service account [node-controller]"
...
time="2022-01-12T16:07:37Z" level=info msg="[kube-public] Created secret"
time="2022-01-12T16:07:37Z" level=info msg="[kube-public] Patched imagePullSecrets to service account [default]"
time="2022-01-12T16:07:38Z" level=info msg="[kube-node-lease] Created secret"
time="2022-01-12T16:07:38Z" level=info msg="[kube-node-lease] Patched imagePullSecrets to service account [default]"
time="2022-01-12T16:07:38Z" level=info msg="[prometheus] Created secret"
time="2022-01-12T16:07:39Z" level=info msg="[prometheus] Patched imagePullSecrets to service account [default]"
...
time="2022-01-12T16:07:41Z" level=info msg="[imagepullsecret-patcher] Created secret"
time="2022-01-12T16:07:41Z" level=info msg="[imagepullsecret-patcher] Patched imagePullSecrets to service account [default]"
time="2022-01-12T16:07:41Z" level=info msg="[imagepullsecret-patcher] Patched imagePullSecrets to service account [imagepullsecret-patcher]"
From now on, we only need to update image-pull-secret-src. 👍️👍️👍️
Alternatively, a Kyverno ClusterPolicy can mutate every Pod to add the imagePullSecret:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: mutate-imagepullsecret
spec:
  rules:
    - name: mutate-imagepullsecret
      match:
        resources:
          kinds:
            - Pod
      mutate:
        patchStrategicMerge:
          spec:
            imagePullSecrets:
              - name: image-pull-secret  ## imagePullSecret that you created with docker hub pro account
            (containers):
              - (image): "*"  ## match all container images