Kubernetes can't use secret for private docker repository - docker

I have a single private repository on Docker. It contains a simple ASP.Net project. The full URL is https://hub.docker.com/repository/docker/MYUSERNAME/testrepo. I can push an image to it using these commands:
$ docker tag myImage MYUSERNAME/testrepo
$ docker push MYUSERNAME/testrepo
I have created this secret in Kubernetes:
$ kubectl create secret docker-registry mysecret --docker-server="MYUSERNAME/testrepo" --docker-username=MY_USERNAME --docker-password="MY_DOCKER_PASSWORD" --docker-email=MY_EMAIL
Which successfully creates a secret in Kubernetes with my username and password. Next, I apply a simple deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: weather-deployment
  labels:
    app: weather
spec:
  replicas: 3
  selector:
    matchLabels:
      app: weather
  template:
    metadata:
      labels:
        app: weather
    spec:
      containers:
        - name: weather
          image: MYUSERNAME/testrepo:latest
          ports:
            - containerPort: 80
      imagePullSecrets:
        - name: mysecret
The deployment fails with this message:
$ Failed to pull image "MYUSERNAME/testrepo:latest": rpc error: code = Unknown desc = Error response from daemon: pull access denied for MYUSERNAME/testrepo, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
What am I doing wrong?

You should provide the correct registry URL: --docker-server="MYUSERNAME/testrepo".
It is not the Docker image name. It should be your private registry URL; if you use Docker Hub, then the value should be --docker-server="https://index.docker.io/v1/". From this document:
<your-registry-server> is your Private Docker Registry FQDN. (https://index.docker.io/v1/ for DockerHub)
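
The mismatch described in this answer can be checked mechanically. The following is an added example, not code from the original posts: it takes the decoded secret (the output of `kubectl get secret mysecret --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode`) and compares the registry hosts in its `auths` keys with the registry the image reference resolves to. It is a simplified host-level comparison, not the kubelet's own matching code; the function names, the sample JSON and the choice to treat the Docker Hub hostnames as equivalent are assumptions of the example.

```python
import json

# Hostnames that all refer to Docker Hub (treated as equivalent in this example).
HUB_ALIASES = {"docker.io", "index.docker.io", "registry-1.docker.io"}


def canonical(host):
    host = host.lower()
    return "docker.io" if host in HUB_ALIASES else host


def image_registry(image):
    """Registry an image reference points at, using Docker's naming rule."""
    first, slash, _ = image.partition("/")
    # The first component is a registry only if it looks like a host
    # (contains "." or ":", or is "localhost"); otherwise it is Docker Hub.
    if slash and ("." in first or ":" in first or first == "localhost"):
        return canonical(first)
    return "docker.io"


def secret_registries(dockerconfigjson_text):
    """Map each auths key of a decoded .dockerconfigjson to its registry host."""
    auths = json.loads(dockerconfigjson_text).get("auths", {})
    return {key: canonical(key.split("://", 1)[-1].split("/", 1)[0]) for key in auths}


def secret_covers_image(dockerconfigjson_text, image):
    return image_registry(image) in secret_registries(dockerconfigjson_text).values()


# Constructed samples: what the two --docker-server values put into the secret.
BROKEN = '{"auths": {"MYUSERNAME/testrepo": {"username": "MY_USERNAME"}}}'
FIXED = '{"auths": {"https://index.docker.io/v1/": {"username": "MY_USERNAME"}}}'

if __name__ == "__main__":
    image = "MYUSERNAME/testrepo:latest"
    for label, secret in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, secret_registries(secret), secret_covers_image(secret, image))
```
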

Related

Access custom docker registry with NodePort service

I have a local kubernetes cluster up and running using k3s. It works like a charm so far.
On it I'm running a custom Docker registry from which I want to pull images for other deployments.
The registry is exposed to the host by means of a NodePort service. Internally it has port 5000, externally it's on port 31320.
I can push docker images to the registry from the host by tagging them as myhostname:31320/myimage:latest. This works great too.
Now I want to use this image in a basic Job deployment. I'm using the whole tag myhostname:31320/myimage:latest as container image entry like this:
apiVersion: batch/v1
kind: Job
metadata:
  name: hello-world
spec:
  template:
    metadata:
      name: hello-world-pod
    spec:
      containers:
        - name: hello-world
          image: myhostname:31320/myimage:latest
      restartPolicy: Never
Unfortunately, I keep getting a 400 BadRequest error stating: image can't be pulled. If I try using the internal service name of the registry and the internal port instead, like in private-registry:5000/myimage:latest, I'm getting the same error.
I suppose I cannot use private-registry:5000/myimage:latest because that's just not the tag of the image. I cannot push the image to private-registry:5000/myimage:latest because the host private-registry is only known inside the cluster and the port 5000 is not exposed to the host.
So... I'm stuck. What am I going to do about this? How do I get to push images from the host to the registry and allow them to be pulled from inside the cluster?
Kubernetes has rich documentation on how to use multiple registries to allow deployments/pods to access public or even private registries. To do so, you can create an image pull secret k8s resource (docs); you can either create it by running this command:
kubectl create secret docker-registry regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword>
or by deploying this resource in your cluster:
apiVersion: v1
kind: Secret
metadata:
  name: myregistrykey
  namespace: awesomeapps
data:
  # Make sure you convert the whole file to base64 (encode it, on a single line)!
  # cat registry.json | base64 | tr -d '\n'
  .dockerconfigjson: <registry.json>
type: kubernetes.io/dockerconfigjson
registry.json example
{
  "auths": {
    "your.private.registry.example.com": {
      "username": "janedoe",
      "password": "xxxxxxxxxxx",
      "email": "jdoe@example.com",
      "auth": "c3R...zE2"
    }
  }
}
And now you can simply attach this imagePullSecret resource to your deployment:
apiVersion: batch/v1
kind: Job
metadata:
  name: hello-world
spec:
  template:
    metadata:
      name: hello-world-pod
    spec:
      imagePullSecrets:
        - name: regcred
      containers:
        - name: hello-world
          image: myhostname:31320/myimage:latest
      restartPolicy: Never
PS: You might also consider adding your registry to the Docker daemon as an insecure registry if you encounter other issues.
You can check this SO question.
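
The Secret manifest in the answer above involves two layers of base64: the `auth` field inside the JSON, and the whole JSON file in `.dockerconfigjson`. The following is an added example, not code from the original posts: it builds such a manifest and validates both layers. The function names and the credentials are constructed for illustration; the registry host and secret name are taken from the post.

```python
import base64
import json

SECRET_TYPE = "kubernetes.io/dockerconfigjson"


def b64(text):
    return base64.b64encode(text.encode()).decode()


def build_pull_secret(name, namespace, server, username, password):
    """Build the Secret manifest; kubectl apply -f accepts it as JSON."""
    entry = {"username": username, "password": password,
             "auth": b64(f"{username}:{password}")}  # inner layer: user:password
    config = json.dumps({"auths": {server: entry}})
    return {"apiVersion": "v1", "kind": "Secret", "type": SECRET_TYPE,
            "metadata": {"name": name, "namespace": namespace},
            "data": {".dockerconfigjson": b64(config)}}  # outer layer: whole file


def validate_pull_secret(manifest):
    """Return a list of problems; an empty list means the secret is well formed."""
    problems = []
    if manifest.get("type") != SECRET_TYPE:
        problems.append("type must be " + SECRET_TYPE)
    raw = manifest.get("data", {}).get(".dockerconfigjson", "")
    try:
        config = json.loads(base64.b64decode(raw, validate=True))
    except ValueError:  # covers bad base64 and bad JSON
        return problems + [".dockerconfigjson is not base64-encoded JSON"]
    for server, entry in config.get("auths", {}).items():
        try:
            decoded = base64.b64decode(entry.get("auth", ""), validate=True).decode()
        except ValueError:
            decoded = None
        if decoded != f"{entry.get('username')}:{entry.get('password')}":
            problems.append(server + ": auth does not decode to username:password")
    return problems


if __name__ == "__main__":
    # Constructed credentials; registry host and secret name are from the post above.
    secret = build_pull_secret("regcred", "default", "myhostname:31320",
                               "janedoe", "constructed-password")
    print(json.dumps(secret, indent=2))
    print(validate_pull_secret(secret))
```

Base64 here is an encoding, not encryption: anyone who can read the Secret object can recover the registry password.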

Failed to pull image pull access denied , repository does not exist or may require 'docker login':

I've created my own image just called v2 but when I do kubectl get pods, it keeps erroring out...with Failed to pull image "v2": rpc error: code = Unknown desc = Error response from daemon: pull access denied for v2, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
I'm using minikube, by the way.
This is my deployment file, also called v2.yaml
apiVersion: v1
kind: Service
metadata:
  name: v2
spec:
  selector:
    name: v2
  ports:
    - port: 8080
      targetPort: 80
---
# ... Deployment YAML definition
apiVersion: apps/v1
kind: Deployment
metadata:
  name: v2
spec:
  replicas: 1
  selector:
    matchLabels:
      name: v2
  template:
    metadata:
      labels:
        name: v2
    spec:
      containers:
        - name: v2
          image: v2
          ports:
            - containerPort: 80
          imagePullPolicy: IfNotPresent
---
# ... Ingress YAML definition
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: v2
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
    - http:
        paths:
          - path: /second
            pathType: Prefix
            backend:
              service:
                name: v2
                port:
                  number: 8080
any help gratefully received
My suspicion is that you have built your container image against your local Docker daemon, rather than minikube's. Hence, because your imagePullPolicy is set to IfNotPresent, the node will try pulling it from Docker hub (the default container registry).
You can run minikube ssh to open a shell and then run docker image ls to verify the image is not present in the minikube Docker daemon.
The solution here is to first run the following command from your local shell (i.e. not the one in minikube):
$ eval $(minikube -p minikube docker-env)
It will set up your current shell to use minikube's docker daemon. After that, in the same shell, rebuild your image. Now when minikube tries pulling the image, it should find it and bring up the pod successfully.
As the error message indicates (v2, repository does not exist), it is because of image: v2. There is no image available on Docker Hub with the name v2. If it is in your repository on Docker Hub, then mention it in the form <reponame>/v2.

How to access private docker hub image?

I’m attempting to pull a private docker image into a digital ocean Kubernetes cluster. I receive this error:
Failed to pull image "testuser/services:latest": rpc error: code =
Unknown desc = failed to pull and unpack image
"docker.io/testuser/services:latest": failed to resolve reference
"docker.io/testuser/services:latest": pull access denied, repository
does not exist or may require authorization: server message:
insufficient_scope: authorization failed
I followed the guide to configure the private registry : https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ , executing the command :
kubectl create secret generic regcred \
    --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
    --type=kubernetes.io/dockerconfigjson
I'm following this guide for creating a Kubernetes cluster with Docker container on Kubernetes: https://www.digitalocean.com/community/tutorials/how-to-automate-deployments-to-digitalocean-kubernetes-with-circleci
When I execute kubectl apply -f ~/kube-general/ the pod is successfully created but fails to pull the image and displays above error.
To enable access to a private docker hub image I’ve added imagePullSecrets to app-service.yml :
apiVersion: apps/v1
kind: Deployment
metadata:
  name: testuser
  namespace: default
  labels:
    app: testuser
spec:
  replicas: 1
  selector:
    matchLabels:
      app: testuser
  template:
    metadata:
      labels:
        app: testuser
    spec:
      containers:
        - name: testuser
          image: testuser/services:latest
          ports:
            - containerPort: 5000
              name: http
      imagePullSecrets:
        - name: regcred
app-deployment.yaml:
apiVersion: v1
kind: Service
metadata:
  name: services
  namespace: default
  labels:
    app: services
spec:
  type: ClusterIP
  ports:
    - port: 5000
      targetPort: http
      name: http
  selector:
    app: services
Update:
pulling the image from my local machine works as expected:
docker pull testuser/services:latest
latest: Pulling from testuser/services
Digest: sha256:35db6c6e9344043a67abe2e0a2f2583c036479728c944dc4136494f0d09a44fe
Status: Image is up to date for testuser/services:latest
docker.io/testuser/services:latest
The process I've followed is same as: https://www.digitalocean.com/community/questions/private-docker-registry
Can you try below:
kubectl create secret docker-registry dockerreg --docker-server=docker.io --docker-username=alloweduserid --docker-password=password --docker-email=user@abc.com

OpenShift Container Platform unable to pull private Docker Hub images

I have an instance of OpenShift Container Platform 3.9 running.
I created a Docker Hub secret with credentials to access private images.
I linked the newly created secret to the default service account for pull access.
I created an ImageStream, to access the private image, which seems to have access as it is correctly accessing the image sha.
I created a DeploymentConfig to deploy the image. When deploying, I get the following error message when attempting to pull the image Failed to pull image "myorg/myimage": rpc error: code = Unknown desc = repository docker.io/myorg/myimage not found: does not exist or no pull access
The image stream looks as follows:
apiVersion: v1
kind: ImageStream
metadata:
  name: myimage
spec:
  dockerImageRepository: docker.io/myorg/myimage
  tags:
    - name: mytag
      generation: 2
      from:
        kind: DockerImage
        name: 'docker.io/myorg/myimage:mytag'
      importPolicy:
        scheduled: true
The deployment config looks as follows:
apiVersion: v1
kind: DeploymentConfig
metadata:
  name: myservice
  generation: 1
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: example
    spec:
      containers:
        - name: myservice
          image: myorg/myimage:mytag
          imagePullPolicy: Always
          ports:
            - containerPort: 8888
What could I be doing wrong?

How to pull image from Docker Store from Kubernetes Pod

After following the link below, I can successfully pull my private images in Docker Hub from my Pods: Pull from Private repo
However, attempting to pull a Docker Store image doesn't seem to work.
I am able to pull this store image locally on my desktop using docker pull store/oracle/database-instantclient:12.2.0.1 and the same credentials that have been stored in Kubernetes as a secret.
What is the correct way to pull a Docker Store image from Kubernetes Pods?
Working pod config for my private repo/image:
image: index.docker.io/<privaterepo>/<privateimage>
I have tried the following in my pod config, none work:
image: store/oracle/database-instantclient:12.2.0.1
image: oracle/database-instantclient:12.2.0.1
image: index.docker.io/oracle/database-instantclient:12.2.0.1
image: index.docker.io/store/oracle/database-instantclient:12.2.0.1
All of the above attempts return the same error (with different image paths):
Failed to pull image "store/oracle/database-instantclient:12.2.0.1": rpc error: code = Unknown desc = Error response from daemon: repository store/oracle/database-instantclient not found: does not exist or no pull access
I managed to run this in minikube by setting up a secret with my docker login:
kubectl create secret docker-registry dockerstore \
    --docker-server=index.docker.io/v1/ \
    --docker-username={docker store username} \
    --docker-password={docker store password} \
    --docker-email={your email}
Then kubectl create -f testreplicaset.yaml
on
#testreplicaset.yaml
apiVersion: apps/v1
kind: ReplicaSet
metadata:
  name: oracle-instantclient
  labels:
    app: oracle-instantclient
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oracle-instantclient
  template:
    metadata:
      labels:
        app: oracle-instantclient
    spec:
      containers:
        - name: oracle-instantclient-container
          image: store/oracle/database-instantclient:12.2.0.1
          env:
          ports:
      imagePullSecrets:
        - name: dockerstore
I can't tell exactly why it doesn't work for you, but it might give more clues if you ssh into your kubernetes node and try docker pull in there.
