Error from server (BadRequest): container "espace-client-client" in pod "espace-client-client" is waiting to start: trying and failing to pull image - docker

I've deployed my first app on my Kubernetes prod cluster a month ago.
I could deploy my 2 services (front / back) from gitlab registry.
Now, I pushed a new docker image to gitlab registry and would like to redeploy it in prod:
Here is my deployment file:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  annotations:
    reloader.stakater.com/auto: "true"
  labels:
    app: espace-client-client
  name: espace-client-client
  namespace: espace-client
spec:
  replicas: 1
  strategy: {}
  template:
    metadata:
      labels:
        app: espace-client-client
    spec:
      containers:
        - envFrom:
            - secretRef:
                name: espace-client-client-env
          image: registry.gitlab.com/xxx/espace_client/client:latest
          name: espace-client-client
          ports:
            - containerPort: 3000
          resources: {}
      restartPolicy: Always
      imagePullSecrets:
        - name: gitlab-registry
I have no clue what is inside gitlab-registry. I didn't do it myself, and the people who did it left the crew :( Nevertheless, I have all the permissions, so, I only need to know what to put in the secret, and maybe delete it and recreate it.
It seems that secret is based on my .docker/config.json
➜ espace-client git:(k8s) ✗ kubectl describe secrets gitlab-registry
Name: gitlab-registry
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/dockerconfigjson
Data
====
.dockerconfigjson: 174 bytes
I tried to delete existing secret, logout with
docker logout registry.gitlab.com
kubectl delete secret gitlab-registry
Then login again:
docker login registry.gitlab.com -u myGitlabUser
Password:
Login Succeeded
and pull image with:
docker pull registry.gitlab.com/xxx/espace_client/client:latest
which worked.
file: ~/.docker/config.json is looking weird:
{
    "auths": {
        "registry.gitlab.com": {}
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/18.09.6 (linux)"
    },
    "credsStore": "secretservice"
}
It doesn't seem to contain any credential...
Then I recreate my secret
kubectl create secret generic gitlab-registry \
    --from-file=.dockerconfigjson=/home/julien/.docker/config.json \
    --type=kubernetes.io/dockerconfigjson
I also tried to do :
kubectl create secret docker-registry gitlab-registry --docker-server=registry.gitlab.com --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
and deploy again:
kubectl rollout restart deployment/espace-client-client -n espace-client
but I still have the same error:
Error from server (BadRequest): container "espace-client-client" in pod "espace-client-client-6c8b88f795-wcrlh" is waiting to start: trying and failing to pull image

You have to update the gitlab-registry secret because this item is used to let Kubelet pull the protected image using credentials.
Please, delete the old secret with kubectl -n yournamespace delete secret gitlab-registry and recreate it typing credentials:
kubectl -n yournamespace create secret docker-registry gitlab-registry --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD[ --docker-email=DOCKER_EMAIL]
where:
- DOCKER_REGISTRY_SERVER is the GitLab Docker registry instance
- DOCKER_USER is the username of the robot account to pull images
- DOCKER_PASSWORD is the password attached to the robot account
You could ignore docker-email since it's not mandatory (note the square brackets).

Related

Cannot pull image from remote Gitlab registry to Kubernetes

I've been trying to create a deployment of docker image to Kubernetes cluster without luck, my deployment.yaml looks like:
apiVersion: v1
kind: Pod
metadata:
  name: application-deployment
  labels:
    app: application
spec:
  serviceAccountName: gitlab
  automountServiceAccountToken: false
  containers:
    - name: application
      image: example.org:port1/foo/bar:latest
      ports:
        - containerPort: port2
  volumes:
    - name: foo
      secret:
        secretName: regcred
But it fails to get the image.
Failed to pull image "example.org:port1/foo/bar:latest": rpc error: code = Unknown desc = Error response from daemon: Get https://example.org:port1/v2/foo/bar/manifests/latest: denied: access forbidden
The secret used in deployment.yaml, was created like this:
kubectl create secret docker-registry regcred --docker-server=${CI_REGISTRY} --docker-username=${CI_REGISTRY_USER} --docker-password=${CI_REGISTRY_PASSWORD} --docker-email=${GITLAB_USER_EMAIL}
Attempt #1: adding imagePullSecrets
...
imagePullSecrets:
- name: regcred
results in:
Failed to pull image "example.org:port1/foo/bar:latest": rpc error: code = Unknown desc = Error response from daemon: Get https://example.org:port1/v2/foo/bar/manifests/latest: unauthorized: HTTP Basic: Access denied
Solution:
I've created deploy token under Settings > Repository > Deploy Tokens > (created one with read_registry scope)
And added given values to environment variables and an appropriate line now looks like:
kubectl create secret docker-registry regcred --docker-server=${CI_REGISTRY} --docker-username=${CI_DEPLOY_USER} --docker-password=${CI_DEPLOY_PASSWORD}
I've got the problematic line from tutorials & Gitlab docs, where they've described deploy tokens but further used problematic line in examples.
I reproduced your issue and the problem is with password you used while creating a repository's secret. When creating a secret for gitlab repository you have to use personal token created in gitlab instead of a password.
You can create a token by going to Settings -> Access Tokens. Then you have to pick a name for your token, expiration date and token's scope.
Then create a secret as previously by running
kubectl create secret docker-registry regcred --docker-server=$docker_server --docker-username=$docker_username --docker-password=$personal_token
While creating a pod you have to include
imagePullSecrets:
- name: regcred
You need to add the imagePullSecret to your deployment, so your pod will be:
apiVersion: v1
kind: Pod
metadata:
  name: application-deployment
  labels:
    app: application
spec:
  serviceAccountName: gitlab
  automountServiceAccountToken: false
  containers:
    - name: application
      image: example.org:port1/foo/bar:latest
      ports:
        - containerPort: port2
  imagePullSecrets:
    - name: regcred
Be sure that the secret and the pod are in the same namespace.
Also make sure that the container image you are pulling exists, with the right tag.
I notice you are trying to run the command in a pipeline on gitlab-ci; after running the create secret command, check that your secret is right (with the variables replaced).
You can verify that you can log in to the registry and pull the image manually on some other Linux machine, to be sure that the credentials are right.
creating a secret didn't work for me at first, though I had to specify the namespace for the secret and it worked.
kubectl delete secret -n ${NAMESPACE} regcred --ignore-not-found
kubectl create secret -n ${NAMESPACE} docker-registry regcred --docker-server=${CI_REGISTRY} --docker-username=${CI_DEPLOY_USERNAME} --docker-password=${CI_DEPLOY_PASSWORD} --docker-email=${GITLAB_USER_EMAIL}
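Added example (not code from any of the posts above): a small Python lint for two mistakes visible in these threads, a pull secret that lives in a different namespace than the pod, and a registry secret mounted as a volume instead of being listed under imagePullSecrets. The function names and the secret inventory are assumptions; the inventory is constructed from the manifests and the `kubectl describe` output quoted above.

```python
PULL_TYPES = {"kubernetes.io/dockerconfigjson", "kubernetes.io/dockercfg"}

def pod_spec(manifest):
    """Pod spec of a Pod, or of the pod template of a Deployment/ReplicaSet."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})

def lint_pull_secrets(manifest, secrets):
    """Check imagePullSecrets against a {(namespace, name): type} inventory."""
    # Assumption: a manifest without metadata.namespace lands in "default".
    ns = manifest.get("metadata", {}).get("namespace", "default")
    spec = pod_spec(manifest)
    refs = [ref["name"] for ref in spec.get("imagePullSecrets", [])]
    findings = []
    for name in refs:
        if (ns, name) in secrets:
            kind = secrets[(ns, name)]
            if kind not in PULL_TYPES:
                findings.append(f"{ns}/{name} has type {kind}, not a registry secret")
            continue
        # Pull secrets are only looked up in the pod's own namespace.
        elsewhere = sorted(n for (n, s) in secrets if s == name)
        hint = f" (exists in: {', '.join(elsewhere)})" if elsewhere else ""
        findings.append(f"secret {name} not found in namespace {ns}{hint}")
    # A registry secret mounted as a volume is not used for pulling images.
    for vol in spec.get("volumes", []):
        name = vol.get("secret", {}).get("secretName")
        if name and name not in refs and secrets.get((ns, name)) in PULL_TYPES:
            findings.append(f"{name} is mounted as a volume but not listed in imagePullSecrets")
    return findings

# Constructed inputs: reduced copies of the Deployment and Pod shown above.
DEPLOYMENT = {"kind": "Deployment", "metadata": {"namespace": "espace-client"},
              "spec": {"template": {"spec": {
                  "imagePullSecrets": [{"name": "gitlab-registry"}]}}}}
POD = {"kind": "Pod", "metadata": {"name": "application-deployment"},
       "spec": {"volumes": [{"name": "foo", "secret": {"secretName": "regcred"}}]}}
# Constructed inventory: `kubectl describe` above reports Namespace: default.
SECRETS = {("default", "gitlab-registry"): "kubernetes.io/dockerconfigjson",
           ("default", "regcred"): "kubernetes.io/dockerconfigjson"}

if __name__ == "__main__":
    for manifest in (DEPLOYMENT, POD):
        print(manifest["kind"], lint_pull_secrets(manifest, SECRETS))
```

In a real cluster the inventory would come from `kubectl get secrets --all-namespaces -o json`, reduced to namespace, name and type.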

Failing to authenticate kubernetes secret with private repo on docker hub, so I can't deploy

I've tried https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
and the base 64 encoded solution in a yaml file (which is ultimately what I need to do) doesn't authenticate. (apparently this is a common problem and if anyone's got a yaml file that has it working I'd love to see it or a method that allows secure deployment from a private repo, just so we don't get stuck in the x-y problem)
So I tried the following:
kubectl create secret generic registrykey --from-file=.dockerconfigjson=/home/dbosh/.docker/config.json --type=kubernetes.io/dockerconfigjson
with the deployment file:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my_deployment
spec:
  selector:
    matchLabels:
      app: my_deployment
      tier: backend
      track: stable
  replicas: 7
  template:
    metadata:
      labels:
        app: my_deployment
        tier: backend
        track: stable
    spec:
      containers:
        - name: my_deployment
          image: "my_private_repo:image_name"
          ports:
            - name: http
              containerPort: 8082
      imagePullSecrets:
        - name: registrykey
However whenever I try to deploy, I keep getting that the "pull access denied for my_private_repo, repository does not exist or may require 'docker login".
Now to create the docker login file, I have indeed logged in and tested again with logging in immediately before regenerating the secret and then redeploying and it still doesn't authenticate.
Any help appreciated please.
UPDATE (thanks to a useful comment):
It would appear that my config.json after logging in looks like this:
cat .docker/config.json
{
    "auths": {
        "https://index.docker.io/v1/": {}
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/18.09.2 (linux)"
    },
    "credsStore": "secretservice"
}
This would appear to not contain a token. I generated this from running docker login and providing my credentials. Any ideas anyone?
There's no token for your private repo in the config.json file, but only for docker hub.
So you need to re-authenticate within your private repository:
docker logout <my_private_repo> && docker login <my_private_repo> -u <user> -p <pass> && cat ~/.docker/config.json
Should be a bit of this:
"auths": {
    "my_private_repo": {
        "auth": "c3VraG92ZXJzsdfdsQXNocmV2b2h1czg4"
    }
}
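Added example (not code from the posts above): a Python check of whether a Docker config.json actually carries credentials for the registry an image is pulled from, run against the GitLab config.json quoted earlier on this page; the Docker Hub config.json in this thread has the same shape. Function names and the placeholder credentials are assumptions, and matching `auths` keys by bare host name is a simplification.

```python
import base64
import json

# Docker Hub appears under several host names; treat them as one registry.
HUB_ALIASES = {"docker.io", "index.docker.io", "registry-1.docker.io",
               "registry.hub.docker.com"}

def registry_of(image):
    """Registry host of an image reference (docker.io when none is given)."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def normalize(key):
    """Reduce an auths key such as https://index.docker.io/v1/ to a host."""
    host = key.split("://", 1)[-1].split("/", 1)[0]
    return "docker.io" if host in HUB_ALIASES else host

def audit(config_text, image):
    """Problems that would stop a pull of `image` using this config file."""
    cfg = json.loads(config_text)
    wanted = normalize(registry_of(image))
    entries = {normalize(k): v for k, v in cfg.get("auths", {}).items()}
    if wanted not in entries:
        return [f"no auths entry for {wanted}"]
    entry = entries[wanted]
    if entry.get("auth") or (entry.get("username") and entry.get("password")):
        return []
    problems = [f"auths entry for {wanted} carries no credentials"]
    store = cfg.get("credsStore")
    if store:
        # docker login saved the password in the OS credential store instead.
        problems.append(f"credentials are held by credsStore '{store}', not in this file")
    return problems

def build_config(server, username, token):
    """Payload with the fields `kubectl create secret docker-registry` writes
    (email omitted)."""
    auth = base64.b64encode(f"{username}:{token}".encode()).decode()
    return json.dumps({"auths": {server: {
        "username": username, "password": token, "auth": auth}}})

# Copy of the GitLab question's ~/.docker/config.json.
GITLAB_CONFIG = """{"auths": {"registry.gitlab.com": {}},
 "HttpHeaders": {"User-Agent": "Docker-Client/18.09.6 (linux)"},
 "credsStore": "secretservice"}"""
IMAGE = "registry.gitlab.com/xxx/espace_client/client:latest"

if __name__ == "__main__":
    print(audit(GITLAB_CONFIG, IMAGE))
    # Constructed placeholder credentials, not real ones.
    print(audit(build_config("registry.gitlab.com", "deploy-user", "EXAMPLE-TOKEN"), IMAGE))
```

A secret built with `--from-file` from a file that fails this check is a valid Secret object but gives the kubelet nothing to authenticate with.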

How to pull image from Docker Store from Kubernetes Pod

After following the link below, I can successfully pull my private images in Docker Hub from my Pods: Pull from Private repo
However, attempting to pull a Docker Store image doesn't seem to work.
I am able to pull this store image locally on my desktop using docker pull store/oracle/database-instantclient:12.2.0.1 and the same credentials that have been stored in Kubernetes as a secret.
What is the correct way to pull a Docker Store image from Kubernetes Pods?
Working pod config for my private repo/image:
image: index.docker.io/<privaterepo>/<privateimage>
I have tried the following in my pod config, none work:
image: store/oracle/database-instantclient:12.2.0.1
image: oracle/database-instantclient:12.2.0.1
image: index.docker.io/oracle/database-instantclient:12.2.0.1
image: index.docker.io/store/oracle/database-instantclient:12.2.0.1
All of the above attempts return the same error (with different image paths):
Failed to pull image "store/oracle/database-instantclient:12.2.0.1": rpc error: code = Unknown desc = Error response from daemon: repository store/oracle/database-instantclient not found: does not exist or no pull access
I managed to run this in minikube by setting up a secret with my docker login:
kubectl create secret docker-registry dockerstore \
    --docker-server=index.docker.io/v1/ \
    --docker-username={docker store username} \
    --docker-password={docker store password} \
    --docker-email={your email}
Then kubectl create -f testreplicaset.yaml
on
#testreplicaset.yaml
apiVersion: apps/v1
kind: ReplicaSet
metadata:
  name: oracle-instantclient
  labels:
    app: oracle-instantclient
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oracle-instantclient
  template:
    metadata:
      labels:
        app: oracle-instantclient
    spec:
      containers:
        - name: oracle-instantclient-container
          image: store/oracle/database-instantclient:12.2.0.1
          env:
          ports:
      imagePullSecrets:
        - name: dockerstore
I can't tell exactly why it doesn't work for you, but it might give more clues if you ssh into your kubernetes node and try docker pull in there.

How to pull image from dockerhub in kubernetes?

I am planning to deploy an application in my kubernetes-clustering infra.
I pushed image to dockerhub repo. How can I pull image from dockerhub?
One line command to create a Docker registry secret
kubectl create secret docker-registry regcred --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email> -n <your-namespace>
Then you can use it in your deployment file under spec
spec:
  containers:
    - name: private-reg-container-name
      image: <your-private-image>
  imagePullSecrets:
    - name: regcred
More details:
https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-in-the-cluster-that-holds-your-authorization-token
Kubernetes runs docker pull pseudo/your-image:latest under the hood. The image field in Kubernetes resources is simply the docker image to run.
spec:
  containers:
    - name: app
      image: pseudo/your-image:latest
[...]
As the docker image name contains no specific docker registry url, the default is docker.io. Your image is in fact docker.io/pseudo/your-image:latest
If your image is hosted in a private docker hub repo, you need to specify an image pull secret in the spec field.
spec:
  containers:
    - name: app
      image: pseudo/your-image:latest
  imagePullSecrets:
    - name: dockerhub-credential
Here is the documentation to create the secret containing your docker hub login: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
using docker pull or kubectl set image
example yaml deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.14.2
          ports:
            - containerPort: 80
start container and show status deployment with kubectl get deployments
result
NAME READY UP-TO-DATE AVAILABLE AGE
nginx-deployment 3/3 3 3 18s
and now update image in kubernetes using set image
kubectl set image deployment/nginx-deployment nginx=nginx:1.16.1
and show status update image with rollout
kubectl rollout status deployment/nginx-deployment
Note: nginx is the name of the container (the name field):
containers:
  - name: nginx
    image: nginx:1.14.2
nginx:1.16.1 is the image version on Docker Hub; it is recommended to change the version to update.
If you decide to remove the update and roll back to the previous revision, use rollout undo
kubectl rollout undo deployment/nginx-deployment
for more information, use the documentation
Create a docker registry secret:
#!/bin/bash
# Create the registry secret in every namespace.
for ns in $(kubectl get namespaces | grep -v NAME | awk '{print $1}')
do
    kubectl create secret docker-registry docker.registry \
        --docker-username='<MyAccountName>' \
        --docker-password='MyDockerHubPassword' -n "$ns"
done
Patch all the dynamic service accounts in all the namespaces with the secret you created in step 1
for ns in $(kubectl get namespaces | grep -v NAME | awk '{print $1}')
do
    for sa in $(kubectl -n "$ns" get sa | grep -v SECRETS | awk '{print $1}')
    do
        # Attach the pull secret to the service account so its pods use it.
        kubectl patch serviceaccount "$sa" -p '{"imagePullSecrets": [{"name": "docker.registry"}]}' -n "$ns"
        if [ $? -eq 0 ]; then
            echo "$ns $sa patched"
        else
            echo "Error patching $ns $sa"
        fi
    done
done
You can patch only specific namespaces, if you wish.
Let me know how it goes.

How to access private Docker Hub repository from Kubernetes on Vagrant

I am failing to pull from my private Docker Hub repository into my local Kubernetes setup running on Vagrant:
Container "hellonode" in pod "hellonode-n1hox" is waiting to start: image can't be
pulled
Failed to pull image "username/hellonode": Error: image username/hellonode:latest not found
I have set up Kubernetes locally via Vagrant as described here and created a secret named "dockerhub" with kubectl create secret docker-registry dockerhub --docker-server=https://registry.hub.docker.com/ --docker-username=username --docker-password=... --docker-email=... which I supplied as the image pull secret.
I am running Kubernetes 1.2.0.
To pull a private DockerHub hosted image from a Kubernetes YAML:
Run these commands:
DOCKER_REGISTRY_SERVER=docker.io
DOCKER_USER=Type your dockerhub username, same as when you `docker login`
DOCKER_EMAIL=Type your dockerhub email, same as when you `docker login`
DOCKER_PASSWORD=Type your dockerhub pw, same as when you `docker login`
kubectl create secret docker-registry myregistrykey \
    --docker-server=$DOCKER_REGISTRY_SERVER \
    --docker-username=$DOCKER_USER \
    --docker-password=$DOCKER_PASSWORD \
    --docker-email=$DOCKER_EMAIL
If your username on DockerHub is DOCKER_USER, and your private repo is called PRIVATE_REPO_NAME, and the image you want to pull is tagged as latest, create this example.yaml file:
apiVersion: v1
kind: Pod
metadata:
  name: whatever
spec:
  containers:
    - name: whatever
      image: DOCKER_USER/PRIVATE_REPO_NAME:latest
      imagePullPolicy: Always
      command: [ "echo", "SUCCESS" ]
  imagePullSecrets:
    - name: myregistrykey
Then run:
kubectl create -f example.yaml
Create k8 Secret:
apiVersion: v1
kind: Secret
metadata:
  # Secret names must be lowercase DNS subdomain names.
  name: repositorysecretkey
data:
  .dockerconfigjson: <base64 encoded docker auth config>
type: kubernetes.io/dockerconfigjson
Then in pod or rc config mention the secret. Example :
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  containers:
    - name: test-pod
      image: quay.io/example/hello:1.1
  imagePullSecrets:
    - name: repositorysecretkey
Docker auth config
{
    "auths": {
        "https://quay.io": {
            "email": ".",
            "auth": "<base64 encoded auth token>"
        }
    }
}
Or
kubectl create secret docker-registry myregistrykey \
    --docker-server=DOCKER_REGISTRY_SERVER \
    --docker-username=DOCKER_USER \
    --docker-password=DOCKER_PASSWORD \
    --docker-email=DOCKER_EMAIL
I solved using the following Kubectl command :
kubectl create secret docker-registry your-key-name \
    --docker-server=docker.io \
    --docker-username=DOCKER_USER \
    --docker-password=DOCKER_PASSWORD \
    --docker-email=DOCKER_EMAIL
You can follow these instructions on how to configure nodes to authenticate to a private repository in order to configure the kubelets to make Docker use your credentials, or follow +Phagun Baya's solution with imagePullSecrets that applies to pods.
Just in case anyone else is stuck using kubectl from Windows -
set secretname="secret1"
set username="dockerhubUsername"
set pw="dockerhubPassword"
set email="dockerhubEmail#domain.com"
kubectl create secret docker-registry %secretname% --docker-username=%username% --docker-password=%pw% --docker-email=%email%
