How to pull image from Docker Store from Kubernetes Pod - docker

After following the link below, I can successfully pull my private images in Docker Hub from my Pods: Pull from Private repo
However, attempting to pull a Docker Store image doesn't seem to work.
I am able to pull this store image locally on my desktop using docker pull store/oracle/database-instantclient:12.2.0.1 and the same credentials that have been stored in Kubernetes as a secret.
What is the correct way to pull a Docker Store image from Kubernetes Pods?
Working pod config for my private repo/image:
image: index.docker.io/<privaterepo>/<privateimage>
I have tried the following in my pod config, none work:
image: store/oracle/database-instantclient:12.2.0.1
image: oracle/database-instantclient:12.2.0.1
image: index.docker.io/oracle/database-instantclient:12.2.0.1
image: index.docker.io/store/oracle/database-instantclient:12.2.0.1
All of the above attempts return the same error (with different image paths):
Failed to pull image "store/oracle/database-instantclient:12.2.0.1": rpc error: code = Unknown desc = Error response from daemon: repository store/oracle/database-instantclient not found: does not exist or no pull access

I managed to run this in minikube by setting up a secret with my docker login:
kubectl create secret docker-registry dockerstore \
--docker-server=index.docker.io/v1/ \
--docker-username={docker store username} \
--docker-password={docker store password} \
--docker-email={your email}
Then kubectl create -f testreplicaset.yaml
on
#testreplicaset.yaml
apiVersion: apps/v1
kind: ReplicaSet
metadata:
  name: oracle-instantclient
  labels:
    app: oracle-instantclient
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oracle-instantclient
  template:
    metadata:
      labels:
        app: oracle-instantclient
    spec:
      containers:
        - name: oracle-instantclient-container
          image: store/oracle/database-instantclient:12.2.0.1
          env:
          ports:
      imagePullSecrets:
        - name: dockerstore
I can't tell exactly why it doesn't work for you, but it might give more clues if you ssh into your kubernetes node and try docker pull in there.

Related

Failed to pull image pull access denied , repository does not exist or may require 'docker login':

I've created my own image just called v2 but when I do kubectl get pods, it keeps erroring out...with Failed to pull image "v2": rpc error: code = Unknown desc = Error response from daemon: pull access denied for v2, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
I'm using minikube, by the way.
This is my deployment file, also called v2.yaml
apiVersion: v1
kind: Service
metadata:
  name: v2
spec:
  selector:
    name: v2
  ports:
    - port: 8080
      targetPort: 80
---
# ... Deployment YAML definition
apiVersion: apps/v1
kind: Deployment
metadata:
  name: v2
spec:
  replicas: 1
  selector:
    matchLabels:
      name: v2
  template:
    metadata:
      labels:
        name: v2
    spec:
      containers:
        - name: v2
          image: v2
          ports:
            - containerPort: 80
          imagePullPolicy: IfNotPresent
---
# ... Ingress YAML definition
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: v2
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
    - http:
        paths:
          - path: /second
            pathType: Prefix
            backend:
              service:
                name: v2
                port:
                  number: 8080
any help gratefully received
My suspicion is that you have built your container image against your local Docker daemon, rather than minikube's. Hence, because your imagePullPolicy is set to IfNotPresent, the node will try pulling it from Docker hub (the default container registry).
You can run minikube ssh to open a shell and then run docker image ls to verify the image is not present in the minikube Docker daemon.
The solution here is to first run the following command from your local shell (i.e. not the one in minikube):
$ eval $(minikube -p minikube docker-env)
It will set up your current shell to use minikube's docker daemon. After that, in the same shell, rebuild your image. Now when minikube tries pulling the image, it should find it and bring up the pod successfully.
As the error message indicates (v2, repository does not exist), it is because of image: v2. There is no image available in Docker Hub with the name v2. If it is in your repository on Docker Hub, then mention it in the form <reponame>/v2.

How to access private docker hub image?

I’m attempting to pull a private docker image into a digital ocean Kubernetes cluster. I receive this error:
Failed to pull image "testuser/services:latest": rpc error: code =
Unknown desc = failed to pull and unpack image
"docker.io/testuser/services:latest": failed to resolve reference
"docker.io/testuser/services:latest": pull access denied, repository
does not exist or may require authorization: server message:
insufficient_scope: authorization failed
I followed the guide to configure the private registry : https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ , executing the command :
kubectl create secret generic regcred \
    --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
    --type=kubernetes.io/dockerconfigjson
I'm following this guide for creating a Kubernetes cluster with Docker container on Kubernetes: https://www.digitalocean.com/community/tutorials/how-to-automate-deployments-to-digitalocean-kubernetes-with-circleci
When I execute kubectl apply -f ~/kube-general/ the pod is successfully created but fails to pull the image and displays above error.
To enable access to a private docker hub image I’ve added imagePullSecrets to app-service.yml :
apiVersion: apps/v1
kind: Deployment
metadata:
  name: testuser
  namespace: default
  labels:
    app: testuser
spec:
  replicas: 1
  selector:
    matchLabels:
      app: testuser
  template:
    metadata:
      labels:
        app: testuser
    spec:
      containers:
        - name: testuser
          image: testuser/services:latest
          ports:
            - containerPort: 5000
              name: http
      imagePullSecrets:
        - name: regcred
app-deployment.yaml:
apiVersion: v1
kind: Service
metadata:
  name: services
  namespace: default
  labels:
    app: services
spec:
  type: ClusterIP
  ports:
    - port: 5000
      targetPort: http
      name: http
  selector:
    app: services
Update:
pulling the image from my local machine works as expected:
docker pull testuser/services:latest
latest: Pulling from testuser/services
Digest: sha256:35db6c6e9344043a67abe2e0a2f2583c036479728c944dc4136494f0d09a44fe
Status: Image is up to date for testuser/services:latest
docker.io/testuser/services:latest
The process I've followed is same as: https://www.digitalocean.com/community/questions/private-docker-registry
Can you try below:
kubectl create secret docker-registry dockerreg --docker-server=docker.io --docker-username=alloweduserid --docker-password=password --docker-email=user@abc.com

How to make a deployment file for a kubernetes service that depends on images from Amazon ECR?

A colleague created a K8s cluster for me. I can run services in that cluster without any problem. However, I cannot run services that depend on an image from Amazon ECR, which I really do not understand. Probably, I made a small mistake in my deployment file and thus caused this problem.
Here is my deployment file:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-deployment
  labels:
    app: hello
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello
  template:
    metadata:
      labels:
        app: hello
    spec:
      containers:
        - name: hello
          image: xxxxxxxxx.yyy.ecr.eu-zzzzz.amazonaws.com/test:latest
          ports:
            - containerPort: 5000
Here is my service file:
apiVersion: v1
kind: Service
metadata:
  name: hello-svc
  labels:
    app: hello
spec:
  type: NodePort
  ports:
    - port: 5000
      nodePort: 30002
      protocol: TCP
  selector:
    app: hello
On the master node, I have run this to ensure kubernetes knows about the deployment and the service.
kubectl create -f dep.yml
kubectl create -f service.yml
I used the K8s extension in vscode to check the logs of my pods.
This is the error I get:
Error from server (BadRequest): container "hello" in pod
"hello-deployment-xxxx-49pbs" is waiting to start: trying and failing
to pull image.
Apparently, pulling is an issue..... This is not happening when using a public image from the public docker hub. Logically, this would be a rights issue. But looks like it is not. I get no error message when running this command on the master node:
docker pull xxxxxxxxx.yyy.ecr.eu-zzzzz.amazonaws.com/test:latest
This command just pulls my image.
I am confused now. I can pull my image with docker pull on the master node . But K8s fails doing the pull. Am I missing something in my deployment file? Some property that says: "repositoryIsPrivateButDoNotComplain"? I just do not get it.
How to fix this so K8s can easily use my image from Amazon ECR?
You should create and use secrets for the ECR authorization.
This is what you need to do.
Create a secret for the Kubernetes cluster: execute the shell script given below from a machine from which you can access the AWS account in which the ECR registry is hosted. Please change the placeholders as per your setup. Please ensure that the machine on which you execute this shell script has the AWS CLI installed and AWS credentials configured. If you are using a Windows machine, then execute this script in a Cygwin or Git Bash console.
#!/bin/bash
ACCOUNT=<AWS_ACCOUNT_ID>
REGION=<REGION>
SECRET_NAME=<SECRETE_NAME>
EMAIL=<SOME_DUMMY_EMAIL>
TOKEN=`/usr/local/bin/aws ecr --region=$REGION --profile <AWS_PROFILE> get-authorization-token --output text --query authorizationData[].authorizationToken | base64 -d | cut -d: -f2`
kubectl delete secret --ignore-not-found $SECRET_NAME
kubectl create secret docker-registry $SECRET_NAME \
--docker-server=https://${ACCOUNT}.dkr.ecr.${REGION}.amazonaws.com \
--docker-username=AWS \
--docker-password="${TOKEN}" \
--docker-email="${EMAIL}"
Change the deployment and add a section for the secret which your pods will be using while downloading the image from ECR.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-deployment
  labels:
    app: hello
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello
  template:
    metadata:
      labels:
        app: hello
    spec:
      containers:
        - name: hello
          image: xxxxxxxxx.yyy.ecr.eu-zzzzz.amazonaws.com/test:latest
          ports:
            - containerPort: 5000
      imagePullSecrets:
        - name: SECRET_NAME
Create the pods and service.
If it succeeds, the secret will still expire in 12 hours. To overcome that, set up a cron job for recreating the secrets on the Kubernetes cluster periodically. For setting up the cron job, use the same script which is given above.
For the complete picture of how it is happening under the hood please refer to below diagram.
Regards
Amit Meena
For the 12-hour problem, if you are using Kubernetes 1.20, please configure and use the Kubelet image credential provider:
https://kubernetes.io/docs/tasks/kubelet-credential-provider/kubelet-credential-provider/
You need to enable the alpha feature gate KubeletCredentialProviders in your kubelet.
If you are using a lower Kubernetes version and this feature is not available, then use https://medium.com/@damitj07/how-to-configure-and-use-aws-ecr-with-kubernetes-rancher2-0-6144c626d42c
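What the script in this thread places in the cluster, and when the cron job has to replace it, shown as an added Python example that is not code from the original posts. The token, account ID, region, secret name and the two-hour refresh margin are constructed assumptions; the 12-hour lifetime is the figure given above.

```python
import base64
import json
from datetime import datetime, timedelta, timezone


def split_ecr_token(authorization_token):
    """Decode the base64 'AWS:<password>' value returned by get-authorization-token."""
    user, _, password = base64.b64decode(authorization_token).decode().partition(":")
    if user != "AWS" or not password:
        raise ValueError("not an ECR authorization token")
    return user, password


def pull_secret(name, registry, authorization_token):
    """Build the Secret that `kubectl create secret docker-registry` would store."""
    user, password = split_ecr_token(authorization_token)
    # The dockerconfigjson 'auth' field is base64(user:password), which is
    # exactly the form ECR hands out, so the token can be reused as-is.
    cfg = {"auths": {registry: {"username": user, "password": password,
                                "auth": authorization_token}}}
    blob = base64.b64encode(json.dumps(cfg).encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret",
            "type": "kubernetes.io/dockerconfigjson",
            "metadata": {"name": name},
            "data": {".dockerconfigjson": blob}}


def needs_refresh(issued_at, now, lifetime=timedelta(hours=12),
                  margin=timedelta(hours=2)):
    """True once the token is within `margin` of its 12-hour expiry."""
    return now >= issued_at + lifetime - margin


if __name__ == "__main__":
    # Constructed sample values; a real token comes from the AWS CLI call above.
    token = base64.b64encode(b"AWS:constructed-password").decode()
    registry = "https://123456789012.dkr.ecr.eu-west-1.amazonaws.com"
    print(json.dumps(pull_secret("ecr-pull", registry, token), indent=2))
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print("refresh now:", needs_refresh(issued, issued + timedelta(hours=11)))
```

The Secret's data is only base64-encoded, so anyone who can read Secrets in the namespace can recover the registry password until the token expires.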

Kubernetes can't use secret for private docker repository

I have a single private repository on Docker. It contains a simple ASP.Net project. The full URL is https://hub.docker.com/repository/docker/MYUSERNAME/testrepo. I can push an image to it using these commands:
$ docker tag myImage MYUSERNAME/testrepo
$ docker push MYUSERNAME/testrepo
I have created this secret in Kubernetes:
$ kubectl create secret docker-registry mysecret --docker-server="MYUSERNAME/testrepo" --docker-username=MY_USERNAME --docker-password="MY_DOCKER_PASSWORD" --docker-email=MY_EMAIL
Which successfully creates a secret in Kubernetes with my username and password. Next, I apply a simple deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: weather-deployment
  labels:
    app: weather
spec:
  replicas: 3
  selector:
    matchLabels:
      app: weather
  template:
    metadata:
      labels:
        app: weather
    spec:
      containers:
        - name: weather
          image: MYUSERNAME/testrepo:latest
          ports:
            - containerPort: 80
      imagePullSecrets:
        - name: mysecret
The deployment fails with this message:
$ Failed to pull image "MYUSERNAME/testrepo:latest": rpc error: code = Unknown desc = Error response from daemon: pull access denied for MYUSERNAME/testrepo, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
What am I doing wrong?
You should provide correct registry url --docker-server="MYUSERNAME/testrepo".
It is not docker image name. It should be your private registry url, if you use docker hub then the value should be --docker-server="https://index.docker.io/v1/". From this document
<your-registry-server> is your Private Docker Registry FQDN. (https://index.docker.io/v1/ for DockerHub)
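The mismatch described in this answer can be checked before a pod ever fails to pull. The Python sketch below is an added example, not code from the original posts: it decodes a kubernetes.io/dockerconfigjson Secret and compares the registry hosts in its auths map with the registry implied by an image reference. It is a simplified host-level comparison (the kubelet's own matching also considers paths and globs), and the function names, make_secret and the credentials in it are constructed for illustration.

```python
import base64
import json

# Host names that all mean Docker Hub; `docker login` stores Hub credentials
# under the legacy key https://index.docker.io/v1/.
DOCKER_HUB = {"docker.io", "index.docker.io", "registry-1.docker.io"}


def registry_of(image):
    """Return the registry host an image reference will be pulled from."""
    first, _, rest = image.partition("/")
    # The first path component is a registry only if it looks like a host
    # (contains '.' or ':' or is 'localhost'); otherwise Docker Hub is implied.
    if rest and ("." in first or ":" in first or first == "localhost"):
        return "docker.io" if first in DOCKER_HUB else first
    return "docker.io"


def host_of(auth_key):
    """Reduce an `auths` key such as https://index.docker.io/v1/ to its host."""
    host = auth_key.split("://", 1)[-1].split("/", 1)[0]
    return "docker.io" if host in DOCKER_HUB else host


def secret_covers(secret, image):
    """True if the Secret holds credentials for the registry `image` lives in."""
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    return registry_of(image) in {host_of(k) for k in cfg.get("auths", {})}


def make_secret(server):
    """Constructed sample: the Secret shape stored for --docker-server=server."""
    auth = base64.b64encode(b"MY_USERNAME:not-a-real-password").decode()
    cfg = {"auths": {server: {"username": "MY_USERNAME", "auth": auth}}}
    blob = base64.b64encode(json.dumps(cfg).encode()).decode()
    return {"type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": blob}}


if __name__ == "__main__":
    image = "MYUSERNAME/testrepo:latest"
    for server in ("MYUSERNAME/testrepo", "https://index.docker.io/v1/"):
        print(server, "->", secret_covers(make_secret(server), image))
```

With the question's --docker-server value the check reports no matching entry; with the Docker Hub URL from the answer it reports a match.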

Not able to start a pod in minikube by pulling image from external private registry

I have an ubuntu installed on my laptop.
I started a private docker registry (ssl enabled + htpasswd secured) and added it on overlay network (so it can be accessed from other hosts/vms)
here is the code (docker-compose.yaml):
version: "3"
services:
  registry:
    restart: always
    image: registry:2
    ports:
      - 5000:5000
    environment:
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
      REGISTRY_HTTP_TLS_KEY: /certs/domain.key
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
    volumes:
      - /certs:/certs
      - ~/caas_rd/workspace/ci_cd_pipeline/registry_setup:/auth
    networks:
      - overlaynetwork
networks:
  overlaynetwork:
so my registry is running in the following link (with dns, i can verify it in browser) : https://home-thinkpad-t420s:5000/v2/_catalog
Now I installed "Minikube" on my laptop. && ssh it by "minikube ssh".
I created a folder "/etc/docker/certs.d" on minikube vm & added certificates as per instructions :
https://docs.docker.com/engine/security/certificates/#understanding-the-configuration
I also modified /etc/hosts && appended ca.cert on /etc/ssl/certs/ca-certificates.crt.
and restarted docker service on minikube vm by : sudo systemctl restart docker.service
after this I am able to pull the images on minikube vm by "docker login & docker pull" & also by "curl with (cacert + username/password)"
above is working perfectly fine, means I can successfully access/pull private registry images inside minikube vm.
Then I tried to create a secret (on my laptop with kubectl create -f ) defined as below:
apiVersion: "v1"
kind: "Secret"
metadata:
  name: "ssl-proxy-secret"
  namespace: "default"
data:
  proxycert: "LS0..."
  proxykey: "LS0t..."
  htpasswd: "YWRt..."
and created a pod (on my laptop with kubectl create -f ) defined as below:
apiVersion: v1
kind: Pod
metadata:
  name: private-jenkins
spec:
  containers:
    - name: private-jenkins-container
      image: home-thinkpad-t420s:5000/my-jenkins
      volumeMounts:
        - name: secrets
          mountPath: /etc/secrets
  volumes:
    - name: secrets
      secret:
        secretName: ssl-proxy-secret
but when I try to run this pod, it throws error :
Failed to pull image "home-thinkpad-t420s:5000/my-jenkins": rpc error: code = 2 desc = Error: image my-jenkins not found
Error syncing pod, skipping: failed to "StartContainer" for "private-jenkins-container" with ErrImagePull: "rpc error: code = 2 desc = Error: image my-jenkins not found"
If I am able to pull images inside the minikube vm successfully by curl & docker login/pull......then when why pod creation is failing with above error ?
You need to create a separated kubernetes registry secret instead. Could use this command:
kubectl create secret docker-registry <secret-name> \
--docker-email=<your-email> --docker-username=<registry-user> \
--docker-password=<registry-password> --docker-server=<registry-server-domain>
After that you could update the pod configuration as follows:
apiVersion: v1
kind: Pod
metadata:
  name: private-jenkins
spec:
  containers:
    - name: private-jenkins-container
      image: home-thinkpad-t420s:5000/my-jenkins
  imagePullSecrets:
    - name: <secret-name>
Reference: link
Hope it helps!
Can you remove those double quotes, especially from the credentials in the secret.yml file, and try spinning the pod again?
