This page shows how to create a Pod that uses a Secret to pull an image from a private Docker registry or repository.
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using Minikube, or you can use one of these Kubernetes playgrounds:
To check the version, enter kubectl version.
On your laptop, you must authenticate with a registry in order to pull a private image:
docker login
When prompted, enter your Docker username and password.
The login process creates or updates a config.json file that holds an authorization token.
View the config.json file:
cat ~/.docker/config.json
The output contains a section similar to this:
{
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": "c3R...zE2"
        }
    }
}
Note: If you use a Docker credentials store, you won’t see that auth entry but a credsStore entry with the name of the store as value.
A Kubernetes cluster uses the Secret of docker-registry type to authenticate with a container registry to pull a private image.
Create this Secret, naming it regcred:
kubectl create secret docker-registry regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
where:
<your-registry-server> is your Private Docker Registry FQDN (https://index.docker.io/v1/ for DockerHub).
<your-name> is your Docker username.
<your-pword> is your Docker password.
<your-email> is your Docker email.
You have successfully set your Docker credentials in the cluster as a Secret called regcred.
To understand the contents of the regcred Secret you just created, start by viewing the Secret in YAML format:
kubectl get secret regcred --output=yaml
The output is similar to this:
apiVersion: v1
data:
  .dockerconfigjson: eyJodHRwczovL2luZGV4L ... J0QUl6RTIifX0=
kind: Secret
metadata:
  ...
  name: regcred
  ...
type: kubernetes.io/dockerconfigjson
The value of the .dockerconfigjson field is a base64 representation of your Docker credentials.
To understand what is in the .dockerconfigjson field, convert the secret data to a
readable format:
kubectl get secret regcred --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode
The output is similar to this:
{"auths":{"yourprivateregistry.com":{"username":"janedoe","password":"xxxxxxxxxxx","email":"jdoe@example.com","auth":"c3R...zE2"}}}
To understand what is in the auth field, convert the base64-encoded data to a readable format:
echo "c3R...zE2" | base64 --decode
The output, username and password concatenated with a :, is similar to this:
janedoe:xxxxxxxxxxx
Notice that the Secret data contains the authorization token similar to your local ~/.docker/config.json file.
You have successfully set your Docker credentials as a Secret called regcred in the cluster.
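The two base64 layers inspected above, as an added example that is not part of the original page or of Kubernetes itself: the Python below builds the same kubernetes.io/dockerconfigjson structure from constructed credentials and then recovers them from the Secret, showing that both layers are plain encoding with no key involved. The function names and sample values are assumptions chosen for illustration.

```python
import base64
import json

DOCKERCFG_TYPE = "kubernetes.io/dockerconfigjson"


def build_registry_secret(name, server, username, password, email):
    """Return a Secret manifest (as a dict) shaped like the regcred output above."""
    # Inner layer: the "auth" field is base64("username:password").
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    entry = {"username": username, "password": password, "email": email, "auth": auth}
    # Outer layer: the whole JSON document is base64-encoded into .dockerconfigjson.
    payload = json.dumps({"auths": {server: entry}}).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": DOCKERCFG_TYPE,
        "data": {".dockerconfigjson": base64.b64encode(payload).decode()},
    }


def recover_credentials(secret):
    """Decode both layers and return {server: (username, password)}."""
    if secret.get("type") != DOCKERCFG_TYPE:
        raise ValueError("not a kubernetes.io/dockerconfigjson Secret")
    config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    recovered = {}
    for server, entry in config.get("auths", {}).items():
        if "auth" not in entry:  # entry carries no inline token, nothing to decode
            continue
        # Split on the first ':' only, since a password may itself contain ':'.
        user, _, pw = base64.b64decode(entry["auth"]).decode().partition(":")
        recovered[server] = (user, pw)
    return recovered


# Constructed sample values (hypothetical), modelled on the placeholders on this page.
SAMPLE = build_registry_secret(
    "regcred", "yourprivateregistry.com", "janedoe", "s3cr:et", "jdoe@example.com"
)

if __name__ == "__main__":
    print(json.dumps(SAMPLE, indent=2))
    print(recover_credentials(SAMPLE))
```

Since both layers reverse without a key, whoever can read the Secret object can read the registry password, so get and list permissions on Secrets in that namespace are what actually protect it.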
Here is a configuration file for a Pod that needs access to your Docker credentials in regcred:
pods/private-reg-pod.yaml
Download the above file:
wget -O my-private-reg-pod.yaml https://k8s.io/examples/pods/private-reg-pod.yaml
In file my-private-reg-pod.yaml, replace <your-private-image> with the path to an image in a private registry such as:
janedoe/jdoe-private:v1
To pull the image from the private registry, Kubernetes needs credentials.
The imagePullSecrets field in the configuration file specifies that Kubernetes should get the credentials from a Secret named regcred.
Create a Pod that uses your Secret, and verify that the Pod is running:
kubectl create -f my-private-reg-pod.yaml
kubectl get pod private-reg
imagePullSecrets field of PodSpec.