How to pass image pull secret while using 'kubectl run' command?
I am trying to use kubectl run command to pull an image from private registry and run a command from that. But I don't see an option to specify image pull secret. It looks like it is not possible to pass image secret as part for run command.
Is there any alternate option to pull a container and run a command using kubectl? The command output should be seen on the console. Also once the command finishes the pod should die.
You can use the overrides if you specify it right, it's an array in the end, that took me a bit to figure out, the below works on Kubernetes of at least 1.6:
--overrides='{ "spec": { "template": { "spec": { "imagePullSecrets": [{"name": "your-registry-secret"}] } } } }'
for example
kubectl run -i -t hello-world --rm --generator=run-pod/v1 \
--image=eu.gcr.io/your-registry/hello-world \
--image-pull-policy="IfNotPresent" \
--overrides='{ "spec": { "template": { "spec": { "imagePullSecrets": [{"name": "your-registry-secret"}] } } } }'
You could create the docker-registry
secret as described at @MarkO'Connor's link, then add it to the default ServiceAccount. It's the SA that acts on the behalf of pods, including pulling their images.
From Adding ImagePullSecrets to a service account:
$ kubectl create secret docker-registry myregistrykey --docker-username=janedoe --docker-password=●●●●●●●●●●● [email protected]
secret "myregistrykey" created
$ kubectl get serviceaccounts default -o yaml > ./sa.yaml
$ cat sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: 2015-08-07T22:02:39Z
name: default
namespace: default
resourceVersion: "243024"
selfLink: /api/v1/namespaces/default/serviceaccounts/default
uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
secrets:
- name: default-token-uudge
$ vi sa.yaml
[editor session not shown]
[delete line with key "resourceVersion"]
[add lines with "imagePullSecret:"]
$ cat sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: 2015-08-07T22:02:39Z
name: default
namespace: default
selfLink: /api/v1/namespaces/default/serviceaccounts/default
uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
secrets:
- name: default-token-uudge
imagePullSecrets:
- name: myregistrykey
$ kubectl replace serviceaccount default -f ./sa.yaml
Now, any new pods created in the current namespace will have this added to their spec:
spec:
imagePullSecrets:
- name: myregistrykey
Usually when you need kubectl run
it's because you're testing something temporary, in a namespace that already has the docker registry secret to access the private registry. So the simplest is to edit the default service account to give it the pull secret to use when a pull secret is not present (which will be the case for kubectl run
):
kubectl edit serviceaccount default
The edit will show something similar to this:
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: "2019-04-16T14:48:17Z"
name: default
namespace: integration-testing
resourceVersion: "60516585"
selfLink: /api/v1/namespaces/integration-testing/serviceaccounts/default
uid: ab7b767d-6056-11e9-bba8-0ecf3bdac4a0
secrets:
- name: default-token-4nnk4
Just append an imagePullSecrets
:
imagePullSecrets:
- name: <name-of-your-docker-registry-password-secret>
so it will look like this:
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: "2019-04-16T14:48:17Z"
name: default
namespace: integration-testing
resourceVersion: "60516585"
selfLink: /api/v1/namespaces/integration-testing/serviceaccounts/default
uid: ab7b767d-6056-11e9-bba8-0ecf3bdac4a0
secrets:
- name: default-token-4nnk4
imagePullSecrets:
- name: <name-of-your-docker-registry-password-secret>
Say name is YOUR_PWD_SECRET
, then this secret must exist in the kubectl context's namespace:
tooluser:/host $ kubectl get secret YOUR_PWD_SECRET
NAME TYPE DATA AGE
YOUR_PWD_SECRET kubernetes.io/dockerconfigjson 1 186d
If it doesn't exist you must create it, either from scratch or copy it from another namespace (best way to do that is answer by NicoKowe at https://stackoverflow.com/a/58235551/869951).
With a secret holding your docker registry password, the secret in the same namespace where the kubectl run
will execute, and with a default service account that lists the secret as imagePullSecrets, the kubectl run
will work.
On Windows, you can do patch
, but as it shows a JSON error, you have to do this trick (using PowerShell):
> $imgsec= '{"imagePullSecrets": [{"name": "myregistrykey"}]}' | ConvertTo-Json
> kubectl patch serviceaccount default -p $imgsec
Also , if you want to update/ append imagePullSecret , then you should be using something like this :
> $imgsec= '[{"op":"add","path":"/imagePullSecrets/-","value":{"name":"myregistrykey2"}}]' | ConvertTo-Json
> kubectl patch serviceaccount default --type='json' -p $imgsec
.
As far as I know you cannot, but you can use kubectl run nginx --image=nginx --overrides='{ "apiVersion": "v1", "spec": { ... } }'
, but this is not very different from what you can do with kubectl create -f mypod.json
What I think you're after is not a Pod
but a Job
, for example, if you need to populate a database, you can create a container that does that, and run it as a job instead of a pod or replica set.
Kubectl run ...
creates deploymentor
job` objects. Jobs finish when the pod execution terminates and you can check the logs.
Take a look here and here for the termination