
Is there a way to configure docker hub pro user in kubernetes?


We've just bought a docker hub pro user so that we don't have to worry about pull rate limits.

Now, I'm currently having a problem trying to set the docker hub pro user. Is there a way to set the credentials for hub.docker.com globally?

In the kubernetes docs I found the following article: Kubernetes | Configure nodes for private registry

On every node I executed a docker login with the credentials, copied the config.json to /var/lib/kubelet and restarted kubelet. But I'm still getting an ErrImagePull because of those rate limits.

I've copied the config.json to the following places:

  • /var/lib/kubelet/config.json
  • /var/lib/kubelet/.dockercfg
  • /root/.docker/config.json
  • /.docker/config.json

There is an option to use a secret for authentication. The problem is that we would need to edit hundreds of statefulsets, deployments and daemonsets. So it would be great to set the docker user globally.

Here's the config.json:

{
        "auths": {
                "https://index.docker.io/v1/": {
                        "auth": "[redacted]"
                }
        },
        "HttpHeaders": {
                "User-Agent": "Docker-Client/19.03.13 (linux)"
        }
}

To check if it actually logs in with the user I've created an access token in my account. There I can see the last login with said token. The last login was when I executed the docker login command. So the images that I try to pull aren't using those credentials.

Any ideas?

Thank you!


Solution

  • Kubernetes implements this using image pull secrets. This doc does a better job at walking through the process.

    Using the Docker config.json:

    kubectl create secret generic regcred \
        --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
        --type=kubernetes.io/dockerconfigjson
    

    Or you can pass the settings directly:

    kubectl create secret docker-registry <name> --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
    

    Then use those secrets in your pod definitions:

    apiVersion: v1
    kind: Pod
    metadata:
      name: foo
      namespace: awesomeapps
    spec:
      containers:
        - name: foo
          image: janedoe/awesomeapp:v1
      imagePullSecrets:
        - name: myregistrykey
    

    Or to use the secret at a user level (Add image pull secret to service account)

    1. kubectl get serviceaccounts default -o yaml > ./sa.yaml

    2. open the sa.yaml file, delete line with key resourceVersion, add lines with imagePullSecrets: and save.

      apiVersion: v1
      kind: ServiceAccount
      metadata:
        creationTimestamp: "2020-11-22T21:41:53Z"
        name: default
        namespace: default
        selfLink: /api/v1/namespaces/default/serviceaccounts/default
        uid: afad07eb-f58e-4012-9ccf-0ac9762981d5
      secrets:
      - name: default-token-gkmp7
      imagePullSecrets:
      - name: regcred
      
      
    3. Finally replace the serviceaccount with the new updated sa.yaml file:

      kubectl replace serviceaccount default -f ./sa.yaml
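
The service-account approach above, scripted for every namespace so that the existing statefulsets, deployments and daemonsets need no manifest edits. This is an added example, not part of the original answer; the function names, the `KUBECTL`, `SECRET_NAME` and `DOCKER_CONFIG_JSON` variables and the default config path are assumptions, and `--dry-run=client` needs kubectl 1.18 or later.

```shell
#!/bin/sh
# Added example: give the default ServiceAccount of every namespace the same
# Docker Hub pull secret. Names and paths below are assumptions, not the page's.

KUBECTL="${KUBECTL:-kubectl}"          # override to point at a wrapper or stub
SECRET_NAME="${SECRET_NAME:-regcred}"  # secret name used in the answer above
DOCKER_CONFIG_JSON="${DOCKER_CONFIG_JSON:-$HOME/.docker/config.json}"

# Patch body that sets imagePullSecrets on a ServiceAccount.
sa_patch() {
  printf '{"imagePullSecrets":[{"name":"%s"}]}' "$1"
}

# Create or update the secret in one namespace, then patch its default SA.
# Rendering with --dry-run and piping to apply makes re-runs idempotent.
attach_pull_secret() {
  ns="$1"
  $KUBECTL -n "$ns" create secret generic "$SECRET_NAME" \
    --from-file=.dockerconfigjson="$DOCKER_CONFIG_JSON" \
    --type=kubernetes.io/dockerconfigjson \
    --dry-run=client -o yaml | $KUBECTL -n "$ns" apply -f - || return 1
  $KUBECTL -n "$ns" patch serviceaccount default -p "$(sa_patch "$SECRET_NAME")"
}

# Secrets are namespaced, so the secret has to exist in each namespace.
attach_everywhere() {
  for ns in $($KUBECTL get namespaces -o jsonpath='{.items[*].metadata.name}'); do
    attach_pull_secret "$ns" || echo "failed: $ns" >&2
  done
}

# Usage, after sourcing this file:  attach_everywhere
```

The secret is injected when a pod is created, so pods that already exist must be recreated to pick it up, and workloads that run under their own ServiceAccount need the same patch on that account.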