Search code examples
kubernetesdocker-registryk3s

K3S: How to authenticate with hub.docker.com too pull private images?

I have a Kubernetes cluster setup with K3s and I want to pull from the registry located at hub.docker.com. This is no problem when trying to pull public images, but when I am trying to pull the private images from hub.docker.com. It can't find them.

I already tried and create a secret regcred with my Docker login information (see here) and added it with the imagePullSecrets. But that doesn't seem to work.

How can I tell my K3s cluster to authenticate with the private part of hub.docker.com allowing me to pull private images in a Deployment?

Thanks

Here is my full manifest:

apiVersion: v1
kind: Namespace
metadata:
  name: example
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example
  namespace: example
spec:
  replicas: 2
  selector:
    matchLabels:
      app: example
  template:
    metadata:
      labels:
        app: example
    spec:
      containers:
        - name: example
          image: example/example:latest
          ports:
            - containerPort: 80
          imagePullPolicy: Always
      imagePullSecrets:
        - name: regcred
---
apiVersion: v1
kind: Service
metadata:
  name: example
  namespace: example
spec:
  ports:
    - port: 80
      targetPort: 80
      name: tcp
  selector:
    app: example
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example
  namespace: example
  annotations:
    kubernetes.io/ingress.class: "traefik"
    kubernetes.io/tls-acme: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
    ingress.kubernetes.io/ssl-temporary-redirect: "true"
    ingress.kubernetes.io/ssl-host: "example.com"
    traefik.frontend.rule.type: PathPrefixStrip
    traefik.ingress.kubernetes.io/redirect-regex: "^https://example.com(.*)"
    traefik.ingress.kubernetes.io/redirect-replacement: "https://www.example.com/$1"
spec:
  rules:
    - host: "example.com"
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: example
                port:
                  number: 80
    - host: "www.example.com"
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: example
                port:
                  number: 80

Regcred is looking like this:

{"auths":{"https://index.docker.io/v1/":{"username":"example","password":"secret","email":"[email protected]","auth":"dm...g5"}}}%

Pod status:

NAME                        READY   STATUS             RESTARTS   AGE
example-688b97d5d7-q9ngl    0/1     ImagePullBackOff   0          101s

When running the command kubectl describe pod example-688b97d5d7-q9ngl gives me:

Failed to pull image "example/example:latest": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/example/example:latest": failed to resolve reference "docker.io/example/example:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
Solution

  • Thanks for all the help everyone. The problem was that I didn't create the regcred secret for the specific namespace. When I did that, everything worked instantly.