ContextQMD
Back to Kind

Private Registries

site/content/docs/user/private-registries.md

0.31.03.8 KB
Original Source

Use ImagePullSecrets

Kubernetes supports configuring pods to use imagePullSecrets for pulling images. If possible, this is the preferable and most portable route.

See the upstream kubernetes docs for this, kind does not require any special handling to use this.

If you already have the config file locally but would still like to use secrets, read through kubernetes' docs for creating a secret from a file.

Pull to the Host and Side-Load

kind can load an image from the host with the kind load ... commands. If you configure your host with credentials to pull the desired image(s) and then load them to the nodes you can avoid needing to authenticate on the nodes.

Add Credentials to the Nodes

Generally the upstream docs for using a private registry apply, with kind there are two options for this.

Mount a Config File to Each Node

If you pre-create a docker config.json containing credential(s) on the host you can mount it to each kind node.

Assuming your file is at /path/to/my/secret.json, the kind config would be:

{{< codeFromInline lang="yaml" >}} kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 nodes:

  • role: control-plane extraMounts:
    • containerPath: /var/lib/kubelet/config.json hostPath: /path/to/my/secret.json {{< /codeFromInline >}}

Use an Access Token

A credential can be programmatically added to the nodes at runtime.

If you do this then kubelet must be restarted on each node to pick up the new credentials.

An example shell snippet for generating a gcr.io cred file on your host machine using Access Tokens:

{{< codeFromFile file="static/examples/kind-gcr.sh" >}}

Use a Service Account

Access tokens are short lived, so you may prefer to use a Service Account and keyfile instead. First, either download the key from the console or generate one with gcloud:

gcloud iam service-accounts keys create <output.json> --iam-account <account email>

Then, replace the gcloud auth print-access-token | ... line from the access token snippet with:

cat <output.json> | docker login -u _json_key --password-stdin https://gcr.io

See Google's upstream docs on key file authentication for more details.

Use a Certificate

If you have a registry authenticated with certificates, and both certificates and keys reside on your host folder, it is possible to mount and use them into the containerd plugin patching the default configuration, like in the example:

{{< codeFromInline lang="yaml" >}} kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 nodes:

  • role: control-plane

    This option mounts the host docker registry folder into

    the control-plane node, allowing containerd to access them.

    extraMounts:
    • containerPath: /etc/docker/certs.d/registry.dev.example.com hostPath: /etc/docker/certs.d/registry.dev.example.com

NOTE: the following patch is not necessary with images from kind v0.27.0+

It may enable some older images to work similarly

containerdConfigPatches:

  • |- [plugins."io.containerd.grpc.v1.cri".registry] config_path = "/etc/containerd/certs.d" {{< /codeFromInline >}}