CentOS Stream 9

Kubernetes : Use Private Registry
2025/05/20

Configure Kubernetes to pull container images from your own Private Registry.

This example is based on the following environment.

+----------------------+   +----------------------+
|  [ ctrl.srv.world ]  |   |   [ dlp.srv.world ]  |
|     Manager Node     |   |     Control Plane    |
+-----------+----------+   +-----------+----------+
        eth0|10.0.0.25             eth0|10.0.0.30
            |                          |
------------+--------------------------+-----------
            |                          |
        eth0|10.0.0.51             eth0|10.0.0.52
+-----------+----------+   +-----------+----------+
| [ node01.srv.world ] |   | [ node02.srv.world ] |
|     Worker Node#1    |   |     Worker Node#2    |
+----------------------+   +----------------------+

[1] On the Node where you'd like to run the Private Registry Pod, configure the Registry with basic authentication and an HTTPS connection (with a valid certificate), refer to here.
In this example, the Registry Pod is running on the Manager Node.

[2] Add Secret in Kubernetes.
# login to the Registry once with a user

[cent@ctrl ~]$
podman login ctrl.srv.world:5000

Username:
serverworld

Password:
Login Succeeded!
# then the following file is generated

[cent@ctrl ~]$
ll /run/user/$(id -u)/containers/auth.json

-rw-------. 1 cent cent 91 May 20 13:12 /run/user/1000/containers/auth.json
[cent@ctrl ~]$
AUTH=$(cat /run/user/$(id -u)/containers/auth.json | base64 | tr -d '\n')

[cent@ctrl ~]$ cat <<EOF > regcred.yml
apiVersion: v1
kind: Secret
data:
  .dockerconfigjson: ${AUTH}
metadata:
  name: regcred
type: kubernetes.io/dockerconfigjson
EOF

[cent@ctrl ~]$
kubectl apply -f regcred.yml

secret "regcred" created
[cent@ctrl ~]$
kubectl get secrets

NAME      TYPE                             DATA   AGE
regcred   kubernetes.io/dockerconfigjson   1      5s
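
The one-liner in [2] encodes the whole auth.json, so any other registry logins stored in that file would also end up in the cluster Secret. As an added example (not from the original page), the Python code below builds the same Secret but keeps only the entry for ctrl.srv.world:5000; the function name build_pull_secret, the second registry and both passwords are constructed for illustration.

```python
import base64
import json

# Constructed sample of a containers auth.json holding logins for two
# registries; both credentials are made up for this example.
SAMPLE_AUTH_JSON = json.dumps({
    "auths": {
        "ctrl.srv.world:5000": {
            "auth": base64.b64encode(b"serverworld:example-password").decode()
        },
        "registry.example.com": {
            "auth": base64.b64encode(b"other-user:other-password").decode()
        },
    }
})


def build_pull_secret(auth_json, registry, name="regcred"):
    """Return a dockerconfigjson Secret manifest holding only `registry`."""
    auths = json.loads(auth_json).get("auths", {})
    if registry not in auths:
        raise KeyError(f"no login for {registry} in the auth file")
    token = auths[registry].get("auth", "")
    # The token must decode to "user:password"; reject anything else early
    # instead of shipping a Secret that fails at image pull time.
    user, sep, password = base64.b64decode(token).decode().partition(":")
    if not (user and sep and password):
        raise ValueError(f"malformed auth entry for {registry}")
    # Re-serialize with just the one registry, dropping every other login.
    scoped = json.dumps({"auths": {registry: {"auth": token}}})
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(scoped.encode()).decode()},
    }


if __name__ == "__main__":
    # kubectl accepts JSON manifests as well as YAML.
    manifest = build_pull_secret(SAMPLE_AUTH_JSON, "ctrl.srv.world:5000")
    print(json.dumps(manifest, indent=2))
```

Redirect the output to a file such as regcred.json and load it with kubectl apply -f, in place of regcred.yml.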
[3] To pull images from your own Private Registry, specify the private image and the Secret when deploying Pods, as follows.
[cent@ctrl ~]$
podman images

REPOSITORY                 TAG          IMAGE ID      CREATED      SIZE
ctrl.srv.world:5000/nginx  my-registry  a830707172e8  4 weeks ago  197 MB
docker.io/library/nginx    latest       a830707172e8  4 weeks ago  197 MB

[cent@ctrl ~]$
vi private-nginx.yml
apiVersion: v1
kind: Pod
metadata:
  name: private-nginx
spec:
  containers:
  - name: private-nginx
    # image on Private Registry
    image: ctrl.srv.world:5000/nginx:my-registry
  imagePullSecrets:
  # Secret name you added
  - name: regcred

[cent@ctrl ~]$
kubectl create -f private-nginx.yml

pod "private-nginx" created
[cent@ctrl ~]$
kubectl get pods

NAME            READY   STATUS    RESTARTS   AGE
private-nginx   1/1     Running   0          5s

[cent@ctrl ~]$
kubectl describe pods private-nginx

Name:             private-nginx
Namespace:        default
Priority:         0
Service Account:  default
Node:             node01.srv.world/10.0.0.51
Start Time:       Tue, 20 May 2025 13:16:29 +0900
Labels:           <none>
Annotations:      cni.projectcalico.org/containerID: 47baf590e146fba139f9431e35dea72e04d49323f496341ebdfcb5bc387bfd92
                  cni.projectcalico.org/podIP: 192.168.40.204/32
                  cni.projectcalico.org/podIPs: 192.168.40.204/32
Status:           Running
IP:               192.168.40.204
IPs:
  IP:  192.168.40.204
Containers:
  private-nginx:
    Container ID:   cri-o://af0370323e7b99d1b09f01a2ffed2a39a3f750bd0fbbfc0ffe35f09d9ca24502
    Image:          ctrl.srv.world:5000/nginx:my-registry
    Image ID:       ctrl.srv.world:5000/nginx@sha256:82e6a071627fc52d9777dcc8696d3934969250fd219ea88906104b25165cb136
    Port:           <none>
    Host Port:      <none>
    State:          Running
      Started:      Tue, 20 May 2025 13:16:30 +0900
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-f7kxn (ro)
.....
.....