For information about how to pull from other private registries, see the following topics:
- Google Cloud Registry (GCR) with external Kubernetes
- Amazon EC2 Container Registry (ECR) with Kubernetes
To connect to a private repository on Docker Hub, you add an imagePullSecrets field to the configuration for a Kubernetes service account. It refers to a type of Kubernetes secret that contains credential information.
Before you start, make sure that you have your Docker credentials available. Note that kubectl create secret requires docker-email, although Docker Hub has deprecated it.
First, create a secret that contains your Docker credentials:
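    # Replace the placeholder values with your own.
    SECRETNAME=varSecretName
    USERNAME=varDockerUsername
    PW=varDockerPassword
    EMAIL=varDockerEmail
    # Quote the variables so that special characters in the password survive.
    kubectl create secret docker-registry "$SECRETNAME" \
      --docker-username="$USERNAME" \
      --docker-password="$PW" \
      --docker-email="$EMAIL"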
You can now add the secret to your Kubernetes configuration. You can add it to the default service account with the following command:
    kubectl patch serviceaccount default \
      -p "{\"imagePullSecrets\": [{\"name\": \"$SECRETNAME\"}]}"
If you work with only the default service account, then all pods in the namespace pull images from the private registry. This is the case whether or not you explicitly specify the service account in the pod spec. If you work with multiple service accounts, each service account must provide the appropriate imagePullSecrets value. For more information, see the Kubernetes documentation on service accounts.
After you run kubectl patch to add your imagePullSecrets value, the YAML for the default service account looks like the following:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: default
      namespace: default
      selfLink: /api/v1/namespaces/default/serviceaccounts/default
    imagePullSecrets:
    - name: your_secret_name

Or you can specify the imagePullSecrets value on individual pods. The YAML for this approach might look like the following:

    apiVersion: v1
    kind: Pod
    metadata:
      name: <your_pod_name>
    spec:
      containers:
      - name: your_container_name
        image: <your_docker_username>/<your_private_repository_name>:<your_tagname>
      imagePullSecrets:
      - name: your_secret_name
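
The following Python is an added example, not part of the original page or of Kubernetes itself. It builds a Secret in the layout that kubectl create secret docker-registry stores, decodes it back to the Docker password (the value is base64-encoded, not encrypted), and resolves which pull secret a pod ends up with: its own imagePullSecrets if it lists any, otherwise those of its service account. The names regcred and alice and the manifests are constructed sample values.

```python
import base64
import json

DOCKER_HUB = "https://index.docker.io/v1/"  # kubectl's default --docker-server
SECRET_TYPE = "kubernetes.io/dockerconfigjson"


def build_pull_secret(name, username, password, email, server=DOCKER_HUB):
    """Build a Secret manifest in the layout `kubectl create secret docker-registry` stores."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {server: {"username": username, "password": password,
                                 "email": email, "auth": auth}}}
    payload = base64.b64encode(json.dumps(config).encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "type": SECRET_TYPE,
            "metadata": {"name": name}, "data": {".dockerconfigjson": payload}}


def recover_credentials(secret):
    """Decode a pull secret to {server: (username, password)}; base64 is not encryption."""
    if secret.get("type") != SECRET_TYPE:
        raise ValueError("not a kubernetes.io/dockerconfigjson secret")
    config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    creds = {}
    for server, entry in config.get("auths", {}).items():
        if "auth" in entry:  # combined field: base64("username:password")
            user, _, pw = base64.b64decode(entry["auth"]).decode().partition(":")
        else:
            user, pw = entry.get("username", ""), entry.get("password", "")
        creds[server] = (user, pw)
    return creds


def effective_pull_secrets(pod, service_accounts):
    """Names of the pull secrets a pod ends up with after service account admission."""
    spec = pod.get("spec", {})
    if spec.get("imagePullSecrets"):  # a pod-level list is kept as written
        return [ref["name"] for ref in spec["imagePullSecrets"]]
    sa = service_accounts.get(spec.get("serviceAccountName", "default"), {})
    return [ref["name"] for ref in sa.get("imagePullSecrets", [])]


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    secret = build_pull_secret("regcred", "alice", "s3cr3t:pw", "alice@example.com")
    print(recover_credentials(secret))
    accounts = {"default": {"imagePullSecrets": [{"name": "regcred"}]}}
    pod = {"spec": {"containers": [{"name": "app", "image": "alice/private:1.0"}]}}
    print(effective_pull_secrets(pod, accounts))
```

Because the stored credential decodes directly, anyone allowed to read secrets in the namespace can recover the Docker password, so read access to the secret should be restricted accordingly.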