CentOS Stream 10

Kubernetes : Use Private Registry
2025/01/27

Configure Kubernetes to pull container images from your own private registry.

This example is based on the following environment.

+----------------------+   +----------------------+
|  [ ctrl.srv.world ]  |   |   [ dlp.srv.world ]  |
|     Manager Node     |   |     Control Plane    |
+-----------+----------+   +-----------+----------+
        eth0|10.0.0.25             eth0|10.0.0.30
            |                          |
------------+--------------------------+-----------
            |                          |
        eth0|10.0.0.51             eth0|10.0.0.52
+-----------+----------+   +-----------+----------+
| [ node01.srv.world ] |   | [ node02.srv.world ] |
|     Worker Node#1    |   |     Worker Node#2    |
+----------------------+   +----------------------+

[1] On the node where you'd like to run the private registry Pod, configure the registry with basic authentication and an HTTPS connection (with a valid certificate), refer to here.
In this example, the registry Pod is running on the Manager Node.

[2] Add a Secret in Kubernetes.
# log in to the Registry once as a user
[cent@ctrl ~]$ podman login ctrl.srv.world:5000
Username: serverworld
Password:
Login Succeeded!
# the following file is then generated
[cent@ctrl ~]$ ll /run/user/$(id -u)/containers/auth.json
-rw-------. 1 cent cent 91 Jan 27 10:18 /run/user/1000/containers/auth.json
[cent@ctrl ~]$ AUTH=$(cat /run/user/$(id -u)/containers/auth.json | base64 | tr -d '\n')

[cent@ctrl ~]$ cat <<EOF > regcred.yml
apiVersion: v1
kind: Secret
data:
  .dockerconfigjson: ${AUTH}
metadata:
  name: regcred
type: kubernetes.io/dockerconfigjson
EOF

[cent@ctrl ~]$ kubectl apply -f regcred.yml
secret "regcred" created
[cent@ctrl ~]$ kubectl get secrets

NAME      TYPE                             DATA   AGE
regcred   kubernetes.io/dockerconfigjson   1      5s
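
The command in [2] encodes the whole auth.json, so every registry that user has logged in to ends up in the Secret, and base64 is an encoding that anyone allowed to read the Secret can reverse. The following is an added example, not part of the original page: it builds the same Secret with only the one registry entry and lists what a Secret actually carries. The function names and the sample credentials are constructed for illustration.

```python
import base64
import json


def build_pull_secret(auth_json: str, registry: str, name: str = "regcred") -> dict:
    """Return a kubernetes.io/dockerconfigjson Secret holding only `registry`'s entry."""
    auths = json.loads(auth_json).get("auths", {})
    if registry not in auths:
        raise KeyError(f"no login for {registry}; run 'podman login {registry}' first")
    entry = auths[registry]
    # "auth" is base64("user:password"): encoded, not encrypted.
    user, sep, password = base64.b64decode(entry["auth"]).decode().partition(":")
    if not (user and sep and password):
        raise ValueError(f"malformed auth entry for {registry}")
    # Keep only the one registry so other logins in auth.json never reach the cluster.
    config = json.dumps({"auths": {registry: {"auth": entry["auth"]}}})
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(config.encode()).decode()},
    }


def registries_in_secret(secret: dict) -> list:
    """Decode a Secret manifest and list the registries it carries credentials for."""
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    return sorted(json.loads(raw)["auths"])


# Constructed sample auth.json: two logins, placeholder credentials.
SAMPLE_AUTH_JSON = json.dumps({"auths": {
    "ctrl.srv.world:5000": {"auth": base64.b64encode(b"serverworld:example-password").decode()},
    "docker.io": {"auth": base64.b64encode(b"someone:other-password").decode()},
}})

if __name__ == "__main__":
    secret = build_pull_secret(SAMPLE_AUTH_JSON, "ctrl.srv.world:5000")
    print(json.dumps(secret, indent=2))  # JSON manifest; pipe to: kubectl apply -f -
```
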
[3] To pull images from your own private registry, specify the private image and the Secret when deploying Pods, as follows.
[cent@ctrl ~]$ podman images

REPOSITORY                 TAG          IMAGE ID      CREATED       SIZE
ctrl.srv.world:5000/nginx  my-registry  9bea9f2796e2  2 months ago  196 MB
docker.io/library/nginx    latest       9bea9f2796e2  2 months ago  196 MB

[cent@ctrl ~]$ vi private-nginx.yml
apiVersion: v1
kind: Pod
metadata:
  name: private-nginx
spec:
  containers:
  - name: private-nginx
    # image on Private Registry
    image: ctrl.srv.world:5000/nginx:my-registry
  imagePullSecrets:
  # Secret name you added
  - name: regcred

[cent@ctrl ~]$ kubectl create -f private-nginx.yml
pod "private-nginx" created
[cent@ctrl ~]$ kubectl get pods

NAME            READY   STATUS    RESTARTS   AGE
private-nginx   1/1     Running   0          6s

[cent@ctrl ~]$ kubectl describe pods private-nginx

Name:             private-nginx
Namespace:        default
Priority:         0
Service Account:  default
Node:             node02.srv.world/10.0.0.52
Start Time:       Mon, 27 Jan 2025 10:36:11 +0900
Labels:           <none>
Annotations:      cni.projectcalico.org/containerID: 4dd4af0f4e827c9a06a9811c2968ee852abf21ee87822321181840bb30c93806
                  cni.projectcalico.org/podIP: 192.168.241.133/32
                  cni.projectcalico.org/podIPs: 192.168.241.133/32
Status:           Running
IP:               192.168.241.133
IPs:
  IP:  192.168.241.133
Containers:
  private-nginx:
    Container ID:   cri-o://c1486b11f07dad83f3ca9dda9d0cd3f7dd1eb94fed55f23742df577b3b293188
    Image:          ctrl.srv.world:5000/nginx:my-registry
    Image ID:       ctrl.srv.world:5000/nginx@sha256:0a399eb16751829e1af26fea27b20c3ec28d7ab1fb72182879dcae1cca21206a
    Port:           <none>
    Host Port:      <none>
    State:          Running
      Started:      Mon, 27 Jan 2025 10:36:12 +0900
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-2dk5s (ro)
.....
.....