Check-out from private Docker registry in Kubernetes
by Alex Arica

Kubernetes has a built-in secret mechanism for pulling images from private Docker registries. If you keep images in a private Docker repository and want your pods to pull containers from it, follow the steps in this blog post.

Add a secret with the Docker registry details

Let's add a secret holding the Docker repository credentials and connection details, as follows:

kubectl create secret docker-registry [secret name] -n [namespace] \
  --docker-server=https://index.docker.io/v1/ \
  --docker-username=[docker account username] \
  --docker-password=[docker account security token]

Make sure that the Docker account token has read-only access to your Docker registry. Kubernetes only needs to pull images from the repository, nothing more. If your Kubernetes cluster is compromised by an attacker, storing only the credentials of a read-only Docker account limits what the attacker can do with them.

In your deployment yaml, add the field “imagePullSecrets”

In each deployment yaml that has container(s) to pull from a private Docker repository, you need to specify the field imagePullSecrets with the name of the secret created above: imagePullSecrets: - name: [secret name]

apiVersion: apps/v1
kind: Deployment
metadata:
  name: reactive-tech-website
spec:
  replicas: 3
  selector:
    matchLabels:
      app: reactive-tech-website
  template:
    metadata:
      labels:
        app: reactive-tech-website
    spec:
      imagePullSecrets:
        - name: [secret name]
      containers:
        - image: reactivetechio/reactive-tech-website:latest
          name: reactive-tech-website
          ports:
            - containerPort: 80
              protocol: TCP
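As an added example (not code from the original post), the shell functions below build the same kubernetes.io/dockerconfigjson Secret that the kubectl command from the first step creates, so it can be applied from a manifest instead, and decode an existing secret's .dockerconfigjson to confirm which account the cluster actually holds, which is how you check that the read-only account, not an admin one, was stored. The secret name pull-creds, the namespace default and the account ro-puller are made-up values; credentials containing double quotes are not handled.

```shell
#!/bin/sh
# Build the .dockerconfigjson document that `kubectl create secret docker-registry` stores.
# Arguments: server username token  (kubectl may also add an "email" field; omitted here)
dockerconfig_json() {
  server="$1"; user="$2"; token="$3"
  # "auth" is base64("username:password"), the same encoding Docker's own config.json uses.
  auth=$(printf '%s:%s' "$user" "$token" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$server" "$user" "$token" "$auth"
}

# Render a Secret manifest equivalent to the kubectl command (for kubectl apply or a GitOps repo).
# Arguments: name namespace server username token
secret_manifest() {
  name="$1"; ns="$2"; server="$3"; user="$4"; token="$5"
  data=$(dockerconfig_json "$server" "$user" "$token" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $data
EOF
}

# Print the username stored for a registry server inside a base64-encoded .dockerconfigjson,
# e.g. the value of: kubectl get secret pull-creds -n default -o jsonpath='{.data.\.dockerconfigjson}'
# Arguments: encoded-dockerconfigjson server
registry_user() {
  encoded="$1"; server="$2"
  printf '%s' "$encoded" | base64 -d |
    sed -n "s|.*\"$server\"[^}]*\"username\":\"\([^\"]*\)\".*|\1|p"
}

# Example run with constructed values (ro-puller is a made-up read-only account):
secret_manifest pull-creds default 'https://index.docker.io/v1/' ro-puller dckr_pat_example
```

Pipe the decoded username from registry_user into your review checklist: if it is not the read-only account, the secret should be replaced before the deployment goes live.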