Grant JWA Access to Private Registry

This guide will walk you through enabling Jupyter Web App (JWA) to create Notebooks using images pulled from a private registry.

What You'll Need


  1. Log in to Docker:

    root@rok-tools:~# docker login
    Login with your Docker ID to push and pull images from Docker Hub. If you
    don't have a Docker ID, head over to to create one.
    Username: user
  2. Logging in to Docker will create or update a config.json file that holds an authorization token. View the file and verify it has the correct format, based on the example output below:

    root@rok-tools:~# cat ~/.docker/config.json
        "auths": {
            "": {
                "auth": "c3R...zE2"
  3. Create a Secret based on your existing Docker credentials:

    root@rok-tools:~# kubectl create secret generic regcred \
    > --from-file=.dockerconfigjson=.docker/config.json \
    secret/regcred created
  4. Inspect the Secret to verify that it was created:

    root@rok-tools:~# kubectl get secret regcred --output=yaml
  5. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  6. Create a PodDefault using the previously created Secret as imagePullSecret:

    kind: PodDefault
      name: access-prv-registry
      desc: Allow access to private registry
          registry-pull-secret: "true"
      - name: regcred  # < -- Update this line with the name of your Secret.


    Notice the selector.matchLabels field, this PodDefault will be applied to every Pod that contains the label registry-pull-secret: "true" in its spec. Jupyter Web App will now show this new PodDefault in the "Configurations" section.

  7. (Optional) If you want to make the PodDefault selected by default, edit kubeflow/manifests/apps/jupyter/jupyter-web-app/upstream/overlays/deploy/patches/config-map.yaml and append the above label, that is, registry-pull-secret to the existing spawnerFormDefaults.configurations.value list.

  8. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Allow pulling private images when creating Notebooks"


    You must also commit both Secret and PodDefault in your GitOps repository.

  9. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply kubeflow/manifests/apps/jupyter/jupyter-web-app/upstream/overlays/deploy
  10. Restart the JWA pod so that it "sees" the change in the jupyter-web-app-config ConfigMap:

    root@rok-tools:~/ops/deployments# kubectl delete pods -n kubeflow -l


You have successfully granted JWA access to your private registry.

What's Next

Check out the rest of the operations you can perform on your Kubeflow deployment.