Grant JWA Access to Private Registry

This guide will walk you through enabling Jupyter Web App (JWA) to create Notebooks using images pulled from a private registry.

What You'll Need

Procedure

  1. Log in to Docker:

    root@rok-tools:~# docker login
    Login with your Docker ID to push and pull images from Docker Hub. If you
    don't have a Docker ID, head over to https://hub.docker.com to create one.
    Username: user
    Password:
    
  2. Logging in to Docker will create or update a config.json file that holds an authorization token. View the file and verify it has the correct format, based on the example output below:

    root@rok-tools:~# cat ~/.docker/config.json
    {
        "auths": {
            "https://index.docker.io/v1/": {
                "auth": "c3R...zE2"
            }
        }
    }
    
  3. Create a Secret based on your existing Docker credentials:

    root@rok-tools:~# kubectl create secret generic regcred \
    > --from-file=.dockerconfigjson=.docker/config.json \
    > --type=kubernetes.io/dockerconfigjson
    secret/regcred created
    
  4. Inspect the Secret to verify that it was created:

    root@rok-tools:~# kubectl get secret regcred --output=yaml
    
  5. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
    
  6. Create a PodDefault using the previously created Secret as imagePullSecret:

    apiVersion: kubeflow.org/v1alpha1
    kind: PodDefault
    metadata:
      name: access-prv-registry
    spec:
      desc: Allow access to private registry
      selector:
        matchLabels:
          registry-pull-secret: "true"
      imagePullSecrets:
      - name: regcred  # < -- Update this line with the name of your Secret.
    

    Note

    Notice the selector.matchLabels field, this PodDefault will be applied to every Pod that contains the label registry-pull-secret: "true" in its spec. Jupyter Web App will now show this new PodDefault in the "Configurations" section.

  7. (Optional) If you want to make the PodDefault selected by default, edit kubeflow/manifests/apps/jupyter/jupyter-web-app/upstream/overlays/deploy/patches/config-map.yaml and append the above label, that is, registry-pull-secret to the existing spawnerFormDefaults.configurations.value list.

  8. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Allow pulling private images when creating Notebooks"
    

    Note

    You must also commit both Secret and PodDefault in your GitOps repository.

  9. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply kubeflow/manifests/apps/jupyter/jupyter-web-app/upstream/overlays/deploy
    
  10. Restart the JWA pod so that it "sees" the change in the jupyter-web-app-config ConfigMap:

    root@rok-tools:~/ops/deployments# kubectl delete pods -n kubeflow -l app.kubernetes.io/name=jupyter-web-app
    

Summary

You have successfully granted JWA access to your private registry.

What's Next

Check out the rest of the operations you can perform on your Kubeflow deployment.