Set Up Cluster-Wide Authenticated Access to a Docker Registry
This section describes a way to provide an existing Kubernetes cluster with
authenticated access to a Docker Registry using a
private-registry-docker), thus avoiding using
under each Kubernetes node with a user-specified Docker JSON configuration
file, thus providing cluster-wide authenticated access to the Docker Registry.
You may want authenticated access to a Docker Registry for the following reasons:
- The Docker Registry is private.
- The Docker Registry has rate-limiting when not authenticated.
What You'll Need
The requirements to provide cluster-wide authenticated access to a Docker Registry depend on the type of your Docker Registry. Choose one of the following options:
Patch the kustomization to use the mirrored images. To do so, run:
root@rok-tools:/# rok-image-patch \
> --kustomizations ~/ops/deployments/rok/private-registry-docker/overlays/deploy
Follow the on-screen instructions and provide any necessary input.
Go to your GitOps repository, inside your rok-tools management environment:
root@rok-tools:/# cd ~/ops/deployments
Copy your Docker JSON configuration file under your clone of the GitOps repository. Choose one of the following options, based on the type of the Docker Registry.
Stage the changes in the
root@rok-tools:~/ops/deployments# git add rok/private-registry-docker/overlays/deploy
Commit the changes:
root@rok-tools:~/ops/deployments# git commit -m \
> "Set up cluster-wide authenticated access to our Docker Registry"
Apply the kustomization:
root@rok-tools:~/ops/deployments# rok-deploy --apply \
> rok/private-registry-docker/overlays/deploy
Ensure that the
DaemonSet is running. Verify that field STATUS is Running and field READY is 1/1:
root@rok-tools:/# kubectl get pods -l app=private-registry-docker
NAME                            READY   STATUS    RESTARTS   AGE
private-registry-docker-9tgj2   1/1     Running   0          6h12m
Ensure that the
DaemonSet has properly mounted the Docker JSON configuration file to the host:
root@rok-tools:/# kubectl exec ds/private-registry-docker \
> ls /host/var/lib/kubelet/config.json
/host/var/lib/kubelet/config.json
Ensure there are no Pods with images from the Docker Registry that fail with
ImagePullBackOff, that is, the following command produces no output:
root@rok-tools:/# kubectl get pods -A | grep ImagePullBackOff
There are Pods in
- Ensure these Pods use images from the Docker Registry you granted authenticated access to.
- Wait a few minutes for
kubelet to use the new credentials, since it caches them.
- Try to start a container from an image in your Docker Registry using kubectl run.
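One way to carry out the first check in the list above, as an added example that is not part of the original guide: it compares the registry of each failing Pod's image against the registries that have usable credentials in the Docker JSON configuration file. It assumes the standard Docker `config.json` layout (`auths` entries with a base64 `auth` field holding `user:password`); the function names, registries, Pods and credentials are constructed for illustration.

```python
import base64
import json

# Keys under which Docker stores Docker Hub credentials in config.json.
DOCKER_HUB_KEYS = {"https://index.docker.io/v1/", "index.docker.io", "docker.io"}

def registry_of(image):
    """Return the registry host of an image reference (docker.io if none is given)."""
    first, sep, _ = image.partition("/")
    # The first path component names a registry only if it looks like a host.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def configured_registries(config_text):
    """Return registry hosts whose `auth` field decodes to a non-empty user:password."""
    hosts = set()
    for key, entry in json.loads(config_text).get("auths", {}).items():
        try:
            decoded = base64.b64decode(entry.get("auth", ""), validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            continue  # malformed entry: treat the registry as not configured
        user, sep, password = decoded.partition(":")
        if not (user and sep and password):
            continue
        # Normalise "https://host/v1/" style keys down to the bare host.
        host = key.split("://", 1)[-1].split("/", 1)[0]
        hosts.add("docker.io" if key in DOCKER_HUB_KEYS else host)
    return hosts

def uncovered_failures(config_text, failing):
    """Map pod -> registry for failing pods whose registry has no usable credentials."""
    covered = configured_registries(config_text)
    return {pod: registry_of(img) for pod, img in failing if registry_of(img) not in covered}

# Constructed sample data: registries, pods and credentials are made up.
SAMPLE_CONFIG = json.dumps({"auths": {
    "registry.example.com": {"auth": base64.b64encode(b"ci-user:s3cret").decode()},
    "https://index.docker.io/v1/": {"auth": "not-base64!"},
}})
SAMPLE_FAILING = [
    ("team-a/web-0", "registry.example.com/team-a/web:1.2"),
    ("team-b/cache-0", "redis:7"),
    ("team-c/job-1", "other.example.org:5000/job:latest"),
]

if __name__ == "__main__":
    for pod, registry in uncovered_failures(SAMPLE_CONFIG, SAMPLE_FAILING).items():
        print(f"{pod}: no usable credentials for {registry}")
```

Pods that the check does not report pull from a registry the file covers, so for those the remaining items in the list (credential caching by kubelet, a manual test pull) are the next things to look at.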
You have successfully configured your Kubernetes cluster to have authenticated access to a Docker Registry.