Pulling images from private registry in Kubernetes

Posted 2019-01-17 03:41

Question:

I have built a 4 node kubernetes cluster running multi-container pods all running on CoreOS. The images come from public and private repositories. Right now I have to log into each node and manually pull down the images each time I update them. I would like to be able to pull them automatically.

  1. I have tried running docker login on each server and putting the .dockercfg file in /root and /core
  2. I have also done the above with the .docker/config.json
  3. I have added secret to the kube master and added imagePullSecrets: - name: docker.io to the Pod configuration file.

When I create the pod I get the error message Error:

image <user/image>:latest not found

If I log in and run docker pull it will pull the image. I have tried this using docker.io and quay.io.

Answer 1:

Kubernetes supports a special type of secret that you can create that will be used to fetch images for your pods. More details here.



Answer 2:

To add to what @rob said, as of docker 1.7, the use of .dockercfg has been deprecated and they now use a ~/.docker/config.json file. There is support for this type of secret in kube 1.1, but you must create it using different keys/type configuration in the yaml:

First, base64 encode your ~/.docker/config.json:

cat ~/.docker/config.json | base64 -w0   

Note that the base64 encoding should appear on a single line so with -w0 we disable the wrapping.

Next, create a yaml file: my-secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: registrypullsecret
data:
  .dockerconfigjson: <base-64-encoded-json-here>
type: kubernetes.io/dockerconfigjson

$ kubectl create -f my-secret.yaml && kubectl get secrets

NAME                  TYPE                                  DATA
default-token-olob7   kubernetes.io/service-account-token   2
registrypullsecret    kubernetes.io/dockerconfigjson        1

Then, in your pod's yaml you need to reference registrypullsecret or create a replication controller:

apiVersion: v1
kind: Pod
metadata:
  name: my-private-pod
spec:
  containers:
    - name: private
      image: yourusername/privateimage:version
  imagePullSecrets:
    - name: registrypullsecret
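
Added example (not part of the answer above, and not Kubernetes or Docker code): base64-encoding the whole ~/.docker/config.json copies every registry login in that file into the secret, and yields a secret with no usable credentials when Docker stores logins in a credential helper. This sketch builds the same kubernetes.io/dockerconfigjson Secret from a single registry entry; the function names and SAMPLE_CONFIG values are constructed for illustration.

```python
import base64
import json

# Constructed sample of a ~/.docker/config.json with logins for two registries.
# The "auth" values are base64 of made-up "user:password" pairs.
SAMPLE_CONFIG = {
    "auths": {
        "https://index.docker.io/v1/": {"auth": base64.b64encode(b"demo-user:demo-pass").decode()},
        "quay.io": {"auth": base64.b64encode(b"other-user:other-pass").decode()},
    }
}


def build_pull_secret(config, registry, name="registrypullsecret"):
    """Return a kubernetes.io/dockerconfigjson Secret holding only `registry`."""
    entry = config.get("auths", {}).get(registry)
    if entry is None:
        raise KeyError(f"no login for {registry!r} in config")
    if not entry.get("auth"):
        # With a credential helper (credsStore/credHelpers) docker leaves the
        # entry empty, so the encoded file would carry no credentials at all.
        raise ValueError(f"{registry!r} has no inline auth (credential helper in use?)")
    minimal = {"auths": {registry: {"auth": entry["auth"]}}}
    # b64encode never inserts line breaks, matching `base64 -w0`.
    encoded = base64.b64encode(json.dumps(minimal).encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": encoded},
    }


def registries_in_secret(manifest):
    """Decode a dockerconfigjson Secret and list the registries it exposes."""
    if manifest.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a dockerconfigjson secret")
    raw = base64.b64decode(manifest["data"][".dockerconfigjson"])
    return sorted(json.loads(raw)["auths"])


if __name__ == "__main__":
    secret = build_pull_secret(SAMPLE_CONFIG, "quay.io")
    print(json.dumps(secret, indent=2))  # kubectl create -f also accepts JSON manifests
    print(registries_in_secret(secret))
```

registries_in_secret can also be run on the output of kubectl get secret ... -o json to audit which registries an existing pull secret exposes.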


Answer 3:

If you need to pull an image from a private Docker Hub repository, you can use the following.

Create your secret key

kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL

secret "myregistrykey" created.

Then add the newly created key to your Kubernetes service account.

Retrieve the current service account

kubectl get serviceaccounts default -o yaml > ./sa.yaml

Edit sa.yaml and add the ImagePullSecret after Secrets

imagePullSecrets:
- name: myregistrykey

Update the service account

kubectl replace serviceaccount default -f ./sa.yaml


Answer 4:

For centos7, the docker config file is under /root/.dockercfg

  1. echo $(cat /root/.dockercfg) | base64 -w 0
  2. Copy and paste result to secret YAML based on the old format:

    apiVersion: v1
    kind: Secret
    metadata:
      name: docker-secret
    # type is a top-level field of the Secret, not part of metadata
    type: kubernetes.io/dockercfg
    data:
      .dockercfg: <YOUR_BASE64_JSON_HERE>
    

And it worked for me, hope that could also help.



Answer 5:

I can confirm that imagePullSecrets is not working with deployment, but you can

kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
kubectl edit serviceaccounts default

Add

imagePullSecrets:
- name: myregistrykey

To the end after Secrets, save and exit. And it works. Tested with Kubernetes 1.6.7