Kubernetes pull from multiple private docker regis

2020-08-18 05:38发布

问题:

To use a docker container from a private docker repo, kubernetes recommends creating a secret of type 'docker-registry' and referencing it in your deployment.

https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

kubectl create secret docker-registry regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>

Then in your helm chart or kubernetes deployment file, use imagePullSecrets

apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: foo
spec:
  replicas: {{ .Values.replicaCount }}
  template: 
    spec:
      imagePullSecrets:
      - name: regcred
      containers:
      - name: foo
        image: foo.example.com

This works, but requires that all containers be sourced from the same registry.

How would you pull 2 containers from 2 registries (e.g. when using a sidecar that is stored separate from the primary container) ?

apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: foo
spec:
  replicas: {{ .Values.replicaCount }}
  template: 
    spec:
      containers:
      - name: foo
        image: foo.example.com
        imagePullSecrets:
        - name: foo-secret
      - name: bar
        image: bar.example.com
        imagePullSecrets:
        - name: bar-secret

I've tried creating 2 secrets foo-secret and bar-secret and referencing each appropriately, but I find it fails to pull both containers.

回答1:

You have to include imagePullSecrets: directly at the pod level, but you can have multiple secrets there.

apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: foo
spec:
  replicas: {{ .Values.replicaCount }}
  template: 
    spec:
      imagePullSecrets:
      - name: foo-secret
      - name: bar-secret
      containers:
      - name: foo
        image: foo.example.com/foo-image
      - name: bar
        image: bar.example.com/bar-image

The Kubernetes documentation on this notes:

If you need access to multiple registries, you can create one secret for each registry. Kubelet will merge any imagePullSecrets into a single virtual .docker/config.json when pulling images for your Pods.