How can I configure Kubernetes so that it can pull images from a private registry that requires basic authentication?

Solution Unverified - Updated -

Environment

  • Red Hat Enterprise Linux Atomic Host 7.1
  • Private docker registry that needs authentication before images can be pulled
  • Kubernetes 0.9.0-0.3.git96af0c3.el7 (shipped with Red Hat Enterprise Linux Atomic Host 7.1)

Issue

  • How to configure Kubernetes so that it can pull images from a private registry that requires basic authentication?
  • docker is not recognizing the /root/.dockercfg file while launching pods
  • kubectl create -f pod.yaml fails. The following message is seen on the minion:


    Jan XX XXXXX rhel-minion docker: Authentication is required.
    Jan XX XXXXX rhel-minion kubelet: E0120 18:37:21.383811 1544 kubelet.go:761] Failed to pull image registry.customer.com/xx/xxx: Authentication is required.; skipping pod xxx.default.etcd container xxx.
  • Kubelet fails to pull the image from private registry that needs authentication

Resolution

Creating .dockercfg file

1. Get the auth string from the username and password. Use echo -n so that the trailing newline is not encoded into the string.

echo -n "USERNAME:PASSWORD" | base64

2. Create the .dockercfg file using the syntax below, replacing docker-registry-url, auth and email with the appropriate values.

{
     "docker-registry-url": {
             "auth": "use the string output from step 1",
             "email": "email@example.com"
     }
}

With Kubernetes-0.9.0-0.3.git96af0c3.el7

Create the .dockercfg file under the /var/lib/kubelet/ directory. No other changes are required. Restart the kubelet service using the command:

systemctl restart kubelet
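
The steps above as an added shell example (not part of the original solution): one function writes a .dockercfg in the format from step 2, and a second checks the file before the kubelet is restarted. The function names, registry.example.com and the credentials are hypothetical; the check assumes one key per line as in step 2, and the 0600 mode assumes the kubelet runs as the file's owner.

```shell
#!/bin/sh
# Added example: build and sanity-check a .dockercfg for the kubelet.
# Typical use (all values are placeholders):
#   write_dockercfg registry.example.com USERNAME PASSWORD \
#       email@example.com /var/lib/kubelet/.dockercfg

# write_dockercfg REGISTRY USER PASSWORD EMAIL OUTFILE
write_dockercfg() {
    # printf '%s' emits no trailing newline (plain echo would, and the
    # newline would become part of the encoded password); tr undoes the
    # line wrapping that base64 applies to long input.
    auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
    # The auth value is only encoded, not encrypted, so keep the file 0600.
    ( umask 077
      printf '{\n    "%s": {\n        "auth": "%s",\n        "email": "%s"\n    }\n}\n' \
          "$1" "$auth" "$4" > "$5" ) && chmod 600 "$5"
}

# check_dockercfg FILE -> returns 0 if the file looks usable, 1 otherwise
check_dockercfg() {
    # Reject files that group or others can read or write.
    perms=$(ls -l "$1" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$1: mode too open" >&2; return 1; }
    auth=$(sed -n 's/.*"auth": *"\([^"]*\)".*/\1/p' "$1" | head -n 1)
    [ -n "$auth" ] || { echo "$1: no auth entry" >&2; return 1; }
    # The decoded value must not contain CR or LF characters.
    total=$(printf '%s' "$auth" | base64 -d | wc -c)
    clean=$(printf '%s' "$auth" | base64 -d | tr -d '\r\n' | wc -c)
    [ "$total" -eq "$clean" ] || { echo "$1: newline in credentials" >&2; return 1; }
    # It must have the form USER:PASSWORD.
    case $(printf '%s' "$auth" | base64 -d) in
        ?*:?*) return 0 ;;
        *) echo "$1: auth is not USER:PASSWORD" >&2; return 1 ;;
    esac
}
```
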

Root Cause

With versions of Kubernetes earlier than 0.9.0-0.3.git96af0c3.el7, Kubernetes required the .dockercfg file to be created under /root. / is read-only in Red Hat Enterprise Linux Atomic Host. With Kubernetes-0.9.0-0.3.git96af0c3.el7, the .dockercfg file should be created under the /var/lib/kubelet/ directory and no other changes are required. The WorkingDirectory directive in the kubelet.service file was changed, or hardcoded, to /var/lib/kubelet/.

Diagnostic Steps

  1. After launching the pod, review the logs using journalctl
