Pods fail to start when pulling an image from a private container registry

Solution In Progress - Updated -

Environment

  • Red Hat OpenShift Enterprise 3.1

Issue

  • In OpenShift 3.1, pods fail to start because they are not able to pull the new image from the private container registry
  • The error message reads:
Failed to pull image <private-container-registry>/<project>/<image>:<tag>: image pull failed for <private-container-registry>/<project>/<image>:<tag>, this may be because there are no credentials on this request. details: (Error: image <project>/<image>:<tag> not found)

Resolution

Private container registries are typically secured and require authentication. The pods are failing to start because the secrets for the private container registry have not been configured.

To pull a secured Docker-formatted container image that is not from OpenShift’s integrated registry, create a configuration secret and add it to the service account.

If a .dockercfg file exists for the secured registry, a secret from that file can be created by running:

$ oc secrets new <pull_secret_name> .dockercfg=<path/to/.dockercfg>

If a $HOME/.docker/config.json file (used by newer Docker clients) exists for the secured registry, a secret from that file can be created by running:

$ oc secrets new <pull_secret_name> .dockerconfigjson=<path/to/.docker/config.json>

If a .dockercfg file does not already exist, create a secret by running:

$ oc secrets new-dockercfg <pull_secret_name> \
    --docker-server=<registry_server> --docker-username=<user_name> \
    --docker-password=<password> --docker-email=<email>

To use a secret for pulling images for pods, add the secret to the service account. The service account named in this example should match the service account the pod will use; "default" is the default service account:

$ oc secrets add serviceaccount/default secrets/<pull_secret_name> --for=pull

To use a secret for pushing and pulling build images, the secret must be mountable inside of a pod. This is accomplished by running:

$ oc secrets add serviceaccount/builder secrets/<pull_secret_name>
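The two file-based commands above take different key names (.dockercfg or .dockerconfigjson) depending on the layout of the credential file. The following pre-flight check is an added example, not part of the original solution or of OpenShift: it reports which key a file needs and whether the file really holds inline credentials for the registry. The function name, registry host and sample credentials are constructed for illustration.

```python
import base64
import json


def _host(name):
    """Reduce 'https://host:port/v1/' or 'host:port' to 'host:port'."""
    return name.split("://", 1)[-1].split("/", 1)[0].lower()


def inspect_docker_creds(text, registry):
    """Return (secret_key, username) for `registry`; raise ValueError if unusable.

    secret_key is the key name to give `oc secrets new` for this file layout.
    The password is checked for presence but never returned or printed.
    """
    doc = json.loads(text)
    if not isinstance(doc, dict):
        raise ValueError("credential file is not a JSON object")
    if isinstance(doc.get("auths"), dict):
        # $HOME/.docker/config.json layout: registries nested under "auths"
        key, entries = ".dockerconfigjson", doc["auths"]
    else:
        # legacy .dockercfg layout: registries are the top-level keys
        key, entries = ".dockercfg", doc
    wanted = _host(registry)
    entry = next((v for k, v in entries.items()
                  if isinstance(v, dict) and _host(k) == wanted), None)
    if entry is None:
        raise ValueError(f"no entry for {wanted}")
    auth = entry.get("auth")
    if not isinstance(auth, str) or not auth:
        # e.g. the client keeps credentials in a helper, not in the file
        raise ValueError(f"entry for {wanted} has no inline 'auth' value")
    try:
        decoded = base64.b64decode(auth, validate=True).decode()
    except ValueError as exc:
        raise ValueError(f"'auth' for {wanted} is not valid base64 text") from exc
    user, sep, password = decoded.partition(":")
    if not (sep and user and password):
        raise ValueError(f"'auth' for {wanted} is not 'user:password'")
    return key, user


# Constructed sample inputs (not real credentials).
_AUTH = base64.b64encode(b"puller:constructed-password").decode()
LEGACY = json.dumps({"registry.example.com:5000": {"auth": _AUTH, "email": "a@example.com"}})
MODERN = json.dumps({"auths": {"https://registry.example.com:5000/v1/": {"auth": _AUTH}}})
HELPER = json.dumps({"auths": {"registry.example.com:5000": {}}, "credsStore": "example"})
```

A file like HELPER, where the Docker client stores credentials outside the file, produces a secret with no usable credentials, so the pod would still fail to pull with the error shown under Issue.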

Reference: Allowing Pods to Reference Images from Other Secured Registries

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
