Sometimes we need to deploy Pods whose images are stored in a private Docker Registry, which is very useful for internal deployments of private projects. With a solution managed by our cloud provider this task is easy, but when we have to deal with different cloud providers or an external registry, as in my case, the procedure gets more difficult.

In this post I'm going to explain how to set up our cluster for pulling those images which are uploaded to an external Docker Registry.

Creating a Secret with the authentication details

First, we need to authenticate with the Docker CLI:

docker login <registry-url>

This command will create a new entry inside the file ~/.docker/config.json, similar to this one:

{
        "auths": {
                "": {
                        "auth": "bWF...Fo0TA=="
                },
                "": {
                        "auth": "cWF...w=="
                }
        }
}

We need to populate a Secret resource inside the Kubernetes cluster:

kubectl create secret generic -n <target-namespace> <secret-name> \
    --from-file=.dockerconfigjson="$HOME/.docker/config.json" \
    --type=kubernetes.io/dockerconfigjson

This will create a Secret with the content of the Docker config.json file encoded with base64. It's important to create the Secret in the namespace where we're going to deploy the private image.

We can verify the Secret creation with the following command:

kubectl get secret <secret-name> -n <namespace> --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode
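The Secret above carries the whole config.json, so every registry we have logged in to ends up in the cluster, and if Docker uses a credential helper the entry has no auth value at all. The following Python sketch is an added example, not part of the original post: it keeps only one registry's entry and checks that it is usable. The function name minimal_pull_config and the sample registry names are assumptions made for the illustration.

```python
import base64
import binascii
import json
import sys
from pathlib import Path


def minimal_pull_config(config: dict, registry: str) -> dict:
    """Return a .dockerconfigjson payload holding only `registry`'s credentials."""
    entry = config.get("auths", {}).get(registry)
    if entry is None:
        raise KeyError(f"no auths entry for {registry}; run docker login first")
    auth = entry.get("auth")
    if not auth:
        # With a credential helper, docker login leaves the entry empty and keeps
        # the secret outside config.json, so there is nothing the kubelet can use.
        helper = config.get("credHelpers", {}).get(registry) or config.get("credsStore")
        raise ValueError(f"{registry} has no inline auth (credential helper: {helper})")
    try:
        user, sep, password = base64.b64decode(auth, validate=True).decode().partition(":")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"auth for {registry} is not valid base64 text") from exc
    if not (user and sep and password):
        raise ValueError(f"auth for {registry} does not decode to user:password")
    # Copy only the auth field of the one registry the cluster needs.
    return {"auths": {registry: {"auth": auth}}}


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Real use: print the trimmed config for the registry given as argument.
        source = json.loads((Path.home() / ".docker" / "config.json").read_text())
        print(json.dumps(minimal_pull_config(source, sys.argv[1])))
    else:
        # Constructed sample: two registries, only one of which the cluster needs.
        token = lambda u, p: base64.b64encode(f"{u}:{p}".encode()).decode()
        sample = {"auths": {
            "registry.example.internal": {"auth": token("ci-bot", "constructed-1")},
            "other.example.org": {"auth": token("me", "constructed-2")},
        }}
        print(json.dumps(minimal_pull_config(sample, "registry.example.internal"), indent=2))
```

Run it with the registry URL as the only argument, write the output to a file, and pass that file to --from-file=.dockerconfigjson= instead of the full config.json.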

Patching the namespace Service Account

In order to allow the authentication against the private registry we need to patch the default Service Account of the namespace with the imagePullSecrets entry.

 kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "<name-of-the-secret-previously-created>"}]}' -n <namespace>

We're ready to pull images from the private registry!

Happy deployment!