Geek Answers Handbook

How to pass image secret when using the "kubectl run" command?

I am trying to use the kubectl run command to pull an image from a private registry and run a command from it. But I don’t see the possibility to indicate hiding the image. It seems that it is not possible to convey the secret image as part of the run command.

Is there an alternative option to pull out the container and run the command using kubectl? The output of the command should be displayed on the console. Also, as soon as the team finishes, the pod must die.

+11
kubernetes kubectl
source share
4 answers

You can use overrides if you specify it correctly, this is the array at the end that understood me a little, below it works on Kubernet for at least 1.6:

--overrides='{ "apiVersion": "v1", "spec": { "imagePullSecrets": [{"name": "your-secret"}] } }'

eg

kubectl run -i -t hello-world --restart=Never --rm=true \ --image=eu.gcr.io/your-registry/hello-world \ --overrides='{ "apiVersion": "v1", "spec": { "imagePullSecrets": [{"name": "your-registry-secret"}] } }'

+7
source share

You can create a docker-registry secret, as described in the @ MarkO'Connor link, and then add it to ServiceAccount by default. This is an SA that acts on behalf of the pods, including pulling their images.

From Adding ImagePullSecrets to a Service Account :

 $ kubectl create secret docker-registry myregistrykey --docker-username=janedoe --docker-password=●●●●●●●●●●● --docker-email=jdoe@example.com secret "myregistrykey" created $ kubectl get serviceaccounts default -o yaml > ./sa.yaml $ cat sa.yaml apiVersion: v1 kind: ServiceAccount metadata: creationTimestamp: 2015-08-07T22:02:39Z name: default namespace: default resourceVersion: "243024" selfLink: /api/v1/namespaces/default/serviceaccounts/default uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6 secrets: - name: default-token-uudge $ vi sa.yaml [editor session not shown] [delete line with key "resourceVersion"] [add lines with "imagePullSecret:"] $ cat sa.yaml apiVersion: v1 kind: ServiceAccount metadata: creationTimestamp: 2015-08-07T22:02:39Z name: default namespace: default selfLink: /api/v1/namespaces/default/serviceaccounts/default uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6 secrets: - name: default-token-uudge imagePullSecrets: - name: myregistrykey $ kubectl replace serviceaccount default -f ./sa.yaml

Now, any new modules created in the current namespace will be added to their specification:

 spec: imagePullSecrets: - name: myregistrykey
+14
source share

As far as I know, you cannot, but you can use kubectl run nginx --image=nginx --overrides='{ "apiVersion": "v1", "spec": { ... } }' , but it’s not much different than what you can do with kubectl create -f mypod.json

I think that you do not need Pod , but Job , for example, if you need to fill the database, you can create a container that does this and run it as a task instead of a set of strings or replicas.

Kubectl run ... creates deployment objects or job`. Jobs end when the package completes and you can check the logs.

Look here and here to complete.

+2
source share

On Windows, you can do a patch , but since it shows a JSON error, you should do this trick (using PowerShell):

 > $imgsec= '{"imagePullSecrets": [{"name": "myregistrykey"}]}' | ConvertTo-Json > kubectl patch serviceaccount default -p $imgsec

Also, if you want to update / add imagePullSecret, you should use something like this:

 > $imgsec= '[{"op":"add","path":"/imagePullSecrets/-","value":{"name":"myregistrykey2"}}]' | ConvertTo-Json > kubectl patch serviceaccount default --type='json' -p $imgsec

,

+1
source share

More articles:


All Articles