Use a Private Registry with Kubernetes

March 3, 2020 By Eric Shanks

Most of the blog posts I write about Kubernetes have examples using publicly available images from public image registries like DockerHub or Google Container Registry. But in the real world, companies use private registries for storing their container images. There is a list of reasons why you might want to do this, including:

  • Custom code is inside the container such as business logic or other intellectual property.
  • On-premises private repos provide solutions to bandwidth or firewall restrictions.
  • Custom scanning software is being integrated for vulnerability management.

In this post, we’ll set up our Kubernetes cluster to be able to use a private container registry.

Setup Kubernetes

For my lab, I’ve deployed Harbor to store some images and I’ve created certificates on the Harbor server. The images in my “hollowlab” project are simple images that I pulled down from a public repo, but they should act as my super secret private images with sensitive data within them.

Before I can start working on setting up my cluster, I need to make sure that all of my Kubernetes nodes can securely communicate with my Harbor registry. Since I’m using self-signed certificates, I need to make sure my nodes will trust them. To do this, I copy the certificates into the /etc/ssl/certs directory and afterwards reload/restart the docker daemon so the changes take effect.

Once that step is completed, I must log in to the docker registry with my username and password.

docker login registry.domain.name -u username -p password

After the login has completed, the docker/config.json file will have a section in it for the registry name and an auth token. Make sure that you’ve logged in to the docker registry and this auth token is present on every node within your Kubernetes cluster. A configuration management tool might come in handy here to make the changes across a fleet of servers.

Once the k8s nodes are authenticated through the container runtime, we use the docker config file to create a Kubernetes secret. Run the command below, replacing the path to your config file. NOTE: this requires your KUBECONFIG file to be configured so that you can run kubectl commands against your k8s cluster.

kubectl create secret generic regcred --from-file=.dockerconfigjson=[pathToDockerConfigJsonHere] --type=kubernetes.io/dockerconfigjson
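The docker config file can hold logins for every registry that account has used, and the command above copies the whole file into the secret. As an added example (not code from the original post), this Python script builds the same kubernetes.io/dockerconfigjson secret containing only one registry's entry and rejects entries that carry no inline token. The function name scoped_pull_secret, the "default" namespace and the sample credentials are assumptions constructed for illustration.

```python
import base64
import json


def scoped_pull_secret(docker_config, registry, name="regcred", namespace="default"):
    """Return a kubernetes.io/dockerconfigjson Secret holding only `registry`'s login."""
    entry = docker_config.get("auths", {}).get(registry)
    if entry is None:
        raise KeyError(f"no login recorded for {registry}")
    token = entry.get("auth")
    if not token:
        # When a credsStore/credHelpers is configured, docker login leaves this
        # entry empty and keeps the token elsewhere, so the secret would be useless.
        raise ValueError(f"{registry} has no inline auth token")
    # The token must be base64("user:password"); reject anything else early.
    user, sep, _password = base64.b64decode(token).decode().partition(":")
    if not (user and sep):
        raise ValueError("auth token is not base64('user:password')")
    # Keep only the requested registry so unrelated logins never reach the cluster.
    minimal = {"auths": {registry: {"auth": token}}}
    payload = json.dumps(minimal, separators=(",", ":")).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},  # namespace is assumed
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(payload).decode()},
    }


def _token(user, password):
    return base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample of a docker config file after several logins (not real data).
SAMPLE_CONFIG = {
    "auths": {
        "harbor.hollow.local": {"auth": _token("labuser", "example-password")},
        "other-registry.example": {"auth": _token("someone", "unrelated-secret")},
        "helper.example": {},  # entry as written when a credential helper is used
    },
}

if __name__ == "__main__":
    # The JSON printed here can be piped to `kubectl apply -f -`.
    print(json.dumps(scoped_pull_secret(SAMPLE_CONFIG, "harbor.hollow.local"), indent=2))
```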

Once the secret has been created, you are free to use the images in your private registry within your deployment files. You will need to insert the “imagePullSecrets” configuration option and reference the secret created above. This is so the cluster can authenticate with the registry properly.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: wordpress-deployment
  labels:
    app: wordpress
spec:
  replicas: 2
  selector:
    matchLabels:
      app: wordpress
  template:
    metadata:
      labels:
        app: wordpress
    spec:
      containers:
      - name: ubuntu-container
        image: harbor.hollow.local/hollowlab/wordpress #Your image here
        ports:
        - containerPort: 80
      imagePullSecrets:
      - name: regcred

Summary

Sometimes it makes sense to have a private registry set up to store code that shouldn’t be available to the whole world. This works fine with Kubernetes; you just have to make sure your container runtime can authenticate with the registry by storing a secret and using this secret in your deployment manifests.