
Docker has a mechanism for retrieving Docker registry passwords from a remote store, instead of just storing them in a config file - this mechanism is called a Credentials Store. It has a similar mechanism that is used to retrieve a password for a specific registry, called Credential Helpers.

Basically, it involves defining a value in ~/.docker/config.json that is interpreted as the name of an executable.

{
    "credsStore": "osxkeychain"
}

The value of the credsStore key has the prefix docker-credential- prepended to it, and if that executable (e.g. docker-credential-osxkeychain) exists on the path then it will be executed and is expected to echo the username and password to stdout, which Docker will use to log in to a private registry. The idea is that the executable reaches out to a store and retrieves your password for you, so you don't have to have lots of files lying around in your cluster with your username/password encoded in them.

I can't get a Kubernetes kubelet to make use of this credential store. It seems to just ignore it and when Kubernetes attempts to download from a private registry I get a "no basic auth credentials" error. If I just have a config.json with the username / password in it then kubelet works ok.

Does Kubernetes support Docker credential stores/credential helpers and if so, how do I get them to work?

For reference, kubelet is running through systemd, the credential store executable is on the path and the config.json file is being read.

John
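
The helper contract the question describes, as an added example (not from the question and not one of Docker's own helpers): a minimal docker-credential-<name> implementation in POSIX sh. It follows Docker's actual credential-helper protocol, which is stricter than "echo the username and password": the subcommand arrives as the first argument (get, store, erase, list), get reads the registry URL from stdin and must print a single JSON object with ServerURL, Username and Secret, and a miss must print "credentials not found in native keychain" and exit 1. The tab-separated file store and the CRED_STORE_FILE variable are assumptions made for this example; a real helper would talk to a keychain or vault.

```shell
#!/bin/sh
# docker-credential-filestore: a minimal Docker credential helper (example only).
# Docker invokes a helper as `docker-credential-<name> <subcommand>` and speaks JSON:
#   get   <- registry URL on stdin -> {"ServerURL":..,"Username":..,"Secret":..} on stdout
#   store <- that JSON on stdin    -> persisted
#   erase <- registry URL on stdin -> entry removed
#   list  -> {"<ServerURL>":"<Username>", ...} on stdout
# A miss must print "credentials not found in native keychain" and exit 1.
# ASSUMPTION: a tab-separated file is the "store"; real helpers use a keychain or vault.
STORE="${CRED_STORE_FILE:-$HOME/.docker-cred-example}"

# Pull one string value out of a flat, single-line JSON object (demo only: no escaping).
json_field() {
    printf '%s' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

cred_get() {
    server=$(tr -d '[:space:]')                       # registry URL arrives on stdin
    [ -f "$STORE" ] || { echo "credentials not found in native keychain"; return 1; }
    awk -F'\t' -v s="$server" '
        $1 == s { printf "{\"ServerURL\":\"%s\",\"Username\":\"%s\",\"Secret\":\"%s\"}\n", $1, $2, $3; found = 1 }
        END     { if (!found) { print "credentials not found in native keychain"; exit 1 } }' "$STORE"
}

cred_store() {
    payload=$(cat)                                    # JSON document arrives on stdin
    server=$(json_field "$payload" ServerURL)
    user=$(json_field "$payload" Username)
    secret=$(json_field "$payload" Secret)
    [ -n "$server" ] && [ -n "$user" ] || return 1
    touch "$STORE" && chmod 600 "$STORE"              # secrets on disk: owner-only
    awk -F'\t' -v s="$server" '$1 != s' "$STORE" > "$STORE.tmp"   # drop any stale entry
    printf '%s\t%s\t%s\n' "$server" "$user" "$secret" >> "$STORE.tmp"
    mv "$STORE.tmp" "$STORE"
}

cred_erase() {
    server=$(tr -d '[:space:]')
    [ -f "$STORE" ] || return 0
    awk -F'\t' -v s="$server" '$1 != s' "$STORE" > "$STORE.tmp" && mv "$STORE.tmp" "$STORE"
}

cred_list() {
    [ -f "$STORE" ] || { echo '{}'; return 0; }
    awk -F'\t' 'BEGIN { printf "{" }
                { printf "%s\"%s\":\"%s\"", (NR > 1 ? "," : ""), $1, $2 }
                END { print "}" }' "$STORE"
}

# Dispatch on the subcommand Docker passes as $1; with no argument do nothing (file can be sourced).
case "${1:-}" in
    get)   cred_get ;;
    store) cred_store ;;
    erase) cred_erase ;;
    list)  cred_list ;;
    "")    ;;
    *)     echo "usage: $0 get|store|erase|list" >&2; exit 1 ;;
esac
```

Installed as docker-credential-filestore somewhere on PATH with "credsStore": "filestore" in ~/.docker/config.json, `docker login` will call it with store and `docker pull` with get. Running `printf 'https://registry.example.com' | docker-credential-filestore get` by hand is the quickest way to confirm a helper answers in the shape Docker expects before blaming the caller.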

2 Answers


As of the moment of writing, Kubernetes v1.14 does not support credential helpers, as per the official docs, Configuring Nodes to Authenticate to a Private Registry:

Note: Kubernetes as of now only supports the auths and HttpHeaders section of docker config. This means credential helpers (credHelpers or credsStore) are not supported.

kasur

Yes, Kubernetes has the same mechanism called secrets but with extended functionality, and it includes a specific secret type called docker-registry. You can create your specific secret with credentials for a docker registry:

$ kubectl create secret docker-registry myregistrykey \
 --docker-server=DOCKER_REGISTRY_SERVER \
 --docker-username=DOCKER_USER \
 --docker-password=DOCKER_PASSWORD \
 --docker-email=DOCKER_EMAIL

secret "myregistrykey" created.

and use it:

apiVersion: v1
kind: Pod
metadata:
  name: foo
  namespace: awesomeapps
spec:
  containers:
    - name: foo
      image: janedoe/awesomeapp:v1
  imagePullSecrets:
    - name: myregistrykey
Nick Rak
    No, this is not the same mechanism at all. The `imagePullSecrets` mechanism you describe means you need to put your secrets in etcd, which is absolutely not the same as putting them in an enterprise-level secrets vault. I also don't see how Kubelet can access things like its infra containers when standing up the cluster by relying on the mechanism you describe. – John Apr 30 '18 at 08:08
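
What the docker-registry Secret in the answer above actually carries, as an added example (not from the answer, and not kubectl's own code): a POSIX sh reconstruction of the .dockerconfigjson payload that `kubectl create secret docker-registry` builds, the Secret manifest it is wrapped in, and a one-liner that turns the manifest back into the plaintext password. It illustrates the point made in the comment: this path stores the credential itself in etcd, base64-encoded rather than encrypted, whereas a credential helper only stores a pointer to an external vault. Server, user, password, email and namespace names here are made up for the example.

```shell
#!/bin/sh
# What `kubectl create secret docker-registry` actually produces, and how easily it
# is reversed. ASSUMPTION: names and credentials below are made up for this example.

# Build the config.json that kubectl wraps into the Secret: a plain "auths" map
# whose "auth" value is base64(username:password), i.e. encoding, not encryption.
make_dockerconfigjson() {   # server username password email
    auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
        "$1" "$2" "$3" "$4" "$auth"
}

# Wrap it in a kubernetes.io/dockerconfigjson Secret manifest; the data field is
# base64 again, which is exactly what lands in etcd unless encryption at rest is on.
make_secret_manifest() {    # name namespace dockerconfigjson
    b64=$(printf '%s' "$3" | base64 | tr -d '\n')
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $b64
EOF
}

# Recover the registry password from a manifest read on stdin: anything with
# `get secret` rights in the namespace, or read access to etcd, can do this.
password_from_manifest() {
    b64=$(sed -n 's/^  \.dockerconfigjson: //p')
    auth=$(printf '%s' "$b64" | base64 -d | sed -n 's/.*"auth":"\([^"]*\)".*/\1/p')
    printf '%s' "$auth" | base64 -d | cut -d: -f2-
}
```

Piping `make_secret_manifest myregistrykey awesomeapps "$(make_dockerconfigjson registry.example.com jane s3cr3t jane@example.com)"` into `password_from_manifest` prints the password back unchanged, which is the same thing `kubectl get secret myregistrykey -o yaml` followed by two base64 decodes gives you on a live cluster. Treat RBAC on Secrets and etcd encryption at rest as the compensating controls if imagePullSecrets is the only option the kubelet supports.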