3

I'm using k3s to test my k8s configurations. Sadly, imagePullSecrets seems not to work properly.

I've tested the same configuration in minikube and it works fine.

Example:

I create the secret with:

kubectl create secret generic myreg --from-file=.dockerconfigjson=$HOME/.docker/config.json

And this is a daemonset example:

apiVersion: apps/v1                                                                                                                                                                                                                         
kind: DaemonSet
metadata:
  name: foo
  namespace: default
  labels:
    app: foo
spec:
  selector:
    matchLabels:
      name: foo
  template:
    metadata:
      labels:
        name: foo
    spec:
      imagePullSecrets:
      - name: myreg
      containers:
      - name: foo
        image: whatever/foo:latest

The status stays as ErrImagePull and running describe over the pod it says:

  Normal   BackOff    2s    kubelet, localhost  Back-off pulling image "whatever/foo:latest"
  Warning  Failed     2s    kubelet, localhost  Error: ImagePullBackOff

Why Does it not work?

Gonzalo Matheu
  • 8,984
  • 5
  • 35
  • 58
MagMax
  • 1,645
  • 2
  • 17
  • 26
  • 1
    why do you create a `generic` secret and not a `docker-registry` secret ? check https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod – Yonsy Solis Dec 04 '19 at 20:42
  • hmmmm.... I didn't realized that. Maybe that was my problem. I have to try it. – MagMax Dec 06 '19 at 06:38

2 Answers2

1

Finally I found the answer in the issue Document image preloading.

The imagePullSecrets are not implemented in k3s, but there is an undocumented feature, and you can pull the image manually to get it work.

To do it (as root):

# docker pull whatever/foo:latest
# docker save whatever/foo:latest -o /var/lib/rancher/k3s/agent/images/foo-latest.tgz

And then the image will be "downloaded" and installed into k3s.

Remember to restart k3s after downloading it.

MagMax
  • 1,645
  • 2
  • 17
  • 26
  • 4
    imagePullSecrets works with me with k3s 1.0 (with default options, containerd not docker) and with private repos/registry in Gitlab.com. – Yonsy Solis Dec 04 '19 at 20:39
0

The comment from yonsy-solis solved this for me:

Replace generic with docker-registry:

kubectl create secret docker-registry myreg --from file=.dockerconfigjson=$HOME/.docker/config.json

Note that generic used to work for me in the past. With some update, this must have changed.

(@yonsy-solis, I don't want to take the credit away from you, but this is so useful that I think it should be a proper answer, rather than just comment)

jastram
  • 733
  • 7
  • 19