
I am trying to run my private docker image alongside the docker-dind container so that I can run docker commands from the private image in Kubernetes. My only issue is that the docker run command does not read the docker secrets, so it fails and requires me to run docker login. How could I pass the credentials to the docker run command?

Here is the relevant piece of my Kubernetes deployment:

  containers:
    - name: docker-private
      image: docker:20.10
      command: ['docker', 'run', '-p', '80:8000', 'private/image:latest' ]
      resources:
        requests:
          cpu: 10m
          memory: 256Mi
      env:
        - name: DOCKER_HOST
          value: tcp://localhost:2375
      envFrom:
         - secretRef:
             name: docker-secret-keys
    - name: dind-daemon
      image: docker:20.10-dind
      command: ["dockerd", "--host", "tcp://127.0.0.1:2375"]
      resources:
        requests:
          cpu: 20m
          memory: 512Mi
      securityContext:
        privileged: true
      volumeMounts:
        - name: docker-graph-storage
          mountPath: /var/lib/docker

EDIT: I do have my certificate as a Kubernetes secret that I try to mount into the running docker, but so far without any success :(

apiVersion: v1
data:
  .dockerconfigjson: eyJhXXXXXXdoihfc9w8fwpeojfOFwhfoiuwehfo8wfhoi2ehfioewNlcm5hbWUiOiJlbGRhcmVudGas4hti45ytg45hgiVsZGFXXXXXXyQGVudG9yLmlvIiwiYXV0aCI6IlpXeGtZWEpsYm5SdmNqb3dObVl4WmpjM1lTMDVPRFZrTFRRNU5HRXRZVEUzTXkwMk5UYzBObVF4T0RjeFpUWT0ifX19XXXXXXXXXXX
kind: Secret
metadata:
  name: staging-docker-keys
  namespace: staging
  resourceVersion: "6383"
  uid: a7yduyd-xxxx-xxxx-xxxx-ae2ede3e4ed
type: kubernetes.io/dockerconfigjson

The final goal is to have the "inner docker" (the one that runs private/image:latest) able to run any docker command without needing to log in before each command.

Noam Elbaz
  • The docker:dind image is creating a new docker server; how do you get the secret before the server is created? I am so confused. Where do you get the secret? – yip102011 Sep 06 '22 at 02:20

3 Answers

4

docker:dind will create the CA, server and client certs in /certs. Just create an emptyDir volume to share the certs.

apiVersion: v1
kind: Pod
metadata:
  name: myapp
  labels:
    name: myapp
spec:
  volumes:
  - name: docker-tls-certdir
    emptyDir: {}
  containers:
    - name: docker-private
      image: docker:20.10
      command: ['docker', 'run', '-p', '80:8000', 'nginx' ]
      env:
        - name: DOCKER_HOST
          value: tcp://localhost:2375
      volumeMounts:
        - name: docker-tls-certdir
          mountPath: /certs
    - name: dind-daemon
      image: docker:20.10-dind
      command: ["dockerd", "--host", "tcp://127.0.0.1:2375"]
      securityContext:
        privileged: true
      volumeMounts:
        - name: docker-tls-certdir
          mountPath: /certs
yip102011
  • I modified the pod yaml file to mount the `/certs` folder but I still get an access denied: Error response from daemon: pull access denied for entor/docker-runner-api, repository does not exist or may require 'docker login': denied: requested access to the resource is denied – Noam Elbaz Sep 05 '22 at 11:33
  • I tested the yaml; it can use docker commands without any modification. Just copy and paste it. – yip102011 Sep 06 '22 at 02:26
  • Yes, of course it works fine. The nginx image is public, so no need for authentication. ;) – Noam Elbaz Sep 07 '22 at 14:46
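The distinction behind that last comment is the whole problem. The /certs directory that docker:dind populates holds the daemon's TLS material (CA, server and client key pairs), which authenticates the docker client to dockerd; it has nothing to do with the registry credentials the daemon needs in order to pull private/image. Those come from the client's config.json: on every pull the docker CLI looks up the image's registry in that file and sends the matching entry to the daemon in the X-Registry-Auth header. A public image such as nginx needs no such entry, so the shared /certs volume "works", while a private one is pulled anonymously and is refused. The envFrom in the question does not help either: it exposes the Secret's .dockerconfigjson key only as an environment variable, which the CLI never consults.

Because the Secret is already of type kubernetes.io/dockerconfigjson, its single key is a complete config.json. The following pod spec, an added example and not code from the question or any answer, mounts that key under the file name the CLI expects and points DOCKER_CONFIG at it; the Secret name staging-docker-keys and the mount path /etc/registry-creds are taken from the question and chosen for illustration, respectively:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: docker-private
spec:
  volumes:
    - name: registry-creds
      secret:
        secretName: staging-docker-keys   # the kubernetes.io/dockerconfigjson Secret from the question
        defaultMode: 0400                  # root in the client container can still read it
        items:
          - key: .dockerconfigjson         # the Secret's only key ...
            path: config.json              # ... mounted under the file name the docker CLI reads
    - name: docker-graph-storage
      emptyDir: {}
  containers:
    - name: docker-private
      image: docker:20.10
      command: ['docker', 'run', '-p', '80:8000', 'private/image:latest']
      env:
        - name: DOCKER_HOST
          value: tcp://localhost:2375
        - name: DOCKER_CONFIG              # directory the CLI loads config.json from (default ~/.docker)
          value: /etc/registry-creds
      volumeMounts:
        - name: registry-creds
          mountPath: /etc/registry-creds
          readOnly: true
    - name: dind-daemon
      image: docker:20.10-dind
      command: ["dockerd", "--host", "tcp://127.0.0.1:2375"]
      securityContext:
        privileged: true
      volumeMounts:
        - name: docker-graph-storage
          mountPath: /var/lib/docker
```

No docker login ever runs: the CLI reads the mounted file on each request, so every docker pull, run or push from the client container is authenticated for the registries listed in it. To check that the right registry is present, exec into the docker-private container and print $DOCKER_CONFIG/config.json; for Docker Hub the key under auths must be https://index.docker.io/v1/, not docker.io. Two caveats a reviewer would flag: overriding the dind container's command replaces the image's ENTRYPOINT (dockerd-entrypoint.sh), so the TLS certificates the answer above relies on are never generated and the daemon listens in plaintext on 2375, which is tolerable only because 127.0.0.1 is confined to this pod's network namespace; and privileged: true gives the dind container root-equivalent access to the node, so the pod should run in a namespace where that is an accepted risk.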
1

Assuming you are not using docker cert authentication but username and password, you may follow the path below:

  • modify the docker client image's (docker:20.10) entrypoint using the command field

  • the command may look like this:

    command: ["/bin/sh"]
    args: ["-c", "docker login...;docker run..."]  

Sample working pod using the idea:

apiVersion: v1
kind: Pod
metadata:
  name: myapp
  labels:
    name: myapp
spec:
  containers:
  - name: myapp
    image: docker:20.10
    command: ["/bin/sh"]
    args: ["-c", "docker version;docker info"]  
    resources:
      limits:
        memory: "128Mi"
        cpu: "500m"

Based on docs

EDIT:

If you do use docker cert authentication, you can have many options:

  • bake the certificates in by extending the docker client image and using that instead.
  • mount the certificates if you have them as Kubernetes secrets in the cluster ...
rok
  • Yes, this would work great! Although I think it would be safer to use the certificates to access the docker images. – Noam Elbaz Sep 05 '22 at 11:05
  • Thanks for the precision! Yes I do have my certificate as Kubernetes secrets that I try to mount to the running docker but until now without any success :( – Noam Elbaz Sep 05 '22 at 11:35
  • apiVersion: v1 data: .dockerconfigjson: eyJdlqndkabsdkjabsdkabdkasndkasnbdknbasdkband,bacb askcbnasldhalsdnlasdnlandlandlandandlandlandlandljeijueou23oerh2ofh2ohfo2hfo2hfo2hfdo2qhfoh2foih2 kind: Secret metadata: name: staging-docker-keys namespace: staging resourceVersion: "6383" uid: a8ad8sad8d-xxxx-xxxx-xxxx-aa6a6s6asd6d6 type: kubernetes.io/dockerconfigjson – Noam Elbaz Sep 05 '22 at 11:37
0

Ok, I finally created an access token on my docker repository and used it to perform the docker login command. It works just fine :)

Noam Elbaz
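Both of the last two answers end up in the same place: docker login, whether with a password or with an access token, writes an entry into the client's config.json, and that file is what the docker CLI consults on every pull before talking to the dind daemon. The following added example (not code from the question or any answer) reproduces that lookup offline so the failure mode from the comments can be inspected without a cluster: it unpacks a kubernetes.io/dockerconfigjson Secret, resolves which registry an image reference belongs to, picks the matching auths entry and encodes it the way the CLI does for the X-Registry-Auth header. The Secret, the user demo and the tokens inside it are constructed for this example; nothing here contacts a registry.

```python
"""Resolve registry credentials from a dockerconfigjson Secret the way the docker CLI does."""
import base64
import json

# Docker Hub is special-cased by the CLI: Hub credentials are stored and looked up
# under this legacy index key, never under "docker.io".
INDEX_SERVER = "https://index.docker.io/v1/"

# Constructed sample config.json, the same shape `docker login` or
# `kubectl create secret docker-registry` produces.
SAMPLE_CONFIG_JSON = json.dumps({
    "auths": {
        INDEX_SERVER: {"auth": base64.b64encode(b"demo:s3cr3t").decode()},
        "ghcr.io": {"auth": base64.b64encode(b"demo:ghp_example").decode()},
    }
})

# Constructed sample Secret wrapping it, as the question's staging-docker-keys would.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/dockerconfigjson",
    "metadata": {"name": "staging-docker-keys", "namespace": "staging"},
    "data": {".dockerconfigjson": base64.b64encode(SAMPLE_CONFIG_JSON.encode()).decode()},
}


def config_from_secret(secret):
    """Return the config.json object stored in a kubernetes.io/dockerconfigjson Secret."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("secret is not of type kubernetes.io/dockerconfigjson")
    config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    # A config that delegates to a credential helper carries no inline secrets,
    # so mounting it into a container would not help.
    if "credsStore" in config or "credHelpers" in config:
        raise ValueError("config.json uses a credential helper; inline auths required")
    return config


def registry_for_image(image):
    """Return the config.json key for an image reference.

    Mirrors the CLI rule: a first path component containing '.' or ':' (or equal
    to 'localhost') names a registry host; anything else means Docker Hub.
    """
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return INDEX_SERVER


def _strip_scheme(key):
    for prefix in ("https://", "http://"):
        if key.startswith(prefix):
            return key[len(prefix):]
    return key


def resolve_auth(config, image):
    """Return the auth dict the CLI would send for `image`, or None for an anonymous pull."""
    registry = registry_for_image(image)
    auths = config.get("auths", {})
    entry = auths.get(registry)
    if entry is None:  # tolerate "https://ghcr.io" vs "ghcr.io" style keys
        wanted = _strip_scheme(registry)
        entry = next((v for k, v in auths.items() if _strip_scheme(k) == wanted), None)
    if entry is None:
        return None
    if "auth" in entry:  # "auth" is base64("user:password")
        user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
    else:
        user, password = entry.get("username", ""), entry.get("password", "")
    return {"username": user, "password": password, "serveraddress": registry}


def registry_auth_header(auth):
    """Encode an auth dict as the X-Registry-Auth value: URL-safe base64 of its JSON."""
    return base64.urlsafe_b64encode(json.dumps(auth).encode()).decode()


def decode_registry_auth_header(value):
    """Inverse of registry_auth_header, for inspecting what the daemon receives."""
    return json.loads(base64.urlsafe_b64decode(value))


if __name__ == "__main__":
    cfg = config_from_secret(SAMPLE_SECRET)
    for ref in ("private/image:latest", "ghcr.io/demo/app:1.0", "registry.example.com/app:1"):
        auth = resolve_auth(cfg, ref)
        if auth is None:
            print(f"{ref}: no entry for {registry_for_image(ref)} -> anonymous pull, "
                  "'pull access denied' if the repository is private")
        else:
            print(f"{ref}: {auth['username']}@{auth['serveraddress']} -> "
                  f"X-Registry-Auth={registry_auth_header(auth)[:20]}...")
```

The third reference in the demonstration shows exactly the situation from the comments: a config.json without an entry for the image's registry produces an anonymous pull, and the daemon reports pull access denied even though the client "has" credentials for other registries. Feeding a real Secret (kubectl get secret staging-docker-keys -o json) to config_from_secret and resolve_auth is a quick way to confirm that the key under auths matches the registry of private/image before debugging anything on the dind side.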