Configuring Nodes to Authenticate to a Private Registry
Note: Kubernetes currently supports only the auths and HttpHeaders sections of the Docker config. This means credential helpers (credHelpers or credsStore) are not supported.
Docker stores keys for private registries in the $HOME/.dockercfg or $HOME/.docker/config.json file. If such a file exists in one of the search paths listed below, kubelet uses it as the credential provider when pulling images.
- {--root-dir:-/var/lib/kubelet}/config.json
- {cwd of kubelet}/config.json
- ${HOME}/.docker/config.json
- /.docker/config.json
- {--root-dir:-/var/lib/kubelet}/.dockercfg
- {cwd of kubelet}/.dockercfg
- ${HOME}/.dockercfg
- /.dockercfg
~/.docker/config.json
{
  "auths": {
    "registry.cn-hangzhou.aliyuncs.com": {
      "auth": "d3ViaWdvOjEyMzEyMwo="
    }
  },
  "HttpHeaders": {
    "User-Agent": "Docker-Client/17.03.3-ce (linux)"
  }
}
Convert the base64-encoded auth data to a readable format (it decodes to username:password; base64 is an encoding, not encryption):
echo "d3ViaWdvOjEyMzEyMwo=" | base64 --decode
# Copy the config file to the kubelet root dir on every node
nodes=$(kubectl get nodes -o jsonpath='{range .items[*].metadata}{.name} {end}')
for n in $nodes; do scp ~/.docker/config.json root@$n:/var/lib/kubelet/config.json; done
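Added example (not part of the original notes and not Kubernetes code): a check to run on config.json before copying it to the nodes. It flags the credential-helper keys the note above says are unsupported and verifies that each auth value decodes to username:password without stray whitespace. The function name audit_docker_config and the credsStore value in the sample are assumptions made for illustration.

```python
import base64
import binascii
import json

# Keys that the note at the top of this page lists as unsupported by Kubernetes.
UNSUPPORTED_KEYS = ("credsStore", "credHelpers")

# Constructed sample: the config.json shown above plus a hypothetical credsStore entry.
SAMPLE = """
{
  "auths": {
    "registry.cn-hangzhou.aliyuncs.com": {"auth": "d3ViaWdvOjEyMzEyMwo="}
  },
  "HttpHeaders": {"User-Agent": "Docker-Client/17.03.3-ce (linux)"},
  "credsStore": "desktop"
}
"""


def audit_docker_config(text):
    """Return (registry_or_key, finding) tuples; decoded secrets are never returned."""
    cfg = json.loads(text)
    findings = []
    for key in UNSUPPORTED_KEYS:
        if key in cfg:
            findings.append((key, "credential helper is not supported by kubelet"))
    auths = cfg.get("auths", {})
    if not auths:
        findings.append(("auths", "no inline credentials present"))
    for registry, entry in auths.items():
        try:
            raw = base64.b64decode(entry.get("auth", ""), validate=True)
            decoded = raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            findings.append((registry, "auth is not valid base64 text"))
            continue
        user, sep, password = decoded.partition(":")
        if not sep or not user or not password:
            findings.append((registry, "auth does not decode to username:password"))
        elif decoded != decoded.strip():
            # Typical when the value was produced with echo instead of printf/echo -n.
            findings.append((registry, "decoded auth has leading/trailing whitespace"))
    return findings


if __name__ == "__main__":
    for where, what in audit_docker_config(SAMPLE):
        print(f"{where}: {what}")
```

The auth value shown on this page decodes with a trailing newline, so it is reported under the whitespace check.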
https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/