Thursday, November 27, 2025

 

Kubernetes : Use Private Registry

 

Configure Kubernetes to pull container images from your own private registry.

This example is based on the following environment.

+----------------------+   +----------------------+
|  [ ctrl.srv.world ]  |   |   [ dlp.srv.world ]  |
|     Manager Node     |   |     Control Plane    |
+-----------+----------+   +-----------+----------+
        eth0|10.0.0.25             eth0|10.0.0.30
            |                          |
------------+--------------------------+-----------
            |                          |
        eth0|10.0.0.51             eth0|10.0.0.52
+-----------+----------+   +-----------+----------+
| [ node01.srv.world ] |   | [ node02.srv.world ] |
|     Worker Node#1    |   |     Worker Node#2    |
+----------------------+   +----------------------+

[1]

On the Node where you'd like to run the Private Registry Pod,
configure the Registry with basic authentication and an HTTPS connection (with a valid certificate); refer to here.
In this example, the Registry Pod is running on the Manager Node.

[2] Add a Secret in Kubernetes.
# login to the Registry once with a user
debian@ctrl:~$ podman login ctrl.srv.world:5000
Username: serverworld
Password:
Login Succeeded!
# then the following file is generated
debian@ctrl:~$ ll /run/user/$(id -u)/containers/auth.json
-rw------- 1 debian debian 91 Aug 25 09:38 /run/user/1000/containers/auth.json
debian@ctrl:~$ AUTH=$(cat /run/user/$(id -u)/containers/auth.json | base64 | tr -d '\n')
debian@ctrl:~$ cat <<EOF > regcred.yml
apiVersion: v1
kind: Secret
data:
  .dockerconfigjson: ${AUTH}
metadata:
  name: regcred
type: kubernetes.io/dockerconfigjson
EOF

debian@ctrl:~$ kubectl apply -f regcred.yml
secret "regcred" created
debian@ctrl:~$ kubectl get secrets
NAME      TYPE                             DATA   AGE
regcred   kubernetes.io/dockerconfigjson   1      6s
[3] To pull images from your private registry, specify the private image and the Secret when deploying Pods, as follows.
debian@ctrl:~$ podman images
REPOSITORY                 TAG          IMAGE ID      CREATED      SIZE
ctrl.srv.world:5000/nginx  my-registry  ad5708199ec7  11 days ago  197 MB
docker.io/library/nginx    latest       ad5708199ec7  11 days ago  197 MB

debian@ctrl:~$ vi private-nginx.yml
apiVersion: v1
kind: Pod
metadata:
  name: private-nginx
spec:
  containers:
  - name: private-nginx
    # image on Private Registry
    image: ctrl.srv.world:5000/nginx:my-registry
  imagePullSecrets:
  # Secret name you added
  - name: regcred

debian@ctrl:~$ kubectl create -f private-nginx.yml
pod "private-nginx" created
debian@ctrl:~$ kubectl get pods
NAME            READY   STATUS    RESTARTS   AGE
private-nginx   1/1     Running   0          7s

debian@ctrl:~$ kubectl describe pods private-nginx

Name:             private-nginx
Namespace:        default
Priority:         0
Service Account:  default
Node:             node02.srv.world/10.0.0.52
Start Time:       Mon, 25 Aug 2025 09:42:21 +0900
Labels:           <none>
Annotations:      cni.projectcalico.org/containerID: 67bc19aec67b8533b0d07cd8d63d9685d86f472fbf392e8993d10159081377ea
                  cni.projectcalico.org/podIP: 192.168.241.137/32
                  cni.projectcalico.org/podIPs: 192.168.241.137/32
Status:           Running
IP:               192.168.241.137
IPs:
  IP:  192.168.241.137
Containers:
  private-nginx:
    Container ID:   containerd://4f07832ffc618805832a22218b25bdb0379c6c3ae77ca67ea78c4f0c4f7e27dd
    Image:          ctrl.srv.world:5000/nginx:my-registry
    Image ID:       ctrl.srv.world:5000/nginx@sha256:b4382d96eb0bc8686e38c2ff959634aace7e55259824aff494093edc63b31996
    Port:           <none>
    Host Port:      <none>
    State:          Running
      Started:      Mon, 25 Aug 2025 09:42:21 +0900
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-rvwbs (ro)
Conditions:
  Type                        Status
  PodReadyToStartContainers   True
  Initialized                 True
  Ready                       True
  ContainersReady             True
  PodScheduled                True
Volumes:
  kube-api-access-rvwbs:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    Optional:                false
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  14s   default-scheduler  Successfully assigned default/private-nginx to node02.srv.world
  Normal  Pulling    14s   kubelet            Pulling image "ctrl.srv.world:5000/nginx:my-registry"
  Normal  Pulled     14s   kubelet            Successfully pulled image "ctrl.srv.world:5000/nginx:my-registry" in 50ms (50ms including waiting). Image size: 72324501 bytes.
  Normal  Created    14s   kubelet            Created container: private-nginx
  Normal  Started    14s   kubelet            Started container private-nginx
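Step [2] base64-encodes the whole auth.json, so every registry credential the user has ever logged in to on that host (not just ctrl.srv.world:5000) ends up inside the cluster Secret. As an added example (not from the original page), the Python helper below builds the same kubernetes.io/dockerconfigjson Secret from an auth.json document but scoped to a single registry, and checks that the registry of a Pod's image reference is actually covered by the Secret; the auth.json contents, user names and passwords are constructed sample data.

```python
import base64
import json

# Constructed sample of podman's auth.json after logging in to two registries.
# The docker.io entry is invented here to show what step [2] would copy into the Secret.
SAMPLE_AUTH_JSON = json.dumps({
    "auths": {
        "ctrl.srv.world:5000": {"auth": base64.b64encode(b"serverworld:example-password").decode()},
        "docker.io": {"auth": base64.b64encode(b"hubuser:example-token").decode()},
    }
})


def registry_of(image):
    """Registry host of an image reference. The first path component is a registry
    only if it contains '.' or ':' or is 'localhost'; otherwise the image is from docker.io."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def scoped_dockerconfig(auth_json_text, registry):
    """Keep only the auths entry for `registry`; refuse to build a Secret without one."""
    auths = json.loads(auth_json_text)["auths"]
    if registry not in auths:
        raise KeyError(f"no credential for {registry}; run 'podman login {registry}' first")
    return json.dumps({"auths": {registry: auths[registry]}})


def build_regcred(auth_json_text, registry, name="regcred"):
    """Secret manifest as a dict; dump it with json.dumps and feed it to kubectl apply -f."""
    cfg = scoped_dockerconfig(auth_json_text, registry)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(cfg.encode()).decode()},
    }


def decoded_registries(secret):
    """Registry keys stored in the Secret (the value is only base64, not encrypted)."""
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    return sorted(cfg["auths"])


def secret_covers_image(secret, image):
    """Simplified kubelet match: exact auths key for the image's registry host."""
    return registry_of(image) in decoded_registries(secret)
```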
