Kubernetes cluster-wide access to private container registry with imagepullsecret-patcher

Jiang Huan
Dec 31, 2019 · 3 min read

TL;DR

Kubernetes allows us to configure private container registry credentials with imagePullSecrets on a per Pod or per Namespace basis. However, as cluster admins, we might want to reduce time spent on maintenance work and complete it once and for all.

We open-sourced a simple Kubernetes application called imagepullsecret-patcher, which automatically creates and patches imagePullSecrets to default service accounts in all Kubernetes namespaces to allow cluster-wide authenticated access to private container registry.


Background

Recently in Titansoft, we built a couple of on-premise Kubernetes clusters and started to run workloads on them. The clusters need to access our private container registry on Google Cloud to pull our private docker images.

We can do so by first creating a Kubernetes Secret with the docker config.

As a side note, Google Container Registry (GCR) supports a JSON key file authentication method, which uses _json_key as the username and the content of the service account's private key file as the password.
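As an added illustration (not code from the post or from imagepullsecret-patcher), the following Go program builds the same kind of Secret that the docker config gist above describes: a `kubernetes.io/dockerconfigjson` Secret whose payload is a `~/.docker/config.json`-style document with `_json_key` as the username and the key file content as the password. It uses only the standard library; the registry host `gcr.io`, the secret name `gcr-pull`, the `ValidateGCRKey` pre-check and the placeholder key are assumptions made for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// DockerConfig mirrors the ~/.docker/config.json layout that the kubelet
// reads from a Secret of type kubernetes.io/dockerconfigjson.
type DockerConfig struct {
	Auths map[string]DockerAuth `json:"auths"`
}

// DockerAuth is one registry entry; Auth is base64("username:password").
type DockerAuth struct {
	Username string `json:"username"`
	Password string `json:"password"`
	Auth     string `json:"auth"`
}

// Secret is the subset of a v1 Secret manifest used here (stdlib only; the
// real patcher uses client-go's corev1.Secret). Data values are base64.
type Secret struct {
	APIVersion string            `json:"apiVersion"`
	Kind       string            `json:"kind"`
	Metadata   map[string]string `json:"metadata"`
	Type       string            `json:"type"`
	Data       map[string]string `json:"data"`
}

// ValidateGCRKey rejects anything that is not a service-account key file
// before it is embedded; a wrong file would otherwise fail only at pull time.
func ValidateGCRKey(key []byte) error {
	var k struct {
		Type        string `json:"type"`
		ClientEmail string `json:"client_email"`
		PrivateKey  string `json:"private_key"`
	}
	if err := json.Unmarshal(key, &k); err != nil {
		return fmt.Errorf("key file is not valid JSON: %w", err)
	}
	if k.Type != "service_account" {
		return fmt.Errorf("expected a service_account key, got type %q", k.Type)
	}
	if k.ClientEmail == "" || k.PrivateKey == "" {
		return errors.New("key file is missing client_email or private_key")
	}
	return nil
}

// BuildDockerConfigJSON returns the .dockerconfigjson payload for one registry.
// For GCR the username is the literal "_json_key" and the password is the
// whole key file content.
func BuildDockerConfigJSON(registry, username, password string) ([]byte, error) {
	cfg := DockerConfig{Auths: map[string]DockerAuth{registry: {
		Username: username,
		Password: password,
		Auth:     base64.StdEncoding.EncodeToString([]byte(username + ":" + password)),
	}}}
	return json.Marshal(cfg)
}

// BuildImagePullSecret wraps the payload in a Secret manifest for one namespace.
func BuildImagePullSecret(name, namespace, registry, username, password string) (Secret, error) {
	payload, err := BuildDockerConfigJSON(registry, username, password)
	if err != nil {
		return Secret{}, err
	}
	return Secret{
		APIVersion: "v1",
		Kind:       "Secret",
		Metadata:   map[string]string{"name": name, "namespace": namespace},
		Type:       "kubernetes.io/dockerconfigjson",
		Data:       map[string]string{".dockerconfigjson": base64.StdEncoding.EncodeToString(payload)},
	}, nil
}

func main() {
	// Constructed placeholder key; a real one is downloaded from the GCP console or gcloud.
	key := `{"type":"service_account","client_email":"patcher@example.iam.gserviceaccount.com","private_key":"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"}`
	if err := ValidateGCRKey([]byte(key)); err != nil {
		fmt.Println("invalid key:", err)
		return
	}
	secret, err := BuildImagePullSecret("gcr-pull", "default", "gcr.io", "_json_key", key)
	if err != nil {
		fmt.Println("build failed:", err)
		return
	}
	out, _ := json.MarshalIndent(secret, "", "  ")
	fmt.Println(string(out))
}
```

The printed manifest is what `kubectl create secret docker-registry gcr-pull --docker-server=gcr.io --docker-username=_json_key --docker-password="$(cat key.json)"` produces. Because the patcher copies this Secret into every namespace, anyone allowed to read Secrets in any namespace can read the registry credential, so the service account behind the key should have read-only access to the registry and RBAC on Secrets should be kept tight.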

Next, there are two ways to use the image-pull-secret we have just created.

We went for the second approach, so that cluster admins only need to do it once per namespace, and developers can also avoid adding extra lines to their Deployment definitions.

However, we expect new namespaces to be created very often, and this would become a burden for our cluster admins, as they would need to repeat this task every time a new namespace is added to the clusters.

Therefore, given the benefits of automation, we built this small Kubernetes application with client-go.

Implementation

Here is a diagram showing the workflow of the imagepullsecret-patcher. For more details, please refer to the GitHub repo.
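As an added example (not the patcher's own code), the Go program below shows the decision the workflow makes for each namespace: make sure a copy of the pull secret exists, then add it to the default service account's imagePullSecrets without dropping entries that are already there, and do nothing on a second pass. It is written against plain structs rather than client-go so it runs offline; the `Plan`/`Action` shape, the names `gcr-pull` and `other-registry`, and the "retry when the default service account is not there yet" rule are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ServiceAccount is the minimal shape of a v1 ServiceAccount needed here.
type ServiceAccount struct {
	Name             string
	ImagePullSecrets []string
}

// Action is one API call the patcher would make for a namespace.
type Action struct {
	Kind string // "create-secret", "patch-serviceaccount" or "retry"
	Body []byte // JSON merge patch body, set for patch-serviceaccount
}

// ImagePullSecretsPatch builds a JSON merge patch for the service account.
// imagePullSecrets is a list and a merge patch replaces lists wholesale, so
// the entries already there are carried over rather than clobbered; ok is
// false when the secret is already referenced and no patch is needed.
func ImagePullSecretsPatch(existing []string, secretName string) (patch []byte, ok bool) {
	type ref struct {
		Name string `json:"name"`
	}
	refs := make([]ref, 0, len(existing)+1)
	for _, n := range existing {
		if n == secretName {
			return nil, false
		}
		refs = append(refs, ref{n})
	}
	refs = append(refs, ref{secretName})
	patch, _ = json.Marshal(map[string][]ref{"imagePullSecrets": refs})
	return patch, true
}

// Plan decides what one namespace needs, given what is already there, and
// returns the API calls to make. Running it again after those calls succeed
// yields nothing, which is what makes a periodic or event-driven loop safe.
func Plan(secretName string, secretExists bool, sa *ServiceAccount) []Action {
	var acts []Action
	if !secretExists {
		acts = append(acts, Action{Kind: "create-secret"})
	}
	if sa == nil {
		// The default service account is created asynchronously after a
		// namespace appears, so the patch is retried on the next event.
		return append(acts, Action{Kind: "retry"})
	}
	if patch, ok := ImagePullSecretsPatch(sa.ImagePullSecrets, secretName); ok {
		acts = append(acts, Action{Kind: "patch-serviceaccount", Body: patch})
	}
	return acts
}

// ApplyMergePatch does to the in-memory object what the API server does with
// the patch for this field, so the round trip can be checked offline.
func ApplyMergePatch(sa *ServiceAccount, mergePatch []byte) error {
	var body struct {
		ImagePullSecrets []struct {
			Name string `json:"name"`
		} `json:"imagePullSecrets"`
	}
	if err := json.Unmarshal(mergePatch, &body); err != nil {
		return fmt.Errorf("bad merge patch: %w", err)
	}
	sa.ImagePullSecrets = nil
	for _, r := range body.ImagePullSecrets {
		sa.ImagePullSecrets = append(sa.ImagePullSecrets, r.Name)
	}
	return nil
}

func main() {
	// Constructed sample: the namespace has no copy of the secret yet and its
	// default service account already references another pull secret.
	sa := &ServiceAccount{Name: "default", ImagePullSecrets: []string{"other-registry"}}
	for _, a := range Plan("gcr-pull", false, sa) {
		fmt.Println(a.Kind, string(a.Body))
		if a.Kind == "patch-serviceaccount" {
			if err := ApplyMergePatch(sa, a.Body); err != nil {
				fmt.Println(err)
			}
		}
	}
	fmt.Println("after:", sa.ImagePullSecrets, "second plan:", Plan("gcr-pull", true, sa))
}
```

With client-go, a `create-secret` action maps to `CoreV1().Secrets(ns).Create(...)` and a `patch-serviceaccount` action to `CoreV1().ServiceAccounts(ns).Patch(ctx, "default", types.MergePatchType, body, metav1.PatchOptions{})`. The ClusterRole the patcher runs under only needs list/watch on namespaces, get/create on secrets and get/patch on serviceaccounts; granting it more than that turns a convenience tool into a cluster-wide credential with broad reach.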

See it in action

After it is deployed to our Kubernetes clusters, we can see it in action!

As the last two log lines in this screenshot show, when a new namespace called compliance was created, the patcher automatically performed the task: it created a secret in the namespace and patched the default service account.

When the teams started deploying their applications in the namespace, they were already authenticated to our private registry, without issue.

Titansoft ❤️ Open Source

🌐 The source code and a deploy-example are available on GitHub.
❤️ As our first open-source project, we welcome your feedback and suggestions!
💬 Please feel free to open issues or submit pull requests.

Hopefully, you find this useful!
