How to use service accounts for Kubernetes imagePullSecrets
Rizwan Khan
Posted on August 12, 2020
What are Service Accounts in Kubernetes?
As per Kubernetes.io - A service account provides an identity for processes that run in a Pod.
One can think of service accounts as service users for pods. They help pods authenticate with the api-server and interact with it.
Many times, we come across a situation where our organization uses a private Docker registry to store Docker images. To make these images available to the cluster, we need to create a docker-registry Kubernetes secret and pass it as imagePullSecrets in the deployment manifest.
kubectl create secret docker-registry registry-cred \
--docker-server=my.private-registry.com \
--docker-username=my_username \
--docker-password="my_superr_strong_password" \
--docker-email=my.email@mycompany.com -n my-namespace
Then, we pass this secret in the deployment manifest as below.
...
imagePullSecrets:
- name: registry-cred
...
The problem with this approach?
Not many that I can think of, except the ones below:
- The deployment YAML files are generally written by developers, who don't need to know about these credentials
- If there are a large number of pods in the namespace, then each manifest needs to be updated whenever the password is rotated
The solution
serviceAccounts - your Kubernetes administrator can just patch serviceAccounts with the registry credential secret, and you don't need to worry about replacing or adding it in your manifest YAML each time.
kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "registry-cred"}]}' -n my-namespace
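The patch only helps pods that run as the patched service account and list no imagePullSecrets of their own, because the service account's secrets are copied into a new pod only when its spec has none. The following audit is an added example, not code from the original post; it checks which deployments would actually pick up registry-cred. The sample listing, the names batch, web, worker, legacy and old-cred, and the status labels are constructed for illustration.

```python
import json

# Constructed sample, shaped like the output of
# `kubectl get serviceaccounts,deployments -n my-namespace -o json`.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "ServiceAccount", "metadata": {"name": "default"},
  "imagePullSecrets": [{"name": "registry-cred"}]},
 {"kind": "ServiceAccount", "metadata": {"name": "batch"}},
 {"kind": "Deployment", "metadata": {"name": "web"}, "spec": {"template": {"spec": {
  "containers": [{"name": "c", "image": "my.private-registry.com/web:1"}]}}}},
 {"kind": "Deployment", "metadata": {"name": "worker"}, "spec": {"template": {"spec": {
  "serviceAccountName": "batch",
  "containers": [{"name": "c", "image": "my.private-registry.com/worker:1"}]}}}},
 {"kind": "Deployment", "metadata": {"name": "legacy"}, "spec": {"template": {"spec": {
  "imagePullSecrets": [{"name": "old-cred"}],
  "containers": [{"name": "c", "image": "my.private-registry.com/legacy:1"}]}}}}
]}
""")


def names(refs):
    """Set of secret names from a list of {"name": ...} references."""
    return {r["name"] for r in refs or []}


def audit(listing, secret="registry-cred"):
    """Map each deployment to how (or whether) it obtains the pull secret."""
    sa_secrets = {i["metadata"]["name"]: names(i.get("imagePullSecrets"))
                  for i in listing["items"] if i["kind"] == "ServiceAccount"}
    report = {}
    for item in listing["items"]:
        if item["kind"] != "Deployment":
            continue
        pod = item["spec"]["template"]["spec"]
        explicit = names(pod.get("imagePullSecrets"))
        sa = pod.get("serviceAccountName") or "default"  # unset means "default"
        if explicit:
            # Secrets listed in the manifest suppress the service-account copy.
            status = "explicit" if secret in explicit else "explicit-without-secret"
        elif secret in sa_secrets.get(sa, set()):
            status = "inherited"  # copied from the service account at pod creation
        else:
            status = "missing"    # this pod's service account was never patched
        report[item["metadata"]["name"]] = status
    return report


if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```

Pods that already exist are not changed by the patch; they pick up the secret the next time they are recreated.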