How to use service accounts for Kubernetes imagePullSecrets

rizwankh_24

Rizwan Khan

Posted on August 12, 2020

How to use service accounts for Kubernetes imagePullSecrets

What are Service Accounts in Kubernetes?

As per Kubernetes.io - A service account provides an identity for processes that run in a Pod.

One can think of service accounts as service users for pods. They help pods authenticate with the api-server and interact with it.

Many times, we come across a situation where our organization uses a private Docker registry to store the Docker images and to make this available we need to create a docker-registry kubernetes secret and pass as imagePullSecrets in the deployment manifest.

kubectl create secret docker-registry registry-cred \
 --docker-server=my.private-registry.com \
 --docker-username=my_username \
 --docker-password="my_superr_strong_password" \
 --docker-email=my.email@mycompany.com -n my-namespace

Then, we pass this secret in the deployment manifest as below.

...
      imagePullSecrets:
      - name: registry-cred
...

The problem with this approach?

Not many that I can think of, except below ones:

  • The deployment yaml are generally developed by Developers who doesn't need to know about this credentials
  • If there are a large number of pods in the namespace, then each manifest needs to be updated, whenever the password is rotated

The solution

serviceAccounts - your Kubernetes administrator can just patch serviceAccounts with the registry credential secret and you don't need to worry about replacing or adding it in your manifest yaml each time.

kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "registry-cred"}]}' -n my-namespace
💖 💪 🙅 🚩
rizwankh_24
Rizwan Khan

Posted on August 12, 2020

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related