Deploying images from a private container registry

You can share access to private container images across multiple Services and Revisions by configuring your Knative cluster to deploy images from a private container registry.

To configure your cluster to use a private container registry, you must:

  1. Create a list of Kubernetes secrets (imagePullSecrets) by using your registry credentials.
  2. Add those imagePullSecrets to the default service account.
  3. Deploy those configurations to your Knative cluster.

Prerequisites

  • You must have a Kubernetes cluster with Knative Serving installed.
  • You must have access to credentials for the private container registry where your container images are stored.

Procedure

  1. Create an imagePullSecrets object that contains your credentials as a list of secrets:

    kubectl create secret docker-registry <registry-credential-secrets> \
      --docker-server=<private-registry-url> \
      --docker-email=<private-registry-email> \
      --docker-username=<private-registry-user> \
      --docker-password=<private-registry-password>

    Where:

    • <registry-credential-secrets> is the name that you want to use for your secrets (the imagePullSecrets object). For example, container-registry.

    • <private-registry-url> is the URL of the private registry where your container images are stored. Examples include Google Container Registry or DockerHub.

    • <private-registry-email> is the email address that is associated with the private registry.

    • <private-registry-user> is the username that you use to access the private container registry.

    • <private-registry-password> is the password that you use to access the private container registry.

    Example:

    kubectl create secret docker-registry container-registry \
      --docker-server=https://gcr.io/ \
      --docker-email=my-account-email@address.com \
      --docker-username=my-gcr-username \
      --docker-password=my-gcr-password

    Tip

    After you have created the imagePullSecrets object, you can view the secrets by running:

    kubectl get secret <registry-credential-secrets> -o=yaml

  2. Add the imagePullSecrets to the default service account in the default namespace.

    Note

    By default, your Revisions use the default service account in each namespace of your Knative cluster, unless the serviceAccountName is specified.

    For example, if you have named your secrets container-registry, you can run the following command to modify the default service account:

    kubectl patch serviceaccount default -p "{\"imagePullSecrets\": [{\"name\": \"container-registry\"}]}"

    New pods that are created in the default namespace now include your credentials and have access to your container images in the private registry.
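The following is an added example, not part of the original documentation. It builds the kubernetes.io/dockerconfigjson Secret that the command in step 1 stores and decodes it again, showing that the output of `kubectl get secret ... -o=yaml` is only base64-encoded, so anyone who can read Secrets in the namespace recovers the registry password. The function names and the sample username and password are constructed for illustration.

```python
import base64
import json


def docker_registry_secret(name, server, username, password, email):
    """Build the Secret manifest equivalent to `kubectl create secret docker-registry`."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {server: {"username": username, "password": password,
                                 "email": email, "auth": auth}}}
    encoded = base64.b64encode(json.dumps(config).encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": encoded},
    }


def recover_credentials(secret):
    """Decode the Secret the way any reader of `-o=yaml` output can: base64 is not encryption."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a docker-registry secret")
    config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    return {server: (entry["username"], entry["password"])
            for server, entry in config["auths"].items()}


def service_account_patch(secret_name):
    """Return the JSON body passed to `kubectl patch serviceaccount default -p ...` in step 2."""
    return json.dumps({"imagePullSecrets": [{"name": secret_name}]})


if __name__ == "__main__":
    # Constructed sample values; the secret name and server match the page's example.
    secret = docker_registry_secret(
        "container-registry", "https://gcr.io/",
        "example-user", "example-password", "user@example.com")
    print(json.dumps(secret, indent=2))
    print("recovered:", recover_credentials(secret))
    print("patch:", service_account_patch("container-registry"))
```

Because the default service account is used by every Revision that does not set serviceAccountName, limit who can read Secrets in that namespace and prefer a registry credential scoped to pulling images only.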