Deploying images from a private container registry

You can configure your Knative cluster to deploy images from a private registry across multiple Services and Revisions. To do this, you must create a list of Kubernetes secrets (imagePullSecrets) by using your registry credentials. You must then add those secrets to the default service account for all Services, or the Revision template for a single Service.


  • You must have a Kubernetes cluster with Knative Serving installed.
  • You must have access to credentials for the private container registry where your container images are stored.


  1. Create an imagePullSecrets object that contains your credentials as a list of secrets:

    kubectl create secret docker-registry <registry-credential-secrets> \
      --docker-server=<private-registry-url> \
      --docker-email=<private-registry-email> \
      --docker-username=<private-registry-user> \
      --docker-password=<private-registry-password>


    • <registry-credential-secrets> is the name that you want to use for your secrets (the imagePullSecrets object). For example, container-registry.

    • <private-registry-url> is the URL of the private registry where your container images are stored. Examples include Google Container Registry or DockerHub.

    • <private-registry-email> is the email address that is associated with the private registry.

    • <private-registry-user> is the username that you use to access the private container registry.

    • <private-registry-password> is the password that you use to access the private container registry.


    For example:

    kubectl create secret docker-registry container-registry \
      --docker-server=<private-registry-url> \
      --docker-email=<private-registry-email> \
      --docker-username=my-grc-username \
      --docker-password=my-gcr-password
  2. Optional. After you have created the imagePullSecrets object, you can view the secrets by running:

    kubectl get secret <registry-credential-secrets> -o=yaml
  3. Optional. Add the imagePullSecrets object to the default service account in the default namespace.


    By default, your Revisions use the default service account of the namespace they run in, unless the serviceAccountName is specified.

    For example, if you have named your secrets container-registry, you can run the following command to modify the default service account:

    kubectl patch serviceaccount default -p "{\"imagePullSecrets\": [{\"name\": \"container-registry\"}]}"

    New pods that are created in the default namespace now include your credentials and have access to your container images in the private registry.

  4. Optional. Add the imagePullSecrets object to a Service:

    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      name: hello
    spec:
      template:
        spec:
          imagePullSecrets:
            - name: <secret-name>
          containers:
            - image: <image-in-private-registry>  # placeholder for an image stored in your private registry
              ports:
                - containerPort: 8080
              env:
                - name: TARGET
                  value: "World"
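
The following Python check is an added example, not part of the original page or of Knative: it inspects the object that step 2 displays (as `kubectl get secret <name> -o json` would return it) and confirms that it is a usable pull secret for the intended registry. The function names, the registry host `registry.example.com` and the sample credentials are assumptions constructed for illustration.

```python
import base64
import json

PULL_SECRET_TYPE = "kubernetes.io/dockerconfigjson"

def build_sample_secret(server, user, password, email):
    """Constructed sample shaped like `kubectl get secret <name> -o json` output."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    cfg = {"auths": {server: {"username": user, "password": password,
                              "email": email, "auth": auth}}}
    blob = base64.b64encode(json.dumps(cfg).encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "type": PULL_SECRET_TYPE,
            "metadata": {"name": "container-registry"},
            "data": {".dockerconfigjson": blob}}

def check_pull_secret(secret, expected_server):
    """Return a list of problems; an empty list means the secret looks usable."""
    if secret.get("type") != PULL_SECRET_TYPE:
        return [f"unexpected secret type {secret.get('type')!r}"]
    raw = secret.get("data", {}).get(".dockerconfigjson")
    if not raw:
        return ["missing .dockerconfigjson key"]
    try:
        # base64 is an encoding, not encryption: anyone allowed to read the
        # Secret recovers the registry password exactly as this code does.
        auths = json.loads(base64.b64decode(raw))["auths"]
        entry = auths[expected_server]
        user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
    except (KeyError, TypeError) as exc:
        return [f"missing field or registry entry: {exc}"]
    except ValueError as exc:
        return [f"payload is not valid base64-encoded JSON: {exc}"]
    problems = []
    # `auth` is base64("user:password") and must agree with the split fields.
    if (user, password) != (entry.get("username"), entry.get("password")):
        problems.append("auth field disagrees with username/password fields")
    return problems

if __name__ == "__main__":
    # Constructed credentials; nothing here talks to a cluster or a registry.
    sample = build_sample_secret("registry.example.com", "ci-bot",
                                 "s3cret", "ci@example.com")
    print(check_pull_secret(sample, "registry.example.com"))  # matching entry
    print(check_pull_secret(sample, "other.example.com"))     # wrong registry
```

Because the password is recoverable from the Secret by anyone with read access to it, restrict `get` on secrets in the namespace and prefer the per-Service imagePullSecrets of step 4 when only one Service needs the registry.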