Kind: Pulling images from private repo using imagePullSecrets does not work

1) What did you use to create the secret?

This is a Kubernetes feature not specific to kind.

2) Does the node have connectivity to the registry? Can you exec to one and ping it or similar?

Private registries are known to generally work with kind and we actually have our own docs with more options https://kind.sigs.k8s.io/docs/user/private-registries/

I just tested this with a private registry in quay.io.

Kind version: v0.5.1

The image quay.io/o0o/nginx:stable is private. I can verify that by execing into the kind node and do a crictl pull:

09:18 $ docker exec -ti kind-control-plane bash
root@kind-control-plane:/# crictl pull quay.io/o0o/nginx:stable
FATA[0001] pulling image failed: rpc error: code = Unknown desc = failed to resolve image "quay.io/o0o/nginx:stable": no available registry endpoint: unexpected status code https://quay.io/v2/o0o/nginx/manifests/stable: 401 Unauthorized 

Now I create a secret associated with a robot account on quay.io that has read access to the image.

example secret:

apiVersion: v1
kind: Secret
metadata:
  name: o0o-test-pull-secret
data:
  .dockerconfigjson: CnsKICBhdXRoczogewogICAgcXVheS5pbzogewogICAgICBhdXRoOiBkWE5sY2pwNWIzVnljbTlp
YjNSMGIydGxiZz09CiAgICAgIGVtYWlsOiAKICAgIH0KICB9Cn0=
type: kubernetes.io/dockerconfigjson

The content of dockerconfigjson is encoded base64.

{
  "auths": {
    "quay.io": {
      "auth": "dXNlcjp5b3Vycm9ib3R0b2tlbg=="
      "email": ""
    }
  }
}

The encoded auth line is:

user:yourrobottoken

With that config I can pull my image:
I applied the secret and a pod that looks like this:

apiVersion: v1
kind: Pod
metadata:
  name: somepod
spec:
  containers:
    - name: web
      image: quay.io/o0o/nginx:stable 
  imagePullSecrets:
    - name: o0o-test-pull-secret

Logs from the pod on deployment:

Events:
  Type    Reason     Age   From                         Message
  ----    ------     ----  ----                         -------
  Normal  Scheduled  14s   default-scheduler            Successfully assigned default/somepod to kind-control-plane
  Normal  Pulling    13s   kubelet, kind-control-plane  Pulling image "quay.io/o0o/nginx:stable"
  Normal  Pulled     4s    kubelet, kind-control-plane  Successfully pulled image "quay.io/o0o/nginx:stable"
  Normal  Created    4s    kubelet, kind-control-plane  Created container web
  Normal  Started    4s    kubelet, kind-control-plane  Started container web

After testing out the above and successfully pull a private image from quay.io I can only conclude that it's has something todo with my private repository.

Using the below command inside the running kind-control-plane container leads to the same error:

crictl pull --auths <my_auth_string> <image>

Thanks for the help and time!!!

For anyone who comes across this, I had the same issue and it drove me crazy.

Here is the problem:
In our env we use artifactory and bintray.io to serve our docker images. I know this bug is for a different registry type, but it still may be pertinent. For us this has nothing to do with kind, it is in fact artifactory and bintray causing the issue. Ultimately I had to downgrade to kind node version to use an older version of containerd and it worked. In our env we use k8s 1.14.x. 1.14.10 & 1.14.9 do not work since they use containerd 1.3.2 and 1.3.0 respectively. I had to downgrade to use 1.14.6 which uses containerd 1.2.6 and everything worked.

so
kind create cluster --image kindest/node:v1.14.6

Here are the bugs:
https://github.com/containerd/containerd/issues/3761
--> https://github.com/containerd/containerd/issues/3556
--> https://www.jfrog.com/jira/browse/RTFACT-20170

In the end my issue was related to the auth layer on top of the registry I was using. It was fixed with this PR: https://github.com/cesanta/docker_auth/pull/265

this came up again, reached out to the wonderful @rimusz for follow up 🙏

I've contacted Jfrog support and they answered that it should be fixed by now

Looking at the Jira status, the issue appears to be resolved in Artifactory versions 6.17+.
https://www.jfrog.com/jira/browse/RTFACT-20170

yes, it looks that way as I wasn't able to reproduce it

Hello there
I know this one has been closed but I ran into the same issue recently . when you create your secret, pay attention to the namespace. may be it seems obvious for others but you can easily forget that, mainly if you are building an app with many microservices. if your secret is not in the same namespace than your pod/deployment resource it won't work and you will get the error declared above.

• so for your secret
  kubectl create secret docker-registry mysecretname --docker-server='myserver' --docker-username='myusername' --docker-password='mypassword' --docker-email='[email protected]' --namespace='mynamespace'

• for your pod (it also applies to deployment resource)
  ````yaml

apiVersion: v1
kind: Pod
metadata:
name: "myPodName"
namespace: "mynamespace" --> IMPORTANT
spec:
containers:
- name: myPodName
image: my.pod.image/path:tag

imagePullSecrets:

• name: mysecretname

restartPolicy: Never

````

Thanks @thynquest that's a good reminder. Perhaps we should add a short note to the guide. I think it's in the linked kubernetes docs but there's a lot there 😅

yes @BenTheElder I think we should; it is a good idea..I am not sure that I will be the last to fall for that issue