How-tos

What’s the secret? How to pull an image from a non-default Kubernetes namespace in IBM Bluemix Container Service.

Share this post:

Why do I need a secret?

To use Kubernetes, you can use a Docker registry to store your images to deploy microservices into your Kubernetes cluster. A Docker registry can either be:

  • A public Docker registry, which is publicly accessible, or set up to provide access for a group of users. Public Docker registries generally do not require authentication, such as DockerHub, and can be used without additional configuration.

  • A private Docker registry, which is limited to an individual or authenticated access group of users.

If you’re using a private Docker registry, which requires authentication, you need to store credentials to access the registry in a Kubernetes secret, of type imagePullSecret. If you’re trying out the new Kubernetes beta in the IBM Bluemix Container Service, you’ll probably be using the IBM Bluemix registry, which creates the secret for you. If you have a private registry elsewhere though, you need to create your own Kubernetes secret.

The default IBM Bluemix registry secret

You can use the IBM Bluemix registry to access IBM provided public images or to set up your own Docker private image registry in Bluemix where you can safely store and share images across your organization.

When you create a cluster, an imagePullSecret is automatically created in the default Kubernetes namespace that securely stores the credentials to access your private registry in Bluemix. With the imagePullSecret you have read-only access to any images in your private registry, and also to the IBM-provided public images. When you create a deployment in your default namespace and you specify an image from your private registry in Bluemix, Kubernetes uses theimagePullSecret to find the credentials to access your private registry.

To use an image from the IBM Bluemix registry, you define the registry path to the image in your configuration script. During container creation, IBM Bluemix Container Service automatically recognizes this path and uses the imagePullSecret to access the IBM Bluemix registry. Therefore, you do not have to define the imagePullSecret as part of your configuration script.

So, what if you want to use images from your non-default Kubernetes namespace? This is when you want to be able to share your secret – your imagePullSecret.

Sharing the secret across multiple Kubernetes namespaces in IBM Bluemix Container Service

To pull images into a non-default Kubernetes namespace in IBM Bluemix Container Service, you must add a new secret in your new namespace. For the Beta, you can copy the existing default secret into the new namespace.

How can you do this? Run this single command from a command line where the KUBECONFIG is targeted at your cluster:

kubectl get secret bluemix-default-secret -o yaml | sed 's/default/<new-namespace>/g' | kubectl -n <new-namespace> create -f -

This command takes the following steps for you:

  1. Getting the IBM Bluemix registry default imagePullSecret. This is the secret from Kubernetes that is automatically created for you when your cluster is created.

  2. Replacing all references to the default namespace with the name of your new namespace in the imagePullSecret configuration file, including the name of the new secret.

  3. Creating a new imagePullSecret in the new namespace from the modified configuration file.


You might also want to add the secret to the default Kubernetes service account of your new namespace, so that you can use the secret without having to explicitly reference it in your deployment files.

To learn more about how to do this, check out the Kubernetes documentation.

\\

More How-tos stories
May 3, 2019

Kubernetes Tutorials: 5 Ways to Get You Building Fast

Ready to start working with Kubernetes? Want to build your Kubernetes skills? The five tutorials in this post will teach you everything you need to know about how to manage your containerized apps with Kubernetes.

Continue reading

May 3, 2019

Using Portworx to Deploy and Manage an HA MySQL Cluster on IBM Cloud Kubernetes Service

This tutorial is a walkthrough of the steps involved in deploying and managing a highly available MySQL cluster on IBM Cloud Kubernetes Service.

Continue reading

May 2, 2019

Kubernetes v1.14.1 Now Available in IBM Cloud Kubernetes Service

We are excited to announce the availability of Kubernetes v1.14.1 for your clusters that are running in IBM Cloud Kubernetes Service. IBM Cloud Kubernetes Service continues to be the first public managed Kubernetes service to support the latest upstream versions from the community.

Continue reading