loading...
Cover image for How to use service accounts for Kubernetes imagePullSecrets

How to use service accounts for Kubernetes imagePullSecrets

rizwankh_24 profile image Rizwan Khan ・1 min read

What are Service Accounts in Kubernetes?

As per Kubernetes.io - A service account provides an identity for processes that run in a Pod.

One can think of service accounts as service users for pods. They help pods authenticate with the api-server and interact with it.

Many times, we come across a situation where our organization uses a private Docker registry to store the Docker images and to make this available we need to create a docker-registry kubernetes secret and pass as imagePullSecrets in the deployment manifest.

kubectl create secret docker-registry registry-cred \
 --docker-server=my.private-registry.com \
 --docker-username=my_username \
 --docker-password="my_superr_strong_password" \
 --docker-email=my.email@mycompany.com -n my-namespace

Then, we pass this secret in the deployment manifest as below.

...
      imagePullSecrets:
      - name: registry-cred
...

The problem with this approach?

Not many that I can think of, except below ones:

  • The deployment yaml are generally developed by Developers who doesn't need to know about this credentials
  • If there are a large number of pods in the namespace, then each manifest needs to be updated, whenever the password is rotated

The solution

serviceAccounts - your Kubernetes administrator can just patch serviceAccounts with the registry credential secret and you don't need to worry about replacing or adding it in your manifest yaml each time.

kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "registry-cred"}]}' -n my-namespace

Posted on by:

rizwankh_24 profile

Rizwan Khan

@rizwankh_24

hear to read stuff about all the cool things people are trying to achieve

Discussion

pic
Editor guide