Kubernetes imagePullSecrets not working; getting "image not found"
Another possible reason why you might see "image not found" is if the namespace of your secret doesn't match the namespace of the container.
For example, if your Deployment yaml looks like
apiVersion: extensions/v1beta1kind: Deploymentmetadata: name: mydeployment namespace: kube-system
Then you must make sure the Secret yaml uses a matching namespace:
apiVersion: v1kind: Secretmetadata: name: mysecret namespace: kube-systemdata: .dockerconfigjson: ****type: kubernetes.io/dockerconfigjson
If you don't specify a namespace for your secret, it will end up in the default namespace and won't get used. There is no warning message. I just spent hours on this issue so I thought I'd share it here in the hope I can save somebody else the time.
Docker generates a config.json
file in ~/.docker/
It looks like:
{ "auths": { "index.docker.io/v1/": { "auth": "ZmFrZXBhc3N3b3JkMTIK", "email": "email@company.com" } }}
what you actually want is:
{"https://index.docker.io/v1/": {"auth": "XXXXXXXXXXXXXX", "email": "email@company.com"}}
note 3 things:
- 1) there is no
auths
wrapping - 2) there is
https://
in front of theURL - 3) it's one line
then you base64 encode that and use as data for the .dockercfg
name
apiVersion: v1kind: Secretmetadata: name: registrydata: .dockercfg: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX==type: kubernetes.io/dockercfg
Note again the .dockercfg
line is one line (base64 tends to generate a multi-line string)
Another reason you might see this error is due to using a kubectl version different than the cluster version (e.g. using kubectl 1.9.x against a 1.8.x cluster).
The format of the secret generated by the kubectl create secret docker-registry command has changed between versions.
A 1.8.x cluster expect a secret with the format:
{ "https://registry.gitlab.com":{ "username":"...", "password":"...", "email":"...", "auth":"..." }}
But the secret generated by the 1.9.x kubectl has this format:
{ "auths":{ "https://registry.gitlab.com":{ "username":"...", "password":"...", "email":"...", "auth":"..." } }}
So, double check the value of the .dockercfg data of your secret and verify that it matches the format expected by your kubernetes cluster version.