kubectl create secret docker-registry regsecret --docker-server=registry-internal.cn-hangzhou.aliyuncs.com --docker-username=abc@aliyun.com --docker-password=xxxxxx --docker-email=abc@aliyun.com

In the command:

  • regsecret: the secret name. You can enter a custom name.
  • --docker-server: the address of the Docker registry.
  • --docker-username: the username for logging on to the Docker registry.
  • --docker-password: the password for logging on to the Docker registry.
  • --docker-email: optional. The email address.

Add the secret to the YAML file.

containers:
    - name: foo
      image: registry-internal.cn-hangzhou.aliyuncs.com/abc/test:1.0
imagePullSecrets:
    - name: regsecret

In the code:

  • imagePullSecrets specifies the secret used for pulling images.
  • regsecret must be the same as the secret name configured earlier.
  • The name of the Docker registry in image must be the same as that in --docker-server.
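The registry-match rule above can be checked before deployment. The following is an added example, not part of the original documentation: it decodes a kubernetes.io/dockerconfigjson secret and reports container images whose registry host has no credentials in the referenced pull secrets. The function names and the registry.example.com host are assumptions, and the exact host comparison is a simplification of the kubelet's credential matching.

```python
import base64
import json

def registry_of(image):
    """Registry host of an image reference (docker.io when none is given)."""
    first, sep, _ = image.partition("/")
    # The first path component is a registry only if it looks like a host.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def secret_registries(secret):
    """Registry hosts stored in a kubernetes.io/dockerconfigjson Secret."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a dockerconfigjson secret")
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    # --docker-server may carry a scheme or path; compare on the host only.
    return {s.split("://", 1)[-1].split("/", 1)[0] for s in cfg.get("auths", {})}

def unmatched_images(pod_spec, secrets):
    """Images whose registry no referenced pull secret has credentials for."""
    covered = set()
    for ref in pod_spec.get("imagePullSecrets", []):
        if ref["name"] in secrets:  # a missing secret covers nothing
            covered |= secret_registries(secrets[ref["name"]])
    return [c["image"] for c in pod_spec.get("containers", [])
            if registry_of(c["image"]) not in covered]

def make_secret(server, user, password):
    """Build a Secret in the shape `kubectl create secret docker-registry` stores."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    cfg = {"auths": {server: {"username": user, "password": password, "auth": auth}}}
    blob = base64.b64encode(json.dumps(cfg).encode()).decode()
    return {"type": "kubernetes.io/dockerconfigjson", "data": {".dockerconfigjson": blob}}

# Constructed sample data, reusing the placeholder values from the page.
REGISTRY = "registry-internal.cn-hangzhou.aliyuncs.com"
SECRETS = {"regsecret": make_secret(REGISTRY, "abc@aliyun.com", "xxxxxx")}
POD_OK = {"containers": [{"name": "foo", "image": REGISTRY + "/abc/test:1.0"}],
          "imagePullSecrets": [{"name": "regsecret"}]}
# registry.example.com is a constructed host with no entry in regsecret.
POD_BAD = {"containers": [{"name": "foo", "image": "registry.example.com/abc/test:1.0"}],
           "imagePullSecrets": [{"name": "regsecret"}]}

if __name__ == "__main__":
    for label, pod in (("matching", POD_OK), ("mismatched", POD_BAD)):
        print(label, "->", unmatched_images(pod, SECRETS) or "all images covered")
```

On a live cluster, the same functions accept the parsed output of kubectl get secret regsecret -o json and the spec of kubectl get pod -o json.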

For more information, see Use a private registry.

Implement orchestration without the secret

To avoid referencing the secret each time you use private images for deployment, you can add the secret to the default service account of the namespace. For more information, see Add ImagePullSecrets to a service account.

Obtain the secret created for pulling private images.

# kubectl get secret regsecret
NAME        TYPE                             DATA      AGE
regsecret   kubernetes.io/dockerconfigjson   1         13m

In this example, manually configure the default service account of the namespace to use this secret as the imagePullSecret.

Create the sa.yaml configuration file and import the configuration of the default service account to this file.

kubectl get serviceaccounts default -o yaml > ./sa.yaml

cat sa.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2015-08-07T22:02:39Z
  name: default
  namespace: default
  resourceVersion: "243024"             ## Pay attention to this parameter.
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
secrets:
- name: default-token-uudge

Run the vim sa.yaml command to open the sa.yaml file, delete the resourceVersion parameter, and add the imagePullSecrets parameter to specify the secret for pulling images. The modified configuration is as follows:

 
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2015-08-07T22:02:39Z
  name: default
  namespace: default
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
secrets:
- name: default-token-uudge
imagePullSecrets:                 ## Add this parameter.
- name: regsecret

Use the configuration in the sa.yaml file to replace the configuration of the default service account.

kubectl replace serviceaccount default -f ./sa.yaml
serviceaccount "default" replaced

Run the kubectl create -f command to create a Tomcat application.

apiVersion: apps/v1beta2 # for versions before 1.8.0 use apps/v1beta1
kind: Deployment
metadata:
  name: tomcat-deployment
  labels:
    app: tomcat
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tomcat
  template:
    metadata:
      labels:
        app: tomcat
    spec:
      containers:
      - name: tomcat
        image: registry-internal.cn-hangzhou.aliyuncs.com/abc/test:1.0  # Replace it with the address of your private image.
        ports:
        - containerPort: 8080

If the configuration is correct, the pod is started. Run the kubectl get pod tomcat-xxx -o yaml command. You can find the following configuration in the command output:

spec:
  imagePullSecrets:
  - name: regsecret