then I can pull the image and run the container: docker run -d example.test.tld/testie/testimage:latest
In Rancher I don’t seem to get it right at the moment. I have stored a secret (http auth) for my project/namespace and would like to create the container via deployment.
Here I enter the image name as described above and select the stored https authentication as Secret.
Now the status of this container is “Imagepullbackoff” (while creating: Errimagepull)
I think I would have to store the URL first as a repo, but I don’t want to store it as a default for every images, just additionally.
Unfortunately I couldn’t find anything concrete about this, can someone give me a tip on this?
What exactly is the error? Imagepullbackoff is a general error, that could have a variety of different reasons as its cause. You should copy the full error and paste it here.
The way, you would usually apply a registry credential to your workload (Deployment) in Rancher is as follows.
You create a registry credential in the Secrets section of Rancher.
i. You give it a name like company-harbor
ii. You provide the proper Harbor URL of the Harbor registry.
iii. You provide a user name for that registry.
iv. You provide the corresponding password to that user name.
Save that registry credential.
Now, make sure the workload in question can pull from that registry.
View your workload and then press the 3 dots in the top right corner.
Select View/Edit YAML.
Associate the registry credential’s name, with the key spec.template.spec.imagePullSecrets.name.
Like that:
imagePullSecrets:
- name: company-harbor
Save that YAML.
Now the Deployment should automatically re-deploy and pull the image without issues, if the registry credentials provided are correct and working.
P.S.:
If that works for you, you should update the original Deployment definition (YAML) to have that imagePullSecrets key available, so you don’t have to manually add it each time.
thanks for your response.
with “describe pod” i got:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 21s default-scheduler Successfully assigned dev/test-59c9756746-pxjq4 to worker2
Normal BackOff 18s (x2 over 19s) kubelet Back-off pulling image "example.test.tld/testie/testimage:latest"
Warning Failed 18s (x2 over 19s) kubelet Error: ImagePullBackOff
Normal Pulling 7s (x2 over 20s) kubelet Pulling image "example.test.tld/testie/testimage:latest"
Warning Failed 7s (x2 over 20s) kubelet Failed to pull image "example.test.tld/testie/testimage:latest": rpc error: code = Unknown desc = Error response from daemon: unauthorized: **unauthorized to access repository**: testie/testimage, action: pull: unauthorized to access repository: testie/testimage, action: pull
Warning Failed 7s (x2 over 20s) kubelet Error: ErrImagePull
But the .yaml contains the corresponding secret. It worked with the described way via Docker, but it doesn’t quite work with Rancher. The access data stored in the secret are definitely correct.
Unfortunately, I don’t know how to enter the Harbor URL here. With “https” this is not possible. Do I have to store the repo with/without credentials somewhere else?
Unfortunately, I haven’t been familiar with Kubernetes or Rancher for that long.
This error indicates, that something must be incorrect. If you are a 100% sure the username and password are correct, then the URL is not correct. One has to be incorrect, or else you wouldn’t see this error.
However, this specific error unauthorized to access repository means, that your username and/or password must be incorrect. If it wouldn’t reach the repository, like through providing the wrong URL, it would be a different error.
So, even if you are absolutely sure your username and password are correct, make sure it’s correct.
If your secret is a YAML, make sure there are no special characters in the password, which need to be escaped or otherwise properly handled.
If it looks anything like a normal URL to a normal registry, like registry.my-company.tld, then it will work.
It does not need credentials, if it’s a public repository. If it’s a private one, you need credentials.
It’s hard to get familiar with it, especially when starting through Rancher, as Rancher is a bit different and gives a different feeling about Kubernetes, when in fact it’s 90% Kubernetes and 10% Rancher API under the hood.
The Deployment’s YAML or the secret’s? Can you post some YAML with redacted credentials/URLs/etc.?
