Pull Docker Image from private Harbor Repo

Hello everyone,

I’m currently using Rancher version 2.6.3 and would like to obtain a Docker image from a private harbor repo.

On another node - outside of the rancher environment - this works simply as follows.

docker login -u example user https://example.test.tld/
Password: xxxxxxx

then I can pull the image and run the container:
docker run -d example.test.tld/testie/testimage:latest

In Rancher I don’t seem to get it right at the moment. I have stored a secret (http auth) for my project/namespace and would like to create the container via deployment.
Here I enter the image name as described above and select the stored https authentication as Secret.

Now the status of this container is “Imagepullbackoff” (while creating: Errimagepull)

I think I would have to store the URL first as a repo, but I don’t want to store it as a default for every images, just additionally.
Unfortunately I couldn’t find anything concrete about this, can someone give me a tip on this?

What exactly is the error? Imagepullbackoff is a general error, that could have a variety of different reasons as its cause. You should copy the full error and paste it here.

The way, you would usually apply a registry credential to your workload (Deployment) in Rancher is as follows.

  1. You create a registry credential in the Secrets section of Rancher.

    i. You give it a name like company-harbor
    ii. You provide the proper Harbor URL of the Harbor registry.
    iii. You provide a user name for that registry.
    iv. You provide the corresponding password to that user name.
  2. Save that registry credential.
  3. Now, make sure the workload in question can pull from that registry.
  4. View your workload and then press the 3 dots in the top right corner.
  5. Select View/Edit YAML.
  6. Associate the registry credential’s name, with the key spec.template.spec.imagePullSecrets.name.
    Like that:
  - name: company-harbor
  1. Save that YAML.
  2. Now the Deployment should automatically re-deploy and pull the image without issues, if the registry credentials provided are correct and working.


If that works for you, you should update the original Deployment definition (YAML) to have that imagePullSecrets key available, so you don’t have to manually add it each time.

Hi @Akito ,

thanks for your response.
with “describe pod” i got:

  Type     Reason     Age                From               Message
  ----     ------     ----               ----               -------
  Normal   Scheduled  21s                default-scheduler  Successfully assigned dev/test-59c9756746-pxjq4 to worker2
  Normal   BackOff    18s (x2 over 19s)  kubelet            Back-off pulling image "example.test.tld/testie/testimage:latest"
  Warning  Failed     18s (x2 over 19s)  kubelet            Error: ImagePullBackOff
  Normal   Pulling    7s (x2 over 20s)   kubelet            Pulling image "example.test.tld/testie/testimage:latest"
  Warning  Failed     7s (x2 over 20s)   kubelet            Failed to pull image "example.test.tld/testie/testimage:latest": rpc error: code = Unknown desc = Error response from daemon: unauthorized: **unauthorized to access repository**: testie/testimage, action: pull: unauthorized to access repository: testie/testimage, action: pull
  Warning  Failed     7s (x2 over 20s)   kubelet            Error: ErrImagePull

But the .yaml contains the corresponding secret. It worked with the described way via Docker, but it doesn’t quite work with Rancher. The access data stored in the secret are definitely correct.
Unfortunately, I don’t know how to enter the Harbor URL here. With “https” this is not possible. Do I have to store the repo with/without credentials somewhere else?
Unfortunately, I haven’t been familiar with Kubernetes or Rancher for that long.

This error indicates, that something must be incorrect. If you are a 100% sure the username and password are correct, then the URL is not correct. One has to be incorrect, or else you wouldn’t see this error.

However, this specific error unauthorized to access repository means, that your username and/or password must be incorrect. If it wouldn’t reach the repository, like through providing the wrong URL, it would be a different error.
So, even if you are absolutely sure your username and password are correct, make sure it’s correct.

If your secret is a YAML, make sure there are no special characters in the password, which need to be escaped or otherwise properly handled.

If it looks anything like a normal URL to a normal registry, like registry.my-company.tld, then it will work.

It does not need credentials, if it’s a public repository. If it’s a private one, you need credentials.

It’s hard to get familiar with it, especially when starting through Rancher, as Rancher is a bit different and gives a different feeling about Kubernetes, when in fact it’s 90% Kubernetes and 10% Rancher API under the hood.

The Deployment’s YAML or the secret’s? Can you post some YAML with redacted credentials/URLs/etc.?