An nginx:alpine container image is available in a private registry at registry.iximiuz.com.
Your task is to deploy a Kubernetes Pod using this image and ensure it can serve requests successfully.
The registry requires authentication with the following credentials:
- Username: iximiuzlabs
- Password: rules!
Since the image is hosted in a private registry, Kubernetes must be provided with the proper credentials to pull it. You will need to:
- Configure authentication credentials for the private registry
- Create a Pod that uses these credentials to pull the image
- Verify that the Pod is running and serving the default Nginx welcome page
Success criteria:
- A Pod named nginx-1 exists in the default namespace
- The Pod uses the registry.iximiuz.com/nginx:alpine image
- The Nginx server in the Pod responds with the welcome page
Hint 1: Private Registry Access in Kubernetes 💡
When Kubernetes needs to pull images from private registries, it requires authentication credentials.
Kubernetes stores these credentials as Secrets of a special type called kubernetes.io/dockerconfigjson.
This secret format is compatible with Docker's authentication configuration.
The most common approaches are:
- Use the kubectl create secret docker-registry command
- Copy existing Docker credentials from ~/.docker/config.json
- Create the secret manually using a YAML manifest
Check the official Kubernetes documentation for detailed examples.
Hint 2: Creating a Registry Secret in the Command Line 💡
You can create a registry authentication secret using the kubectl create secret command with the docker-registry type:
kubectl create secret docker-registry SECRET_NAME \
--docker-server=REGISTRY_DOMAIN \
--docker-username=REGISTRY_USERNAME \
--docker-password=REGISTRY_PASSWORD \
--namespace=POD_NAMESPACE
The secret will contain the encoded credentials that Kubernetes can use to authenticate with the registry.
Providing your secret as a command line argument may result in it being recorded in your shell history. While it's not an issue for this challenge, you likely want to avoid this in production.
Hint 3: Creating a Registry Secret from a Docker Config File 💡
An alternative approach is to copy your existing Docker credentials from ~/.docker/config.json and use them to create a Kubernetes Secret.
kubectl create secret generic SECRET_NAME \
--from-file=.dockerconfigjson=$HOME/.docker/config.json \
--type=kubernetes.io/dockerconfigjson
Note that the above command uses a generic secret type in its argument list (instead of docker-registry), but additionally provides the --type=kubernetes.io/dockerconfigjson flag.
The gotcha of this approach is that you need to have the ~/.docker/config.json file available on your machine, and it should contain only the credentials for the registry your Pod needs (because ~/.docker/config.json may have entries for other registries).
Hint 4: Creating a Registry Secret with a YAML Manifest 💡
The most flexible approach is to create a registry secret from a YAML manifest.
For that, you'd need to base64 encode the (relevant part of) ~/.docker/config.json file, and then prepare the following YAML manifest:
apiVersion: v1
kind: Secret
metadata:
  name: SECRET_NAME
  namespace: POD_NAMESPACE
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: BASE64_ENCODED_DOCKER_CONFIG_JSON
Once the manifest is ready, you can use the standard kubectl apply command to create the secret:
kubectl apply -f my-registry-access-secret.yaml
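The "relevant part" step from Hints 3 and 4 can be scripted. The following is an added example, not part of the original challenge: it keeps only one registry's entry from a Docker config, rejects entries that hold no inline credentials (as happens when a credential helper is configured), and renders the Secret manifest. The secret name registry-creds, the second registry and the sample config are constructed for illustration.

```python
import base64
import json

REGISTRY = "registry.iximiuz.com"  # registry host from the challenge text


def single_registry_config(docker_config: dict, registry: str) -> dict:
    """Return a Docker config holding only the `registry` entry of "auths"."""
    entry = docker_config.get("auths", {}).get(registry)
    if entry is None:
        raise KeyError(f"no auths entry for {registry}")
    # With a credential helper (credsStore/credHelpers) the entry is an empty
    # object and the real credentials live outside config.json.
    if "auth" not in entry and not ("username" in entry and "password" in entry):
        raise ValueError(f"auths entry for {registry} holds no inline credentials")
    return {"auths": {registry: entry}}


def secret_manifest(docker_config: dict, registry: str, name: str, namespace: str) -> str:
    """Render a kubernetes.io/dockerconfigjson Secret manifest as YAML text."""
    payload = json.dumps(single_registry_config(docker_config, registry))
    encoded = base64.b64encode(payload.encode()).decode()
    return (
        "apiVersion: v1\n"
        "kind: Secret\n"
        "metadata:\n"
        f"  name: {name}\n"
        f"  namespace: {namespace}\n"
        "type: kubernetes.io/dockerconfigjson\n"
        "data:\n"
        f"  .dockerconfigjson: {encoded}\n"
    )


# Constructed sample standing in for ~/.docker/config.json: the challenge
# registry plus an unrelated entry that must not end up in the cluster.
SAMPLE_CONFIG = {
    "auths": {
        REGISTRY: {"auth": base64.b64encode(b"iximiuzlabs:rules!").decode()},
        "other-registry.example": {"auth": base64.b64encode(b"someone:else").decode()},
    }
}

if __name__ == "__main__":
    # "registry-creds" is a hypothetical secret name chosen for this example.
    print(secret_manifest(SAMPLE_CONFIG, REGISTRY, "registry-creds", "default"))
```

The rendered manifest carries the credentials base64-encoded, not encrypted, so the file needs the same handling as the password itself.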
Hint 5: Using a Registry Secret in a Pod Spec 💡
To make a Pod use a registry secret to pull images, you need to reference it in the Pod specification using the imagePullSecrets field:
apiVersion: v1
kind: Pod
metadata:
  name: POD_NAME
spec:
  containers:
  - name: CONTAINER_NAME
    image: PRIVATE_IMAGE
  imagePullSecrets:
  - name: SECRET_NAME
Once you have referenced the right secret in the Pod spec, Kubernetes should be able to pull the image from the private registry.
Hint 6: Troubleshooting Image Pull Issues 💡
If your Pod is stuck with ImagePullBackOff or ErrImagePull status, use these commands to diagnose:
kubectl describe pod POD_NAME
kubectl get events --sort-by='.lastTimestamp'
To review the content of the registry secret, you can use:
kubectl get secret SECRET_NAME -o jsonpath='{.data}'