Step-by-step instructions for performing operations with Kubernetes.

Documentation for Kubernetes v1.8 is no longer actively maintained. The version you are currently viewing is a static snapshot. For up-to-date documentation, see the latest version.

Edit This Page

Pull an Image from a Private Registry

This page shows how to create a Pod that uses a Secret to pull an image from a private Docker registry or repository.

Before you begin

To check the version, enter kubectl version.

Log in to Docker

docker login

When prompted, enter your Docker username and password.

The login process creates or updates a config.json file that holds an authorization token.

View the config.json file:

cat ~/.docker/config.json

The output contains a section similar to this:

    "auths": {
        "https://index.docker.io/v1/": {
            "auth": "c3R...zE2"

Note: If you use a Docker credentials store, you won’t see that auth entry but a credsStore entry with the name of the store as value.

Create a Secret that holds your authorization token

Create a Secret named regsecret:

kubectl create secret docker-registry regsecret --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>


Understanding your Secret

To understand what’s in the Secret you just created, start by viewing the Secret in YAML format:

kubectl get secret regsecret --output=yaml

The output is similar to this:

apiVersion: v1
  .dockercfg: eyJodHRwczovL2luZGV4L ... J0QUl6RTIifX0=
kind: Secret
  name: regsecret
type: kubernetes.io/dockercfg

The value of the .dockercfg field is a base64 representation of your secret data.

Copy the base64 representation of the secret data into a file named secret64.

Important: Make sure there are no line breaks in your secret64 file.

To understand what is in the .dockercfg field, convert the secret data to a readable format:

base64 -d secret64

The output is similar to this:


Notice that the secret data contains the authorization token from your config.json file.

Create a Pod that uses your Secret

Here is a configuration file for a Pod that needs access to your secret data:

apiVersion: v1
kind: Pod
  name: private-reg
  - name: private-reg-container
    image: <your-private-image>
  - name: regsecret

Download the above file:

wget -O my-private-reg-pod.yaml https://k8s.io/docs/tasks/configure-pod-container/private-reg-pod.yaml

In file my-private-reg-pod.yaml, replace <your-private-image> with the path to an image in a private repository.

Example Docker Hub private image:


To pull the image from the private repository, Kubernetes needs credentials. The imagePullSecrets field in the configuration file specifies that Kubernetes should get the credentials from a Secret named regsecret.

Create a Pod that uses your Secret, and verify that the Pod is running:

kubectl create -f my-private-reg-pod.yaml
kubectl get pod private-reg

What’s next


Create an Issue Edit this Page