
Work with Images Securely


Image security is handled in different ways. One way is to control access to private registries using an imagePullSecret, a Secret that contains the credentials needed to pull from a registry. An image pull secret is based on Docker's config.json, which is created by running docker login. You can create an imagePullSecret imperatively by supplying your credentials to kubectl create secret docker-registry:

$ kubectl create secret docker-registry myregistry \
    --docker-server=https://my.image.registry \
    --docker-username=my-user --docker-password=my-pw \
    --docker-email=myacc@image.registry

Pods whose container images need to be pulled from the my.image.registry private registry reference those credentials using the imagePullSecrets key in their spec:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: fluentbitcommandpod
  name: fluentbitcommandpod
spec:
  containers:
  - command:
    - /fluent-bit/bin/fluent-bit
    - -i
    - mem
    - -o
    - stdout
    # The registry host in the image name must match the --docker-server of the pull secret
    image: my.image.registry/my-fluent-bit
    name: fluentbitcommandpod
  imagePullSecrets: 
  - name: myregistry

Container images can also be referenced by the sha256 digest of the image instead of a tag. A tag can later be moved to point at different content, while a digest tells the container runtime to use that exact image every time. Here is an example of updating a Kubernetes deployment to a specific image digest:

kubectl set image deploy nginx-prod nginx=myregistry/nginx@sha256:2397b05f8a7df1cf48d51314a5e2c249f1e83a4211cd78ceb58e8372bf087f07 --record=true
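
Digest pinning only helps if every manifest actually uses it. The script below is an added example, not part of the original page: it reads a manifest on stdin and reports each image value that is not pinned by a full sha256 digest. The function names and the sample manifest are constructed for illustration, and the line-based matching assumes block-style YAML with one image key per line.

```shell
#!/bin/sh
# Classify one image reference as: pinned, bad-digest, tag, or implicit-latest.
classify_image() {
  ref=$1
  case $ref in
    *@*)
      # Everything after '@' must be a complete digest: sha256 plus 64 hex chars.
      if printf '%s\n' "${ref##*@}" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
        echo pinned
      else
        echo bad-digest
      fi ;;
    *)
      # A tag is a ':' in the last path component only;
      # in "host:5000/nginx" the colon is a registry port, not a tag.
      last=${ref##*/}
      case $last in
        *:*) echo tag ;;
        *)   echo implicit-latest ;;
      esac ;;
  esac
}

# Read a manifest on stdin; print "<kind><TAB><ref>" for every unpinned image.
unpinned_images() {
  sed -n 's/^[[:space:]-]*image:[[:space:]]*\([^[:space:]]*\).*/\1/p' |
  tr -d "\"'" |
  while IFS= read -r ref; do
    kind=$(classify_image "$ref")
    [ "$kind" = pinned ] || printf '%s\t%s\n' "$kind" "$ref"
  done
}

# Constructed sample manifest fragment (not from a real cluster).
SAMPLE='
spec:
  containers:
  - image: myregistry/my-fluent-bit
  - name: web
    image: myregistry/nginx@sha256:2397b05f8a7df1cf48d51314a5e2c249f1e83a4211cd78ceb58e8372bf087f07
  - image: my.image.registry:5000/nginx
  - image: myregistry/nginx:1.25
  - image: myregistry/nginx@sha256:2397b05f
imagePullSecrets:
- name: myregistry
'
printf '%s\n' "$SAMPLE" | unpinned_images
```

Only the second container passes. The truncated digest is reported as bad-digest rather than accepted, and the registry port in my.image.registry:5000/nginx is not mistaken for a tag.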
