k3s image pull from private registries

Question

I've been looking at different references on how to enable k3s (running on my pi) to pull docker images from a private registry on my home network (server laptop on my network). If someone can please point my head in the right direction? This is my approach:

Created the docker registry on my server (and making accessible via port 10000):

docker run -d -p 10000:5000 --restart=always --local-docker-registry registry:2

This worked, and was able to push-pull images to it from the "server pc". I didn't add authentication TLS etc. yet...

(viewing the images via docker plugin on VS Code).

Added the inbound firewall rule on my laptop server, and tested that the registry can be 'seen' from my pi (so this also works):

$ curl -ks http://<server IP>:10000/v2/_catalog
{"repositories":["tcpserialpassthrough"]}

Added the registry link to k3s (k3s running on my pi) in registries.yaml file, and restarted k3s and the pi

$ cat /etc/rancher/k3s/registries.yaml
mirrors:
  pwlaptopregistry:
    endpoint:
      - "http://<host IP here>:10000"

Putting the registry prefix to my image endpoint on a deployment manifest:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: tcpserialpassthrough
spec:
  selector:
    matchLabels:
      app: tcpserialpassthrough
  replicas: 1
  template:
    metadata:
      labels:
        app: tcpserialpassthrough
    spec:
      containers:
      - name: tcpserialpassthrough
        image: pwlaptopregistry/tcpserialpassthrough:vers1.3-arm
        resources:
          limits:
            memory: "128Mi"
            cpu: "500m"
        ports:
        - containerPort: 8001
          hostPort: 8001
          protocol: TCP
        command: ["dotnet", "/app/TcpConnector.dll"]

However, when I check the deployment startup sequence, it's still not able to pull the image (and possibly also still referencing docker hub?):

kubectl get events -w
LAST SEEN   TYPE      REASON             OBJECT                                      MESSAGE
8m24s       Normal    SuccessfulCreate   replicaset/tcpserialpassthrough-88fb974d9   Created pod: tcpserialpassthrough-88fb974d9-b88fc
8m23s       Warning   FailedScheduling   pod/tcpserialpassthrough-88fb974d9-b88fc    0/1 nodes are available: 1 node(s) didn't have free ports for the requested pod ports.
8m23s       Warning   FailedScheduling   pod/tcpserialpassthrough-88fb974d9-b88fc    0/1 nodes are available: 1 node(s) didn't have free ports for the requested pod ports.
8m21s       Normal    Scheduled          pod/tcpserialpassthrough-88fb974d9-b88fc    Successfully assigned default/tcpserialpassthrough-88fb974d9-b88fc to raspberrypi
6m52s       Normal    Pulling            pod/tcpserialpassthrough-88fb974d9-b88fc    Pulling image "pwlaptopregistry/tcpserialpassthrough:vers1.3-arm"
6m50s       Warning   Failed             pod/tcpserialpassthrough-88fb974d9-b88fc    Error: ErrImagePull
6m50s       Warning   Failed             pod/tcpserialpassthrough-88fb974d9-b88fc    Failed to pull image "pwlaptopregistry/tcpserialpassthrough:vers1.3-arm": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/pwlaptopregistry/tcpserialpassthrough:vers1.3-arm": failed to resolve reference "docker.io/pwlaptopregistry/tcpserialpassthrough:vers1.3-arm": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
6m3s        Normal    BackOff            pod/tcpserialpassthrough-88fb974d9-b88fc    Back-off pulling image "pwlaptopregistry/tcpserialpassthrough:vers1.3-arm"
3m15s       Warning   Failed             pod/tcpserialpassthrough-88fb974d9-b88fc    Error: ImagePullBackOff

Wondered if the issue is with authorization, and added based on basic auth, following this youtube guide, but the same issue persists. Also noted that that /etc/docker/daemon.json must be edited to allow unauthorized, non-TLS connections, via:

{
  "Insecure-registries": [ "<host IP>:10000" ]
}

but seemed that this needs to be done on node side, whereas nodes don't have docker cli installed??

You don't need docker cli to edit the `daemon.json` just docker daemon (engine). — Shmuel, Feb 16 '21 at 11:49
Thanks for looking through @Shmuel. Possibly stupid question, but can you please elaborate? (1) So must daemon.json be created on the k3s node, while only k3s was installed? Don't know much about docker functionality in k3s / k8s. Only read bare basics, like it utilizing "containerd", at some point. (2) Because the path /etc/docker/.. doesn't even exist on the pi — Paul, Feb 16 '21 at 11:59
I'm not familiar with k3s, maybe it's not running docker at all but some other container runtime environment — Shmuel, Feb 16 '21 at 12:24
@Paul "Wondered if the issue is with authorization, and added based on basic auth" Will it work with http insecure registries without any authorization or tls? Its not working for me despite registries.yaml configuration in all the nodes and restart of k3s. I am using k3s v1.21.2 — akhi, Jul 21 '21 at 18:29

score 13 · Accepted Answer · answered Feb 16 '21 at 14:51

... this is so stupid, have no idea why a domain name and port needs to be specified as the "name" of your referred registry, but anyway this solved my issue (for reference):

$cat /etc/rancher/k3s/registries.yaml
mirrors:
  "<host IP>:10000":
    endpoint:
      - "http://<host IP>:10000"

and restarting k3s:

systemctl restart k3s

Then in your deployment, referring to that in your image path as:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: tcpserialpassthrough
spec:
  selector:
    matchLabels:
      app: tcpserialpassthrough
  replicas: 1
  template:
    metadata:
      labels:
        app: tcpserialpassthrough
    spec:
      containers:
      - name: tcpserialpassthrough
        image: <host IP>:10000/tcpserialpassthrough:vers1.3-arm
        resources:
          limits:
            memory: "128Mi"
            cpu: "500m"
        ports:
        - containerPort: 8001
          hostPort: 8001
          protocol: TCP
        command: ["dotnet", "/app/TcpConnector.dll"]
      imagePullSecrets:
      - name: mydockercredentials

referring to registry's basic auth details saved as a secret:

$ kubectl create secret docker-registry mydockercredentials --docker-server host IP:10000 --docker-username username --docker-password password

You'll be able to verify the pull process via

$ kubectl get events -w

Technically, it's supposed to, although this was not the explicit focus of my test (where I had to be able to create the registry pointer in file /etc/rancher/k3s/registries.yaml). No idea to be honest, sorry... (can only point you to the documentation I followed [here](https://rancher.com/docs/k3s/latest/en/installation/private-registry/) ) — Paul, Jun 03 '21 at 14:53
Can I upvote this 3.4 million times please? The "documentation" (ahem) here, as of 2/1/2022 is wrong and will absolutely lead you into the same trap. https://k3d.io/v5.0.3/usage/configfile/ *Make sure* your registry "name" has the port in it! — hikaru, Feb 01 '22 at 19:31

k3s image pull from private registries

1 Answers1