Run images from a private registry
By default, the KubernetesPodOperator expects to pull container images that are hosted publicly. If your images are hosted on the container registry native to your cloud provider, you can grant access to the images directly. Otherwise, if you are using any other private registry, you need to create a Kubernetes Secret containing credentials to the registry, then specify the Kubernetes Secret in your dag.
Prerequisites
- An Astro project.
- An Astro Deployment.
- Access to a private Docker registry.
Setup
Create a Kubernetes Secret
To run Docker images from a private registry on Astro, a Kubernetes Secret that contains credentials to your registry must be created. Injecting this secret into your Deployment’s namespace will give your tasks access to Docker images within your private registry.
By default, the KubernetesPodOperator looks for publicly hosted images. However, you can pull images from a private registry.
- Retrieve a config.json file that contains your Docker credentials by following the Docker documentation. The generated file looks similar to the following:
- Submit a request to Astronomer support for creating a Kubernetes Secret to enable pulling images from private registries. Astronomer Support can provide you with the necessary instructions on how to generate and securely send the credentials.
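Before sending the file, confirm that it carries inline credentials for the one registry your tasks pull from and nothing else. The following is an added example, not Astronomer's code: minimal_registry_config and the example.com hostnames are hypothetical, and it relies on Docker's config.json layout (auths, auth, credsStore, credHelpers).

```python
import base64
import json


def minimal_registry_config(config_text, registry):
    """Return config.json text holding only `registry`'s inline credentials.

    Raises ValueError when the file could not work as an image pull secret.
    """
    config = json.loads(config_text)
    entry = config.get("auths", {}).get(registry)
    if entry is None:
        raise ValueError(f"no auths entry for {registry}")
    auth = entry.get("auth")
    if not auth:
        # With a credential helper the secret lives in the OS keychain and
        # the auths entry is empty, so the file alone authenticates nothing.
        helper = config.get("credHelpers", {}).get(registry) or config.get("credsStore")
        raise ValueError(f"{registry} has no inline auth (helper: {helper})")
    try:
        decoded = base64.b64decode(auth, validate=True).decode("utf-8")
    except ValueError as exc:  # covers bad base64 and bad UTF-8
        raise ValueError("auth is not base64 of user:password") from exc
    user, sep, password = decoded.partition(":")
    if not (user and sep and password):
        raise ValueError("auth does not decode to user:password")
    # Keep one registry; drop other registries, helpers and extra settings.
    return json.dumps({"auths": {registry: {"auth": auth}}}, indent=2)


# Constructed sample data: hostnames and credentials are placeholders.
SAMPLE_AUTH = base64.b64encode(b"ci-bot:not-a-real-token").decode()
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "registry.example.com": {"auth": SAMPLE_AUTH},
        "other.example.net": {"auth": base64.b64encode(b"me:personal").decode()},
    },
    "HttpHeaders": {"User-Agent": "Docker-Client"},
})
HELPER_CONFIG = json.dumps(
    {"auths": {"registry.example.com": {}}, "credsStore": "desktop"}
)

if __name__ == "__main__":
    print(minimal_registry_config(SAMPLE_CONFIG, "registry.example.com"))
```

A dedicated, pull-only registry account keeps the impact small if the file is ever exposed in transit.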
Specify the Kubernetes Secret in your dag
- Astronomer adds the Kubernetes secret to your Deployment, then notifies you and provides you with the name of the secret.
- After you receive the name of your Kubernetes secret from Astronomer, you can run images from your private registry by importing models from kubernetes.client and configuring image_pull_secrets in your KubernetesPodOperator instantiation: