Skip to content

Image Security

IMAGE security

nginx is the same as nginx/nginx

The default registry is docker.io Google's registry is gcr.io

To login to a private registry:

1
docker login private-registry

To create a secret for a private registry:

1
2
3
4
5
kubectl create secret docker-registry regcred \
  --docker-server=private-registry.io \
  --docker-username=registry-user \
  --docker-password=registry-password \
  --docker-email=registry-user@org.com

To use the secret in a pod:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod
spec:
  containers:
  - name: nginx
    image: private-registry.io/apps/internal-app
  imagePullSecrets:
  - name: regcred

To run a container as a different user:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod
spec:
  containers:
  - name: nginx
    image: private-registry.io/apps/internal-app
  imagePullSecrets:
  - name: regcred
  securityContext:
    runAsUser: 1000
    capabilities:
      add: ["MAC_ADMIN"]