
I am deploying a manifest in a Docker Desktop (v4.21.1) Kubernetes cluster.

The image used in the manifest looks like this:

my-local.artifactory.com/docker-images/my-app:v1.0.0

The secret with docker config is created and referred within the manifest in imagePullSecrets. The imagePullPolicy is set to Always.

Error message

Failed to pull image "my-local.artifactory.com/docker-images/my-app:v1.0.0": rpc error: code = Unknown desc = Error response from daemon: Head "https://my-local.artifactory.com/v2/docker-images/my-app/manifests/v1.0.0": unknown: Authentication is required

The deployment failed since it was not able to pull the image, and the error indicates that authentication is required. The odd thing is that the docker-desktop kubelet used a URL that looks like https://my-local.artifactory.com/v2/myapp/manifests/v1.0.0

But I am not sure how this URL is constructed.

  • Question:
    How does the Docker Desktop kubelet know to create this URL https://my-local.artifactory.com/v2/myapp/manifests/v1.0.0? I am not sure how v2 is added to the URL.

When I hit the URL directly in the browser, I get the message below.

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}

2 Answers


  1. The URL is specified by the Docker Registry HTTP API V2.

    The image name my-local.artifactory.com/docker-images/my-app:v1.0.0 breaks down into three parts: the registry name my-local.artifactory.com, the image name docker-images/my-app, and the tag v1.0.0. To pull the image, the kubelet (or anything else) first needs to fetch a piece called the image manifest, and that manifest has a list of the individual layers that need to be downloaded.

    The registry API specifies the manifest URL as

    GET /v2/<name>/manifests/<reference>
    

    where GET is an HTTP verb, <name> is the image name, and <reference> is either the tag or a digest hash. This matches the URL in the error message.

  2. As Chris mentioned, v2 in the URL represents the API version.

    From your description we know that you are using an artifact registry for storing your images.

    The error describes that it requires authentication to access this image/artifact.

    As per this article in County:

    Authenticating and Pulling Images from Artifact Registry

    Kubernetes uses Secrets to authenticate or store the credentials to
    access a Docker registry for images.

    Follow below steps to create a Kubernetes Secret.

    1. To fetch the service account email from the service account key:

    cat serviceaccount.json | grep client_email  # Value used in docker-email key
    

    2. Create a Kubernetes Secret:

    kubectl create secret docker-registry artifact-registry \
    --docker-server=https://us-docker.pkg.dev \
    --docker-email=<service account email address> \
    --docker-username=_json_key \
    --docker-password="$(cat serviceaccount.json)"
    

    3. Verify the creation of the Kubernetes Secret:

    kubectl get secrets | grep artifact-registry
    

    Once you have obtained the Service Account key, then you can
    authenticate to Artifact Registry using the command below:

    cat serviceaccount.json | docker login -u _json_key --password-stdin https://us-docker.pkg.dev
    
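The URL construction described in the first answer and the docker-registry secret from the second, combined into one check (an added example, not code from either answer): it builds the manifest URL from an image reference and tests whether a `.dockerconfigjson` secret value has an entry for that registry host. The function names and the sample secret are constructed for illustration, the reference is assumed to name its registry host explicitly, and matching on host alone is a simplification.

```python
import base64
import json
from urllib.parse import urlsplit

def parse_image_ref(ref):
    """Split 'registry/name:tag' or 'registry/name@digest' into its three parts."""
    registry, _, remainder = ref.partition("/")
    if not remainder or not ("." in registry or ":" in registry or registry == "localhost"):
        raise ValueError("expected an explicit registry host in %r" % ref)
    if "@" in remainder:                       # digest reference, e.g. name@sha256:...
        name, reference = remainder.split("@", 1)
    elif ":" in remainder.rsplit("/", 1)[-1]:  # tag follows the last path component
        name, reference = remainder.rsplit(":", 1)
    else:
        name, reference = remainder, "latest"  # Docker's default tag
    return registry, name, reference

def manifest_url(ref):
    """Build the Registry HTTP API V2 manifest URL: /v2/<name>/manifests/<reference>."""
    registry, name, reference = parse_image_ref(ref)
    return "https://%s/v2/%s/manifests/%s" % (registry, name, reference)

def secret_registries(dockerconfigjson_b64):
    """Return the registry hosts a .dockerconfigjson secret value holds credentials for."""
    config = json.loads(base64.b64decode(dockerconfigjson_b64))
    hosts = set()
    for server in config.get("auths", {}):
        # Keys may be bare hosts or full URLs such as https://us-docker.pkg.dev
        hosts.add(urlsplit(server if "//" in server else "//" + server).netloc)
    return hosts

def secret_covers(ref, dockerconfigjson_b64):
    """True when the secret has an entry for the registry host the image is pulled from."""
    return parse_image_ref(ref)[0] in secret_registries(dockerconfigjson_b64)

# Constructed sample: a secret created with --docker-server=https://us-docker.pkg.dev
SAMPLE_SECRET = base64.b64encode(json.dumps(
    {"auths": {"https://us-docker.pkg.dev": {"username": "_json_key", "password": "placeholder"}}}
).encode()).decode()

if __name__ == "__main__":
    image = "my-local.artifactory.com/docker-images/my-app:v1.0.0"
    print(manifest_url(image))
    print(secret_registries(SAMPLE_SECRET), secret_covers(image, SAMPLE_SECRET))
```

The base64 input is the `.dockerconfigjson` field of the secret's `data`, which `kubectl get secret <name> -o jsonpath='{.data.\.dockerconfigjson}'` prints.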