Question 80667 in Docker Question posted in
The official documentation can be found here.

Error: ErrorImagePull. Not able to pull images from private Docker registry using Kubernetes

I’m trying to pull my Docker Image from my private Docker Registry in Kubernetes, but I got this error: ImagePullBackOff

NAME                           READY   STATUS             RESTARTS   AGE
nginx-994fc8fb7-f24sv          2/2     Running            0          2d22h
portals-app-669b654d87-lk258   0/1     ImagePullBackOff   0          66m
portals-app-669b654d87-p87c6   0/1     ImagePullBackOff   0          67m
portals-app-7775d445-c5762     0/1     ImagePullBackOff   0          66m

So I used describe command to view the error detail, here is the error:

Name:             portals-app-669b654d87-lk258
Namespace:        default
Priority:         0
Service Account:  default
Node:             client-portal-nodepool-qjfch/10.127.0.2
Start Time:       Sat, 25 Feb 2023 20:30:56 +1100
Labels:           app=app
                  pod-template-hash=669b654d87
Annotations:      <none>
Status:           Pending
IP:               10.244.0.60
IPs:
  IP:           10.244.0.60
Controlled By:  ReplicaSet/portals-app-669b654d87
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  kube-api-access-s2j6z:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason   Age                    From     Message
  ----    ------   ----                   ----     -------
  Normal  BackOff  2m34s (x284 over 67m)  kubelet  Back-off pulling image 
"xichen9718/portals_docker_repository:latest"

I feel this error message is not that clear, and I guess it might have something to do with the Docker Private Registry authentication. So I create an individual Pod. This is my pod Yaml file.:

apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    image: xichen9718/portals_docker_repository:latest
  imagePullSecrets:
  - name: regcred

and I ran the describe command again, I got this at this time:

Name:             private-reg
Namespace:        default
Priority:         0
Service Account:  default
Node:             client-portal-nodepool-qjfch/10.127.0.2
Start Time:       Sat, 25 Feb 2023 21:15:52 +1100
Labels:           <none>
Annotations:      <none>
Status:           Pending
IP:               10.244.0.79
IPs:
  IP:  10.244.0.79
Containers:
  private-reg-container:
    Container ID:
    Image:          xichen9718/portals_docker_repository:latest
    Image ID:
    Port:           <none>
    Host Port:      <none>
    State:          Waiting
      Reason:       ImagePullBackOff
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-7gvvj (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  kube-api-access-7gvvj:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                            node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason     Age                From               Message
  ----     ------     ----               ----               -------
  Normal   Scheduled  50s                default-scheduler  Successfully assigned default/private-reg to client-portal-nodepool-qjfch
  Warning  Failed     28s (x2 over 46s)  kubelet            Failed to pull image "xichen9718/portals_docker_repository:latest": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/xichen9718/portals_docker_repository:latest": failed to resolve reference "docker.io/xichen9718/portals_docker_repository:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
  Warning  Failed     28s (x2 over 46s)  kubelet            Error: ErrImagePull
  Normal   BackOff    15s (x2 over 45s)  kubelet            Back-off pulling image "xichen9718/portals_docker_repository:latest"
  Warning  Failed     15s (x2 over 45s)  kubelet            Error: ImagePullBackOff
  Normal   Pulling    2s (x3 over 49s)   kubelet            Pulling image "xichen9718/portals_docker_repository:latest"

But I think I set the secret successfully, when I run
kubectl get secret regcred --output=yaml,
I can view my .dockerconfigjson and other data. and I tried to pull the image locally, I can pull it successfully, so that means my image name and tag is correct.
I’m really confused now, can anybody help me with this please?
Thanks a lot.

Update:

I deleted my secret, deployment, pod and re-created them again, then it works. I guess it might have something to do with the sequence of my developing process

Tags:

2

Answers


  1. 0

    This:

    spec:
  containers:
  - name: private-reg-container
    image: xichen9718/portals_docker_repository:latest

    Is pulling from docker.io and not a private repo.

    Also, this:

      Warning  Failed     28s (x2 over 46s)  kubelet            Failed to pull image "xichen9718/portals_docker_repository:latest": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/xichen9718/portals_docker_repository:latest": failed to resolve reference "docker.io/xichen9718/portals_docker_repository:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

    Says authorization failed. Presumeably because you’re trying to authenticate against docker hub and not your private repo.

    If you are using a private repo, you need to include the hostname of your repo in the image, e.g.

    spec:
  containers:
  - name: private-reg-container
    image: myprivaterepo.com/xichen9718/portals_docker_repository:latest

    If you don’t it will assume docker hub

    Login or Signup to reply.
  2. 0

    Seems like an issue with the generated token or password you have used from docker:

    Failed to pull image "xichen9718/portals_docker_repository:latest": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/xichen9718/portals_docker_repository:latest": failed to resolve reference "docker.io/xichen9718/portals_docker_repository:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

    If you followed the first method to create the secret(Create a Secret based on existing credentials). Can you double check whether you were logged into the docker hub at that time and got the credentials from the docker config file?

    Or you can be more explicit with the second option supported as below. Better to try it as well.

    kubectl create secret docker-registry regcred --docker-server=<your-registry-server> 
    --docker-username=<your-name> 
    --docker-password=<your-pword> 
    --docker-email=<your-email>
    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search