
I am trying to run my private docker image alongside the docker-dind container so that I can run docker commands from the private image in Kubernetes.
My only issue is that the docker run command does not read the docker secrets, so it fails, requiring me to run docker login. How could I pass the credentials to the docker run command?

Here is the relevant piece of my Kubernetes deployment:

  containers:
    - name: docker-private
      image: docker:20.10
      command: ['docker', 'run', '-p', '80:8000', 'private/image:latest' ]
      resources:
        requests:
          cpu: 10m
          memory: 256Mi
      env:
        - name: DOCKER_HOST
          value: tcp://localhost:2375
      envFrom:
         - secretRef:
             name: docker-secret-keys
    - name: dind-daemon
      image: docker:20.10-dind
      command: ["dockerd", "--host", "tcp://127.0.0.1:2375"]
      resources:
        requests:
          cpu: 20m
          memory: 512Mi
      securityContext:
        privileged: true
      volumeMounts:
        - name: docker-graph-storage
          mountPath: /var/lib/docker

EDIT
I do have my certificate as a Kubernetes secret that I try to mount into the running docker container, but so far without any success 🙁

apiVersion: v1
data:
  .dockerconfigjson: eyJhXXXXXXdoihfc9w8fwpeojfOFwhfoiuwehfo8wfhoi2ehfioewNlcm5hbWUiOiJlbGRhcmVudGas4hti45ytg45hgiVsZGFXXXXXXyQGVudG9yLmlvIiwiYXV0aCI6IlpXeGtZWEpsYm5SdmNqb3dObVl4WmpjM1lTMDVPRFZrTFRRNU5HRXRZVEUzTXkwMk5UYzBObVF4T0RjeFpUWT0ifX19XXXXXXXXXXX
kind: Secret
metadata:
  name: staging-docker-keys
  namespace: staging
  resourceVersion: "6383"
  uid: a7yduyd-xxxx-xxxx-xxxx-ae2ede3e4ed
type: kubernetes.io/dockerconfigjson

The final goal is for the "inner docker" (the one that runs private/image:latest) to be able to run any docker command without needing to log in before each command.

3 Answers


  1. Chosen as BEST ANSWER

    Ok, I finally created an access token on my docker repository and used it to perform the docker login command. It works just fine :)


  2. Assuming you are not using docker cert authentication but a username and password, you may follow the path below:

    • modify the docker client image (docker:20.1) entrypoint using the command field

    • the command may look like below:

        command: ["/bin/sh"]
        args: ["-c", "docker login...;docker run..."]
    

    Sample working pod using the idea:

    apiVersion: v1
    kind: Pod
    metadata:
      name: myapp
      labels:
        name: myapp
    spec:
      containers:
      - name: myapp
        image: docker:20.10
        command: ["/bin/sh"]
        args: ["-c", "docker version;docker info"]
        resources:
          limits:
            memory: "128Mi"
            cpu: "500m"
    

    Based on the docs

    EDIT:

    If you do use docker cert authentication, you have several options:

    • bake the certificates by extending docker client image and using it instead.
    • mount the certificates if you have them as Kubernetes secrets in the cluster
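    An added example (not from the question or either answer) of the "mount the secret" option above: the asker's existing kubernetes.io/dockerconfigjson secret (staging-docker-keys) is projected as config.json and DOCKER_CONFIG points the client at it, so docker run finds the registry credentials without a docker login in args, where a password would be visible in the pod spec and process list. The pod name and the /etc/docker-client mount path are assumptions.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: docker-private            # assumed name
  namespace: staging              # namespace of the secret from the question
spec:
  volumes:
    # Project only the .dockerconfigjson key of the existing secret,
    # renamed to config.json, which is the file name the docker CLI expects.
    - name: docker-config
      secret:
        secretName: staging-docker-keys
        items:
          - key: .dockerconfigjson
            path: config.json
  containers:
    - name: docker-private
      image: docker:20.10
      command: ['docker', 'run', '-p', '80:8000', 'private/image:latest']
      env:
        - name: DOCKER_HOST
          value: tcp://localhost:2375
        # The CLI reads $DOCKER_CONFIG/config.json instead of ~/.docker/config.json,
        # and sends the matching auth entry with the pull request for the image.
        - name: DOCKER_CONFIG
          value: /etc/docker-client   # assumed path
      volumeMounts:
        - name: docker-config
          mountPath: /etc/docker-client
          readOnly: true              # the client never needs to write here
    - name: dind-daemon
      image: docker:20.10-dind
      command: ["dockerd", "--host", "tcp://127.0.0.1:2375"]
      securityContext:
        privileged: true              # required by dind, as in the question
```

    The auth entry inside the secret must be keyed by the same registry host that private/image:latest is pulled from, otherwise the client sends no credentials for that pull.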
  3. docker:dind will create the CA, server and client certs in /certs.
    Just create an emptyDir volume to share the certs.

    apiVersion: v1
    kind: Pod
    metadata:
      name: myapp
      labels:
        name: myapp
    spec:
      volumes:
      - name: docker-tls-certdir
        emptyDir: {}
      containers:
        - name: docker-private
          image: docker:20.10
          command: ['docker', 'run', '-p', '80:8000', 'nginx' ]
          env:
            - name: DOCKER_HOST
              value: tcp://localhost:2375
          volumeMounts:
            - name: docker-tls-certdir
              mountPath: /certs
        - name: dind-daemon
          image: docker:20.10-dind
          command: ["dockerd", "--host", "tcp://127.0.0.1:2375"]
          securityContext:
            privileged: true
          volumeMounts:
            - name: docker-tls-certdir
              mountPath: /certs
    