/registry-creds

Replicate Kubernetes ImagePullSecrets to all namespaces

Primary LanguageGoMIT LicenseMIT

registry-creds operator

CI status

This operator can be used to propagate a single ImagePullSecret to all namespaces within your cluster, so that images are pulled using authentication.

See also: ROADMAP.md

Use-case: Propagate a private registry secret to all namespaces

The second use-case for this operator is to take an authentication token which is required to pull images from a private registry, and to make sure it's available and configured for each and every namespace.

For example, if you were running a multi-tenant service, where customers had their own namespaces, and every Pod was pulled from a common private registry. You could use this operator to automate what would otherwise be a manual and error-prone process.

Use-case: Docker Hub Rate Limits

The original need for this operator, was to make it easier for users of Kubernetes to consume images from the Docker Hub after recent pricing and rate-limiting changes were brought in, an authenticated account is now required to pull images.

These are the limits as understood at time of writing:

  • Unauthenticated users: 100 pulls / 6 hours
  • Authenticated users: 200 pulls / 6 hours
  • Paying, authenticated users: unlimited downloads

Read also: Docker Hub rate limits & pricing

Pulling images with authentication is required in two scenarios:

  • To extend the Docker Hub anonymous pull limits to a practical number
  • To access private registries or repos on the Docker Hub

The normal process is as follows, which becomes tedious and repetitive when you have more than one namespace in a cluster.

  • Create a secret
  • Edit your service account, and add the name of the secret to imagePullSecrets

Getting Started

License

MIT