Reference Documentation

Design docs, concept definitions, and references for APIs and CLIs.

Edit This Page

kubectl create secret docker-registry

Create a secret for use with a Docker registry


Create a new secret for use with Docker registries.

Dockercfg secrets are used to authenticate against Docker registries.

When using the Docker command line to push images, you can authenticate to a given registry by running ‘docker login DOCKER_REGISTRY_SERVER –username=DOCKER_USER –password=DOCKER_PASSWORD –email=DOCKER_EMAIL’. That produces a ~/.dockercfg file that is used by subsequent ‘docker push’ and ‘docker pull’ commands to authenticate to the registry.

When creating applications, you may have a Docker registry that requires authentication. In order for the nodes to pull images on your behalf, they have to have the credentials. You can provide this information by creating a dockercfg secret and attaching it to your service account.

kubectl create secret docker-registry NAME --docker-username=user --docker-password=password --docker-email=email [--docker-server=string] [--from-literal=key1=value1] [--dry-run]


# If you don't already have a .dockercfg file, you can create a dockercfg secret directly by using:
kubectl create secret docker-registry my-secret --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL


      --docker-email string       Email for Docker registry
      --docker-password string    Password for Docker registry authentication
      --docker-server string      Server location for Docker registry (default "")
      --docker-username string    Username for Docker registry authentication
      --dry-run                   If true, only print the object that would be sent, without sending it.
      --generator string          The name of the API generator to use. (default "secret-for-docker-registry/v1")
      --include-extended-apis     If true, include definitions of new APIs via calls to the API server. [default true] (default true)
      --no-headers                When using the default or custom-column output format, don't print headers.
  -o, --output string             Output format. One of: json|yaml|wide|name|custom-columns=...|custom-columns-file=...|go-template=...|go-template-file=...|jsonpath=...|jsonpath-file=... See custom columns [], golang template [] and jsonpath template [].
      --output-version string     Output the formatted object with the given group version (for ex: 'extensions/v1beta1').
      --save-config               If true, the configuration of current object will be saved in its annotation. This is useful when you want to perform kubectl apply on this object in the future.
      --schema-cache-dir string   If non-empty, load/store cached API schemas in this directory, default is '$HOME/.kube/schema' (default "~/.kube/schema")
  -a, --show-all                  When printing, show all resources (default hide terminated pods.)
      --show-labels               When printing, show all labels as the last column (default hide labels column)
      --sort-by string            If non-empty, sort list types using this field specification.  The field specification is expressed as a JSONPath expression (e.g. '{}'). The field in the API resource specified by this JSONPath expression must be an integer or a string.
      --template string           Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].
      --validate                  If true, use a schema to validate the input before sending it (default true)

Options inherited from parent commands

      --alsologtostderr value          log to standard error as well as files
      --as string                      Username to impersonate for the operation
      --certificate-authority string   Path to a cert. file for the certificate authority
      --client-certificate string      Path to a client certificate file for TLS
      --client-key string              Path to a client key file for TLS
      --cluster string                 The name of the kubeconfig cluster to use
      --context string                 The name of the kubeconfig context to use
      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
      --kubeconfig string              Path to the kubeconfig file to use for CLI requests.
      --log-backtrace-at value         when logging hits line file:N, emit a stack trace (default :0)
      --log-dir value                  If non-empty, write log files in this directory
      --logtostderr value              log to standard error instead of files
      --match-server-version           Require server version to match client version
  -n, --namespace string               If present, the namespace scope for this CLI request
      --password string                Password for basic authentication to the API server
  -s, --server string                  The address and port of the Kubernetes API server
      --stderrthreshold value          logs at or above this threshold go to stderr (default 2)
      --token string                   Bearer token for authentication to the API server
      --user string                    The name of the kubeconfig user to use
      --username string                Username for basic authentication to the API server
  -v, --v value                        log level for V logs
      --vmodule value                  comma-separated list of pattern=N settings for file-filtered logging
Auto generated by spf13/cobra on 2-Sep-2016



Create Issue Edit This Page