Step-by-step instructions for performing operations with Kubernetes.

Edit This Page

Pull an Image from a Private Registry

This page shows how to create a Pod that uses a Secret to pull an image from a private Docker registry or repository.

Before you begin

Log in to Docker

docker login

When prompted, enter your Docker username and password.

The login process creates or updates a config.json file that holds an authorization token.

View the config.json file:

cat ~/.docker/config.json

The output contains a section similar to this:

    "auths": {
        "https://index.docker.io/v1/": {
            "auth": "c3R...zE2"

NOTE: If you use a Docker credentials store, you won’t see that auth entry but a credsStore entry with the name of the store as value.

Create a Secret that holds your authorization token

Create a Secret named regsecret:

kubectl create secret docker-registry regsecret --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>


Understanding your Secret

To understand what’s in the Secret you just created, start by viewing the Secret in YAML format:

kubectl get secret regsecret --output=yaml

The output is similar to this:

apiVersion: v1
  .dockercfg: eyJodHRwczovL2luZGV4L ... J0QUl6RTIifX0=
kind: Secret
  name: regsecret
type: kubernetes.io/dockercfg

The value of the .dockercfg field is a base64 representation of your secret data.

Copy the base64 representation of the secret data into a file named secret64.

Important: Make sure there are no line breaks in your secret64 file.

To understand what is in the .dockercfg field, convert the secret data to a readable format:

base64 -d secret64

The output is similar to this:


Notice that the secret data contains the authorization token from your config.json file.

Create a Pod that uses your Secret

Here is a configuration file for a Pod that needs access to your secret data:

apiVersion: v1
kind: Pod
  name: private-reg
    - name: private-reg-container
      image: <your-private-image>
    - name: regsecret

Copy the contents of private-reg-pod.yaml to your own file named my-private-reg-pod.yaml. In your file, replace <your-private-image> with the path to an image in a private repository.

Example Docker Hub private image:


To pull the image from the private repository, Kubernetes needs credentials. The imagePullSecrets field in the configuration file specifies that Kubernetes should get the credentials from a Secret named regsecret.

Create a Pod that uses your Secret, and verify that the Pod is running:

kubectl create -f my-private-reg-pod.yaml
kubectl get pod private-reg

What’s next


Create an Issue Edit this Page