Private Registries

Kubernetes supports configuring pods to use `imagePullSecrets` for pulling images. If possible, this is the preferable and most portable route.

See the upstream Kubernetes documentation for this; kind does not require any special handling to use it.

kind can load an image from the host with the `kind load ...` commands. If you configure your host with credentials to pull the desired image(s) and then load them to the nodes, you can avoid needing to authenticate on the nodes.

## Add Credentials to the Nodes

Generally the upstream docs for using a private registry apply; with kind there are two options for this.

Assuming your file is at /path/to/my/secret.json, the kind config would be:

```yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  extraMounts:
  - containerPath: /var/lib/kubelet/config.json
    hostPath: /path/to/my/secret.json
```

### Use an Access Token

A credential can be programmatically added to the nodes at runtime.

If you do this, kubelet must be restarted on each node to pick up the new credentials.

An example shell snippet for generating a gcr.io cred file on your host machine using Access Tokens:

```sh
#!/bin/sh
set -o errexit

# desired cluster name; default is "kind"
KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:-kind}"

# create a temp file for the docker config
echo "Creating temporary docker client config directory ..."
DOCKER_CONFIG=$(mktemp -d)
export DOCKER_CONFIG
trap 'echo "Removing ${DOCKER_CONFIG}/*" && rm -rf "${DOCKER_CONFIG:?}"' EXIT

echo "Creating a temporary config.json"
# This is to force the omission of credsStore, which is automatically
# created on supported system. With credsStore missing, "docker login"
# will store the password in the config.json file.
cat <<EOF >"${DOCKER_CONFIG}/config.json"
{
 "auths": { "gcr.io": {} }
}
EOF

# login to gcr in DOCKER_CONFIG using an access token
# https://cloud.google.com/container-registry/docs/advanced-authentication#access_token
echo "Logging in to GCR in temporary docker client config directory ..."
# name the registry explicitly; without it "docker login" targets Docker Hub
gcloud auth print-access-token | \
  docker login -u oauth2accesstoken --password-stdin https://gcr.io

# setup credentials on each node
echo "Moving credentials to kind cluster name='${KIND_CLUSTER_NAME}' nodes ..."
for node in $(kind get nodes --name "${KIND_CLUSTER_NAME}"); do
  # the -oname format is kind/name (so node/name) we just want name
  node_name=${node#node/}
  # copy the config to where kubelet will look
  docker cp "${DOCKER_CONFIG}/config.json" "${node_name}:/var/lib/kubelet/config.json"
  # restart kubelet to pick up the config
  docker exec "${node_name}" systemctl restart kubelet.service
done

echo "Done!"
```
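A pre-flight check for the file that ends up at `/var/lib/kubelet/config.json`, as an added example that is not part of the kind documentation: it confirms the credential is stored inline for the registry, that no `credsStore` diverted it elsewhere, and that the file is not readable by group or other. The function names and the sample values are assumptions made for this example.

```python
import base64
import json
import os
import stat
import tempfile


def check_node_docker_config(path, registry="gcr.io"):
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:04o}: group/other can read the credential")
    with open(path, encoding="utf-8") as f:
        cfg = json.load(f)
    # With credsStore set, "docker login" keeps the secret outside config.json.
    if "credsStore" in cfg:
        problems.append("credsStore is set: secret is not stored in this file")
    auth = (cfg.get("auths", {}).get(registry) or {}).get("auth")
    if not auth:
        problems.append(f"no inline auth entry for {registry}")
        return problems
    try:
        user, _, secret = base64.b64decode(auth, validate=True).decode().partition(":")
    except ValueError:  # covers invalid base64 and invalid UTF-8
        problems.append("auth is not base64 of user:secret")
        return problems
    if not user or not secret:
        problems.append("auth decodes to an empty user or secret")
    return problems


def write_sample(cfg, mode=0o600):
    """Write a constructed sample config to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as f:
        json.dump(cfg, f)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Constructed samples; the token is a placeholder, not a real credential.
    token = base64.b64encode(b"oauth2accesstoken:PLACEHOLDER").decode()
    for cfg in ({"auths": {"gcr.io": {"auth": token}}},
                {"auths": {"gcr.io": {}}, "credsStore": "desktop"}):
        path = write_sample(cfg)
        print(check_node_docker_config(path))
        os.remove(path)
```

Run it against the host-side file before mounting or copying it; an empty list means the checks passed.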