CentOS Stream 10: Use Private Registry
Set up a private container registry to store and distribute container images in a Kubernetes cluster on CentOS Stream 10.
Configure Kubernetes to pull container images from your own private registry.
This example is based on the following environment.
+----------------------+   +----------------------+
|  [ ctrl.srv.world ]  |   |  [ dlp.srv.world ]   |
|     Manager Node     |   |    Control Plane     |
+-----------+----------+   +-----------+----------+
        eth0|10.0.0.25             eth0|10.0.0.30
            |                          |
------------+--------------------------+-----------
            |                          |
        eth0|10.0.0.51             eth0|10.0.0.52
+-----------+----------+   +-----------+----------+
| [ node01.srv.world ] |   | [ node02.srv.world ] |
|    Worker Node#1     |   |    Worker Node#2     |
+----------------------+   +----------------------+
Step 1
On the node where you want to run the private registry Pod,
configure the registry with basic authentication and an HTTPS connection (with a valid certificate).
In this example, the registry Pod runs on the Manager Node.
Step 2
Add a Secret in Kubernetes.
Log in to the registry once with a user.
[cent@ctrl ~]$ podman login ctrl.srv.world:5000
Username: serverworld
Password:
Login Succeeded!
The following file is then generated.
[cent@ctrl ~]$ ll /run/user/$(id -u)/containers/auth.json
-rw-------. 1 cent cent 91 May 20 13:12 /run/user/1000/containers/auth.json
[cent@ctrl ~]$ AUTH=$(cat /run/user/$(id -u)/containers/auth.json | base64 | tr -d '\n')
[cent@ctrl ~]$ cat <<EOF > regcred.yml
apiVersion: v1
kind: Secret
data:
  .dockerconfigjson: ${AUTH}
metadata:
  name: regcred
type: kubernetes.io/dockerconfigjson
EOF
[cent@ctrl ~]$ kubectl apply -f regcred.yml
secret "regcred" created
[cent@ctrl ~]$ kubectl get secrets
NAME TYPE DATA AGE
regcred kubernetes.io/dockerconfigjson 1 5s
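The auth.json written by podman login holds an entry for every registry the user has logged in to, and Step 2 encodes the whole file into the Secret. The following added example (not part of the original page) builds the same manifest but keeps only the entry for one registry and checks that the entry is a well-formed user:password token. The function names and the sample credentials are assumptions constructed for illustration.

```python
import base64
import json

def scoped_dockerconfig(auth_json_text, registry):
    """Return a .dockerconfigjson document holding only `registry`'s entry."""
    auths = json.loads(auth_json_text).get("auths", {})
    if registry not in auths:
        raise KeyError(f"no credentials for {registry} in auth file")
    token = auths[registry].get("auth", "")
    # The "auth" value is base64("user:password"); reject empty or malformed
    # entries here instead of discovering them later as ImagePullBackOff.
    user, sep, password = base64.b64decode(token, validate=True).decode().partition(":")
    if not (user and sep and password):
        raise ValueError(f"auth entry for {registry} is not user:password")
    return json.dumps({"auths": {registry: {"auth": token}}}, separators=(",", ":"))

def secret_manifest(auth_json_text, registry, name="regcred"):
    """Render the Secret manifest; base64 here is encoding, not encryption."""
    data = base64.b64encode(scoped_dockerconfig(auth_json_text, registry).encode()).decode()
    return "\n".join([
        "apiVersion: v1",
        "kind: Secret",
        "metadata:",
        f"  name: {name}",
        "type: kubernetes.io/dockerconfigjson",
        "data:",
        f"  .dockerconfigjson: {data}",
        "",
    ])

def _token(user, password):
    # Helper for building the constructed sample below.
    return base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed sample: an auth.json after logging in to two registries.
SAMPLE_AUTH_JSON = json.dumps({"auths": {
    "ctrl.srv.world:5000": {"auth": _token("serverworld", "constructed-password")},
    "registry.example.com": {"auth": _token("other-user", "constructed-password-2")},
}})

if __name__ == "__main__":
    print(secret_manifest(SAMPLE_AUTH_JSON, "ctrl.srv.world:5000"), end="")
```

To use it against the real file, pass the contents of /run/user/$(id -u)/containers/auth.json as the first argument and write the output to a file readable only by its owner.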
Step 3
To pull images from your own private registry, specify the private image and the Secret when deploying Pods, as follows.
[cent@ctrl ~]$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
ctrl.srv.world:5000/nginx my-registry a830707172e8 4 weeks ago 197 MB
docker.io/library/nginx latest a830707172e8 4 weeks ago 197 MB
[cent@ctrl ~]$ vi private-nginx.yml
apiVersion: v1
kind: Pod
metadata:
  name: private-nginx
spec:
  containers:
  - name: private-nginx
    # image on Private Registry
    image: ctrl.srv.world:5000/nginx:my-registry
  imagePullSecrets:
  # Secret name you added
  - name: regcred
[cent@ctrl ~]$ kubectl create -f private-nginx.yml
pod "private-nginx" created
[cent@ctrl ~]$ kubectl get pods
NAME READY STATUS RESTARTS AGE
private-nginx 1/1 Running 0 5s
[cent@ctrl ~]$ kubectl describe pods private-nginx
Name: private-nginx
Namespace: default
Priority: 0
Service Account: default
Node: node01.srv.world/10.0.0.51
Start Time: Tue, 20 May 2025 13:16:29 +0900
Labels: <none>
Annotations: cni.projectcalico.org/containerID: 47baf590e146fba139f9431e35dea72e04d49323f496341ebdfcb5bc387bfd92
cni.projectcalico.org/podIP: 192.168.40.204/32
cni.projectcalico.org/podIPs: 192.168.40.204/32
Status: Running
IP: 192.168.40.204
IPs:
IP: 192.168.40.204
Containers:
private-nginx:
Container ID: cri-o://af0370323e7b99d1b09f01a2ffed2a39a3f750bd0fbbfc0ffe35f09d9ca24502
Image: ctrl.srv.world:5000/nginx:my-registry
Image ID: ctrl.srv.world:5000/nginx@sha256:82e6a071627fc52d9777dcc8696d3934969250fd219ea88906104b25165cb136
Port: <none>
Host Port: <none>
State: Running
Started: Tue, 20 May 2025 13:16:30 +0900
Ready: True
Restart Count: 0
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-f7kxn (ro)
.....
.....