Authenticated Docker Hub image pulls in Kubernetes

This page summarizes the projects mentioned and recommended in the original post on dev.to

  • imagepullsecret-patcher

    Discontinued. A simple Kubernetes client-go application that creates and patches imagePullSecrets to service accounts in all Kubernetes namespaces to allow cluster-wide authenticated access to private container registry.

  • TitanSoft's imagepullsecret-patcher is a single-binary solution to replicating and using an image pull secret across all namespaces. It is not actively maintained, but the tool is simple enough that a small team should be able to patch and maintain a fork if needed. If you want to stick to other maintained open source tools, a reasonable solution can also be put together using external secrets operator. If you are operating a cluster at scale, you may already be using this. Red Hat's patch-operator can be used to attach the imported secrets to your service accounts across all namespaces, though there are some quirks to be wary of, due to the lack of a defined patch strategy for imagePullSecrets on service accounts.

  • patch-operator

    An operator to apply patches to Kubernetes objects in a declarative way.

  • kubernetes

    Production-Grade Container Scheduling and Management

  • There is one significant issue with this approach, however: there is no declared patch strategy for imagePullSecrets on service accounts. Without this, the default behavior is to replace the list - so if you had any existing image pull secret references in your service account, these would be removed. See this Kubernetes GitHub issue from 2019 that describes the problem in more detail, and why it has not been fixed (tl;dr: specifying a patch strategy will break backwards compatibility, and there has not yet been any desire to introduce a v2 of the ServiceAccount object kind, so we're stuck with the behavior).

  • kops

    Kubernetes Operations (kOps) - Production Grade k8s Installation, Upgrades and Management

  • The general problem of patching resource definitions that are not fully under your control has also been recognized for some time. This is true of default resources created and updated by cluster maintenance tools (e.g. kOps), or by public Helm charts that you use to install common services and operators (e.g. nginx-ingress, cert-manager, and so on). High-quality charts will allow you to override the configuration of important components such as service account references, but some simpler charts offer much less configuration.
