Does containerd runtime ignore imagePullSecrets?

christian2 · September 18, 2023, 11:20am

I am observing issues where my Kubernetes cluster cannot pull images from private registries any more. This may be the case since I switched its runtime from Docker to containerd. imagePullSecret tags and the corresponding secrets are still in place.

One can find descriptions that suggest that with containerd image pull credentials have to be placed in /etc/containerd/config.toml instead.

What is the latest normative documentation for this case: Should containerd (when serving as Kubernetes container runtime) be able to pick up image pull credentials from Kubernetes secrets in the “normal” way or can these not serve with that particular runtime?

Cluster information:

Kubernetes version: 1.27.1
Cloud being used: bare-metal
Installation method: kubeadm
Host OS: Debian
CNI and version: Cilium
CRI and version: containerd 1.6.21

christian2 · September 25, 2023, 7:46am

It looks by now as if the problem only occurs in conjunction with secrets that are backed by the Vault External Secrets Operator (ESO). So I suspect the root cause is “somehow” in the combination between containerd and ESO.

Topic		Replies	Views
Microk8s can't pull image from a private registry with ssl self signed certificate microk8s docs	4	7375	April 22, 2022
Getting ImagePullBackOf error while deploying the app using containerd General Discussions	2	368	July 14, 2022
Unable to retrieve pull secret for kubelet Chinese development	0	652	April 3, 2023
Using an external private secure registry with microk8s microk8s	2	5316	March 28, 2019
Kubernetes Cluster Deployment from a private docker registry General Discussions	1	1073	July 16, 2019

Does containerd runtime ignore imagePullSecrets?

Cluster information:

Related Topics