Follow this guide to configure your Kubernetes server with an Artifactory container registry, so that it can pull your images from a private Artifactory registry.
To integrate Artifactory with Kubernetes, you need:
An Artifactory instance with a configured Docker repository. For more information, see Set Up a Docker Repository.
A Kubernetes cluster.
To configure Kubernetes to pull containers from a private Artifactory registry:
For each relevant namespace, create a Kubernetes docker-registry secret for connecting to your Artifactory by running the following command:
kubectl create secret docker-registry regcred \
  --docker-server=<JFROG-HOSTNAME> \
  --docker-username=<JFROG-USERNAME> \
  --docker-password=<PASSWORD> \
  --docker-email=<EMAIL> \
  --namespace <NAMESPACE>
Note
Make sure to replace the placeholders with your actual user information: for security reasons, it is best to choose a dedicated user which is not your Artifactory admin and has minimal required permissions.
Variable          Description
JFROG-HOSTNAME    Your JFrog hostname URL
JFROG-USERNAME    Your JFrog account username
PASSWORD          Your secret or JFrog identity token. Note that you can edit the token scope to restrict access to Artifactory.
EMAIL             The email address associated with your JFrog account
NAMESPACE         Your Kubernetes cluster namespace
For example:
➜ ~ kubectl create secret docker-registry regcred \
  --docker-server=my-artifactory.jfrog.io \
  --docker-username=read-only \
  --docker-password=my-super-secret-pass \
  --docker-email=johndoe@example.com \
  --namespace my-app-ns
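Passing the password with --docker-password can leave it in your shell history and makes it visible in the process list while kubectl runs. The following is an added example, not part of the original guide: a shell function that builds the .dockerconfigjson payload stored by a docker-registry secret, reading the token from standard input instead. The function names and the token.txt file are assumptions, and the token is assumed to be a single line.

```shell
#!/bin/sh
# Added example (not JFrog's code): build the .dockerconfigjson payload for a
# kubernetes.io/dockerconfigjson secret without putting the token on argv.

# JSON-escape backslashes first, then double quotes, in a single-line value.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Usage: make_dockerconfigjson <registry-host> <username> <email> < token-file
# The body runs in a subshell, so variables stay local and "exit" only
# leaves the function.
make_dockerconfigjson() (
  host=$1 user=$2 email=$3
  IFS= read -r token || true          # first line of stdin is the token
  [ -n "$token" ] || { echo "no token on stdin" >&2; exit 1; }
  # "auth" is base64(username:password), the same field Docker's config.json uses
  auth=$(printf '%s:%s' "$user" "$token" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}\n' \
    "$(json_escape "$host")" "$(json_escape "$user")" \
    "$(json_escape "$token")" "$(json_escape "$email")" "$auth"
)

# Run directly: ./script.sh <host> <user> <email> < token.txt
if [ "$#" -ge 3 ]; then
  make_dockerconfigjson "$@"
fi

# Typical use with kubectl (placeholders as in the table above):
#   umask 077; tmp=$(mktemp)
#   make_dockerconfigjson '<JFROG-HOSTNAME>' '<JFROG-USERNAME>' '<EMAIL>' \
#     < token.txt > "$tmp"
#   kubectl create secret docker-registry regcred \
#     --from-file=.dockerconfigjson="$tmp" --namespace '<NAMESPACE>'
#   rm -f "$tmp"
```

The resulting secret has the same name and type as the one created above, so the imagePullSecrets steps that follow are unchanged.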
Set up Kubernetes to use the secret to pull images for your workloads. You can do this either for all the workloads in your namespace, or for each workload separately.
To set the secret as the default for your namespace (recommended), run the following command to edit your Service Account object and add your secret name to the imagePullSecrets list attribute:
Note
Make sure to replace the placeholder with your actual Kubernetes namespace.
➜ ~ kubectl edit serviceaccount default -n <NAMESPACE>
apiVersion: v1
kind: ServiceAccount
imagePullSecrets:
- name: regcred
...
To add the secret to every workload separately, add it to your object manifests and Helm charts, as in the following example:
apiVersion: apps/v1
kind: Deployment
...
spec:
  ...
  template:
    spec:
      containers:
      - image: my-artifactory.jfrog.io/default-docker-virtual/my-app:1.0.1
      imagePullSecrets:
      - name: regcred
Test your configuration by running the following command:
Note
Make sure to replace the placeholder with your actual Kubernetes namespace.
➜ ~ kubectl get pods -n <NAMESPACE>
You should get the following response:
NAME                      READY   STATUS    RESTARTS   AGE
my-app-57db67b7d5-nr8db   1/1     Running   0          5m
Amazon EKS Integration
If you are using Amazon EKS, you can use JFrog’s seamless integration with AWS AssumeRole which allows JFrog Artifactory to securely serve container images to EKS. For more information, see Empowering Kubernetes Security: JFrog’s Seamless Integration with AWS AssumeRole.
For more information about Artifactory and Kubernetes, see Kubernetes Helm Chart Repositories.