Define imagePullSecrets on the default service account in kubernetes namespace

Revision history
Tags: kubernetes


I want to avoid annotating all my pods and pod template manifests with imagePullSecrets.

When imagePullSecrets hasn’t been set, the secrets of the default service account in the current namespace is used instead. If those aren’t defined either, default or no credentials are used, unless something provider specific is happening.

AFAIK, in AWS, the default service account has access to the AWS ECR based through AWS IAM.


Create a secret containing the container registry credentials in the same namespace as they will be used.

$ export NAMESPACE=myproject USERNAME=user PASSWORD='0226+1111' NAME=myproject-container-registry
$ kubectl create secret -n $NAMESPACE docker-registry --docker-server=$SERVER --docker-username=$USERNAME --docker-password="$PASSOWRD" $NAME

Patch the default service account in the same namespace with the imagePullSecrets

$ kubectl patch sa default -n $NAMESPACE -p '"imagePullSecrets": [{"name": "myproject-container-registry" }]'

The service account should now be able to authenticate itself with the remote container registry and we no longer have to specify them on each Pod or Template definition.


If you have any comments or feedback, please send me an e-mail. (stig at stigok dotcom).

Did you find any typos, incorrect information, or have something to add? Then please propose a change to this post.

Creative Commons License This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.