kubernetes: initContainers does not accept imagePullSecrets

What happened: initContainers does not accept imagePullSecrets. No way to configure a secret so initContainers can connect to a private repository.

What you expected to happen: Adding an imagePullSecrets under spec should work for both container and initContainers

How to reproduce it (as minimally and precisely as possible): Have a template with both container and initContainer. Define a imagePullSecret under spec. Use a private repository where you authenticate with secret.

You will get imagePullBackoff and cannot connect to repository for your images that need to be pulled from your init containers.

Anything else we need to know?:

Environment:

Kubernetes version (use kubectl version): 1.8.11
Cloud provider or hardware configuration: Docker EE with Kubernetes, DTR (Docker Trusted Registry)
OS (e.g. from /etc/os-release): alpine
Kernel (e.g. uname -a):
Install tools:
Others:

/kind bug

About this issue

Original URL
State: closed
Created 6 years ago
Reactions: 4
Comments: 55 (21 by maintainers)

Most upvoted comments

      initContainers:
        - name: wait-for-database
          image: image-name
          command: ["/usr/local/bin/wait-for-main-controller-database.sh", "postgresql"]
          imagePullPolicy: Always
          imagePullSecrets:
            - name: regcred

ends with

error validating data: ValidationError(Deployment.spec.template.spec.initContainers[0]): unknown field "imagePullSecrets" in io.k8s.api.core.v1.Container; if you choose to ignore these errors, turn validation off with --validate=false

ghost on Sep 17, 2019

Just encountered this issue. Setting imagePullSecrets at the top level which should apply to containers and initContainers but not seeing that working. Init containers are failing to pull down the Docker image.

I think the reason why this issue breaks and then seems to magically work is if the Kubernetes worker nodes download the Docker image from the root containers then the next time initContainers runs it has the Docker image cached (no auth needed). I was able to replicate this error if the Docker image is brand new (not on any workers) and failing to auth using imagePullSecrets.

spec:
  template:
    spec:
      initContainers:
        ...
      containers:
        ...
      imagePullSecrets:
        - name: regcred

Running:

Kubernetes v1.20.7

nodesocket on Mar 23, 2022

It still does not work. :< initContainers can’t pull images from private repo. unauthorized: authentication required /reopen

Dysproz on Jul 4, 2019

I’m on v1.12.6-3+602d21b1679fa5. init containers still don’t seem to use imagePullSecrets from the spec.

aseempatni on Apr 14, 2019

seems like it is working now - I’ve got all private repos for both containers and initContainers and it works with imagePullSecrets defined in the spec block.

xanoinc on Nov 6, 2019

@Jyny: You can’t reopen an issue/PR unless you authored it or you are a collaborator.

In response to this:

Having same issue, can we reopen this? /reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot on Sep 8, 2021

      initContainers:
        - name: wait-for-database
          image: image-name
          command: ["/usr/local/bin/wait-for-main-controller-database.sh", "postgresql"]
          imagePullPolicy: Always
          imagePullSecrets:
            - name: regcred

ends with

error validating data: ValidationError(Deployment.spec.template.spec.initContainers[0]): unknown field "imagePullSecrets" in io.k8s.api.core.v1.Container; if you choose to ignore these errors, turn validation off with --validate=false

The fix is: imagePullSecrets must be specified on top level under spec.template.spec. It then is used for both the initContainers and normal containers.

dpoetzsch on Nov 22, 2020