
Using Container Registry with Kubernetes

This guide shows how to pull images from Thalassa Cloud Container Registry in Kubernetes workloads using imagePullSecrets.

Prerequisites

  • A namespace with at least one pushed image — see Getting started
  • A Kubernetes cluster on Thalassa Cloud or elsewhere with network access to the regional registry endpoint
  • An access credential or service account with pull access (containerRegistry:pull or containerRegistry scope, or IAM pull permission)

Step 1: Create an imagePullSecret

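Create a Kubernetes secret with the same registry credentials used for docker login. The secret is created in the current kubectl namespace, so add -n <namespace> if the workload runs elsewhere; it must live in the same namespace as the pods that use it: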

kubectl create secret docker-registry thalassa-registry \
  --docker-server=registry.nl-01.thalassa.cloud \
  --docker-username=<access-credential-key> \
  --docker-password=<access-credential-secret>

Replace registry.nl-01.thalassa.cloud with your namespace’s regional hostname.

For production, use a dedicated service account with pull-only scope. See Access control for least-privilege guidance.

Step 2: Reference the image in a Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      imagePullSecrets:
        - name: thalassa-registry
      containers:
        - name: my-app
          image: registry.nl-01.thalassa.cloud/acme-platform/my-app:v1.0.0
          ports:
            - containerPort: 8080

The imagePullSecrets field tells Kubernetes which credentials to use when pulling from the private registry.

Step 3: Apply and verify

kubectl apply -f my-app-deployment.yaml
kubectl get pods
kubectl describe pod <pod-name>

If the image pull fails, check:

  • The secret exists in the same namespace as the Deployment
  • Credentials include pull scope or IAM pull permission
  • The image path matches {registry-host}/{namespace}/{repository}:{tag}
  • The cluster can reach the regional registry endpoint
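The first and third checks above can be run offline against the JSON that `kubectl get deployment <name> -o json` and `kubectl get secrets -o json` return. The following is an added example, not part of the Thalassa Cloud documentation; the function names and sample objects are constructed for illustration. It assumes a private namespace and pull secrets listed on the pod template rather than inherited from a service account. It also confirms that a referenced secret holds a credential for the registry host in the image path.

```python
import base64
import json
import re

# Image path format from the troubleshooting list: {registry-host}/{namespace}/{repository}:{tag}
IMAGE_RE = re.compile(r"^(?P<host>[^/]+)/(?P<ns>[^/]+)/(?P<repo>[^:@]+):(?P<tag>[^:@/]+)$")

def check_pull_config(deployment, secrets):
    """Return a list of problems; inputs are parsed `kubectl get ... -o json` objects."""
    problems = []
    k8s_ns = deployment["metadata"].get("namespace", "default")
    pod_spec = deployment["spec"]["template"]["spec"]
    hosts = set()  # registry hosts the referenced secrets hold credentials for
    for ref in pod_spec.get("imagePullSecrets", []):
        secret = next((s for s in secrets
                       if s["metadata"]["name"] == ref["name"]
                       and s["metadata"].get("namespace", "default") == k8s_ns), None)
        if secret is None:
            problems.append(f"secret {ref['name']!r} not found in namespace {k8s_ns!r}")
        elif secret.get("type") != "kubernetes.io/dockerconfigjson":
            problems.append(f"secret {ref['name']!r} is not a docker-registry secret")
        else:
            cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
            hosts.update(cfg.get("auths", {}))
    for container in pod_spec["containers"]:
        m = IMAGE_RE.match(container["image"])
        if m is None:
            problems.append(f"image {container['image']!r} is not host/namespace/repository:tag")
        elif m["host"] not in hosts:
            problems.append(f"no pull credential for registry {m['host']!r}")
    return problems

def sample_secret(namespace, server):
    """Constructed Secret shaped like the output of `kubectl create secret docker-registry`."""
    cfg = {"auths": {server: {"username": "EXAMPLE-KEY", "password": "EXAMPLE-SECRET"}}}
    data = base64.b64encode(json.dumps(cfg).encode()).decode()
    return {"type": "kubernetes.io/dockerconfigjson", "data": {".dockerconfigjson": data},
            "metadata": {"name": "thalassa-registry", "namespace": namespace}}

def sample_deployment(namespace, image):
    """Constructed Deployment mirroring the Step 2 manifest."""
    return {"metadata": {"name": "my-app", "namespace": namespace},
            "spec": {"template": {"spec": {
                "imagePullSecrets": [{"name": "thalassa-registry"}],
                "containers": [{"name": "my-app", "image": image}]}}}}

if __name__ == "__main__":
    image = "registry.nl-01.thalassa.cloud/acme-platform/my-app:v1.0.0"
    print(check_pull_config(sample_deployment("prod", image),
                            [sample_secret("default", "registry.nl-01.thalassa.cloud")]))
```

Scope or IAM permission problems and network reachability are not visible in these objects; for those, read the Events section of kubectl describe pod.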

Default imagePullSecret (optional)

To avoid specifying imagePullSecrets on every pod, attach a default pull secret to the Kubernetes service account. The command below patches the default service account in the current kubectl namespace:

kubectl patch serviceaccount default \
  -p '{"imagePullSecrets": [{"name": "thalassa-registry"}]}'

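Pods created after the patch that use that service account inherit the secret automatically; pods that already exist are not changed and pick it up only when they are recreated.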

Public namespaces

If your namespace is configured as public, Kubernetes can pull images without imagePullSecrets. Keep production images in private namespaces and use authenticated pull.

See Namespace configuration for visibility settings.
