Continuing my venture into Kubernetes I got annoyed that I had to add the imagePullSecrets to all of my pods. Turns out, there's a way to do it at the namespace level. Unfortunately it cannot be done at the cluster level.

There is two things that must be done for this to work, create the image secret and update the default service account. After this is done you should not have to add the imagePullSecrets directive in your YAML files.

Create your image pull secret

To create the image secret, there are number of documented ways here. https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/.

Add secret to the default service account

With the secret created, we need to set the image pull secret on the default service account. We do this using a patch command with kubectl.

kubectl patch serviceaccount default \
    -p "{\"imagePullSecrets\": [{\"name\": \"yourregistrykeyname\"}]}"

I highly recommend putting the above command in a shell script and checking it in to source along side your other Kubernetes related configuration and/or YAML files. This way you can change it whenever needed and you have it documented.

Conclusion

Personally I like specifying the username/password on the command line when creating or updating the image secret so I don't have them checked in to source control. As a practice you do check all of your YAML in source control? I'm of the mindset that if you do not check in your YAML, you do not deserve to use Kubernetes.