You can configure a private container registry to store your OpenFaaS functions.
Use a private registry with Kubernetes¶
OpenFaaS Standard/for Enterprises
Private registry support is part of OpenFaaS Standard/for Enterprises.
If you try to deploy using
faas-cli deploy it will fail because the Kubernetes kubelet component will not have credentials to authorize the docker image pull request.
Once you have pushed an image to a private registry using
faas-cli push follow the instructions below to either create a pull secret that can be referenced by each function which needs it, or create a secret for the ServiceAccount in the
openfaas-fn namespace so that any functions which need it can make use of it.
If you need to troubleshoot the use of a private image then see the Kubernetes section of the troubleshooting guide.
You can set up your own private Docker registry using this tutorial: Get a TLS-enabled Docker registry in 5 minutes
Option 1 - Link an image pull secret to the namespace's ServiceAccount¶
Rather than specifying the pull secret for each function that needs it you can bind the secret to the namespace's ServiceAccount. With this option you do not need to update the
secrets: section of the
Create the image pull secret in the
openfaas-fn namespace (or equivalent):
$ kubectl create secret docker-registry my-private-repo \
If needed, pass in the
Use the following command to edit the default ServiceAccount's configuration:
$ kubectl edit serviceaccount default -n openfaas-fn
At the bottom of the manifest add:
- name: my-private-repo
Save the changes in the editor and this configuration will be applied.
The OpenFaaS controller will now deploy functions with images in private repositories without having to specify the secret in the
Set a custom ImagePullPolicy¶
Kubernetes allows you to control the conditions for when the Docker images for your functions are pulled onto a node. This is configured through an imagePullPolicy.
There are three options:
Always- pull the Docker image from the registry every time a deployment changes
IfNotPresent- only pull the image if it does not exist in the local registry cache
Never- never attempt to pull an image
By default, deployed functions will use an
Always, which ensures functions using static image tags (e.g. "latest" tags) are refreshed during an update. This behavior is configurable in
faas-netes via the
image_pull_policy environment variable.
If you're using helm you can pass a configuration flag:
helm upgrade openfaas openfaas/openfaas --install --set "functions.imagePullPolicy=IfNotPresent"
If you're using the plain YAML files then edit
gateway-dep.yml and set the following for
- name: image_pull_policy
Option 2 - use an ad-hoc image pull secret¶
This option is not recommended, but is a possibility.
To deploy your function(s) first you need to create an Image Pull Secret with the commands below.
Setup some environmental variables:
Then run this command to create the secret:
$ kubectl create secret docker-registry dockerhub \
-n openfaas-fn \
Note if not using the Docker Hub you will also need to pass
--docker-serverand the address of your remote registry.
The secret must be created in the
openfaas-fn namespace or the equivalent if you have customised this.
Create a sample function with a
faas-cli new --lang go private-fn --prefix=registry:port/repo
mv private-fn.yml stack.yml
stack.yml file and add a reference to the new secret:
Now deploy the function using
For faasd, configuration see the official handbook: Serverless For Everyone Else