Skip to content

Private Registries

Private registries

You can configure a private container registry to store your OpenFaaS functions.

Use a private registry with Kubernetes

OpenFaaS Standard/for Enterprises

Private registry support is part of OpenFaaS Standard/for Enterprises.

If you are using a hosted private Docker registry (Docker Hub, or other), in order to check how to configure it, please visit the Kubernetes documentation.

If you try to deploy using faas-cli deploy it will fail because the Kubernetes kubelet component will not have credentials to authorize the docker image pull request.

Once you have pushed an image to a private registry using faas-cli push follow the instructions below to either create a pull secret that can be referenced by each function which needs it, or create a secret for the ServiceAccount in the openfaas-fn namespace so that any functions which need it can make use of it.

If you need to troubleshoot the use of a private image then see the Kubernetes section of the troubleshooting guide.

You can set up your own private Docker registry using this tutorial: Get a TLS-enabled Docker registry in 5 minutes

Rather than specifying the pull secret for each function that needs it you can bind the secret to the namespace's ServiceAccount. With this option you do not need to update the secrets: section of the stack.yml file.

Create the image pull secret in the openfaas-fn namespace (or equivalent):

$ kubectl create secret docker-registry docker-hub-creds \
    --docker-username=$DOCKER_USERNAME \
    --docker-password=$DOCKER_PASSWORD \
    --docker-email=$DOCKER_EMAIL \
    --namespace openfaas-fn

If you're not using the Docker Hub, then pass in the --docker-server flag, i.e.

Use the following command to edit the default ServiceAccount's configuration, and to add the imagePullSecret:

kubectl patch serviceaccount -n openfaas-fn default -p '{"imagePullSecrets": [{"name": "docker-hub-creds"}]}'

Alternatively, you can edit the list of pull secrets manually:

$ kubectl edit serviceaccount default -n openfaas-fn

At the bottom of the manifest add:

- name: docker-hub-creds

Save the changes in the editor and this configuration will be applied.

The OpenFaaS controller will now deploy functions with images in private repositories without having to specify the secret in the stack.yml file.

If you need to deploy from multiple private container registries, repeat the steps above, then include each secret in the list of imagePullSecrets.

Set a custom ImagePullPolicy

Kubernetes allows you to control the conditions for when the Docker images for your functions are pulled onto a node. This is configured through an imagePullPolicy.

There are three options:

  • Always - pull the Docker image from the registry every time a deployment changes
  • IfNotPresent - only pull the image if it does not exist in the local registry cache
  • Never - never attempt to pull an image

By default, deployed functions will use an imagePullPolicy of Always, which ensures functions using static image tags (e.g. "latest" tags) are refreshed during an update. This behavior is configurable in faas-netes via the image_pull_policy environment variable.

If you're using helm you can pass a configuration flag:

helm upgrade openfaas openfaas/openfaas --install --set "functions.imagePullPolicy=IfNotPresent"

If you're using the plain YAML files then edit gateway-dep.yml and set the following for faas-netes:

  - name: image_pull_policy
    value: "IfNotPresent"

Option 2 - use an ad-hoc image pull secret

This option is not recommended, but is a possibility.

To deploy your function(s) first you need to create an Image Pull Secret with the commands below.

Setup some environmental variables:

export DOCKER_USERNAME=<your_docker_username>
export DOCKER_PASSWORD=<your_docker_password>
export DOCKER_EMAIL=<your_docker_email>

Then run this command to create the secret:

$ kubectl create secret docker-registry dockerhub \
    -n openfaas-fn \
    --docker-username=$DOCKER_USERNAME \
    --docker-password=$DOCKER_PASSWORD \

Note if not using the Docker Hub you will also need to pass --docker-server and the address of your remote registry.

The secret must be created in the openfaas-fn namespace or the equivalent if you have customised this.

Create a sample function with a --prefix variable:

faas-cli new --lang go private-fn --prefix=registry:port/repo
mv private-fn.yml stack.yml

Update the stack.yml file and add a reference to the new secret:

      - dockerhub

Now deploy the function using faas-cli up.


For faasd, configuration see the official handbook: Serverless For Everyone Else