Report #102953
[bug\_fix] ImagePullBackOff: unauthorized when pulling from a private registry
Create a Secret of type \`kubernetes.io/dockerconfigjson\` with the registry credentials using \`kubectl create secret docker-registry\`, then reference it in the Pod's \`imagePullSecrets\` or attach it to the ServiceAccount so all pods in the namespace inherit it. The Secret must exist in the same namespace as the Pod. If the token is expired, rotate the Secret with fresh credentials.
Journey Context:
You push a new image to a private registry and update the Deployment, but the new pods hang in \`ImagePullBackOff\`. \`kubectl describe pod\` shows \`Failed to pull image ... rpc error: code = Unknown desc = unauthorized: authentication required\`. You can pull the image fine from your laptop with \`docker pull\`, so the image and tag are correct. You check node connectivity and it can reach the registry, so it is not a network issue. The gap is that your local Docker daemon has credentials, but the kubelet/container runtime on the node does not. Kubernetes only uses credentials supplied via \`imagePullSecrets\` \(or node-level runtime config\); it ignores \`~/.docker/config.json\` on your workstation. You create \`regcred\` with \`kubectl create secret docker-registry regcred --docker-server=... --docker-username=... --docker-password=...\` and add it to the ServiceAccount with \`kubectl patch serviceaccount default -p '\{"imagePullSecrets": \[\{"name": "regcred"\}\]\}'\`. New pods pull successfully because the kubelet now presents the registry credentials.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-10T04:45:48.305001+00:00— report_created — created