Issue with pulling images from private registry in k6-operator


I was trying to use a k6 custom image (an xk6-browser image with some certs, from my private registry) in k6-operator with the help of imagePullSecrets and imagePullPolicy, but I always get a 401 error even when I have a valid secret with correct credentials.

When I use that custom image in a sample pod YAML file it works (the image is pulled), but when I use the same custom image in the k6-operator custom resource, I’m getting a 401 unauthorized error.

Can someone please help how to resolve this?

My k6 CRD YAML file:

    - name:
    imagePullPolicy: IfNotPresent

I also have this image in my system locally, so is there a way to import a local image in k6-operator? I am using Docker Desktop on my system.

Could someone please help?


I tried to look into the initializer pod which is created when we apply the k6 custom resource and observed that there is no field for ‘imagePullSecrets’ in the pod definition at all.

I suppose that imagePullSecrets is not getting applied/implemented in the initializer pod of k6 and hence it is returning a 401.

Where should that field be ideally located?

Can someone please respond as it’s blocking my work.

Hi @Akshayini, sorry about the delay.

I’m not familiar with k6-operator, but it seems that support for imagePullSecrets was merged a few weeks ago in PR #145. So you should be able to pull images from a private registry with it. Are you using the latest v0.0.8 of k6-operator? Also, triple check that you’re using valid credentials. I think you’re specifying imagePullSecrets correctly in your example.

The k6-operator lead maintainer is currently not available, but I’ll make sure to let her know about this when she returns.


Yes, I’m making use of the latest version of k6-operator, and the credentials that I am passing in the secret are valid.

As I said earlier, if I use the same image (from the private registry) with the same secret in a sample pod definition file it works for me, but when I do the same in the k6 CRD it’s giving me a 401.

Also, once the k6 CRD is created, when I look into the k6 initializer pod YAML file I do not see the ‘imagePullSecrets’ field in the definition, so I am assuming it’s not being added/implemented and hence need your help.

Would be really helpful if I get a fix at the earliest.

Hi @Akshayini,

This feature worked before but I haven’t had the time to test the new release yet. I’ll try to see if I can check this today.
In the meantime, yes, you certainly can use a local image with k6-operator. Just specifying the image to be the local name of it should be enough if that image is present locally. The default behaviour of imagePullPolicy is described here, but with a recent build of the operator it can be specified as well.

I’ll let you know once I test the imagePullSecrets again.

Hi @olha,

Were you able to test the imagePullSecrets? Did it work?

Hi @olha,

It would be really helpful if you could give an update on this at the earliest, as I have been struggling with pulling images from a private registry for a long time now.

Hi @Akshayini,
I’ve finally checked the images: this functionality is working. My sample yaml:

    image: my-private-repo:browser
      - name: dh-secret
    imagePullPolicy: Always

dh-secret is a usual Kubernetes secret to access my private Docker Hub repo. Such a secret can be created by following this doc:

Only if this secret is absent do I get the auth error during pull:

    pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

Regarding this:

I tried to look into the initializer pod which is created when we apply the k6 custom resource and observed that there is no field for ‘imagePullSecrets’ in the pod definition at all.

That field is part of PodSpec. So to observe it in the pod, one must use this command:

    kubectl get pod k6-sample-initializer-...  -o yaml

Is that what you were doing? Could you please re-check the docs about secret creation (whether your secret was created correctly; perhaps, try to load and decode it back in CLI, etc.) and the pod spec of initializer during deployment?
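The two checks suggested in the last reply (decode the secret back, and inspect the initializer pod spec) can be scripted. This is an added example, not code from the thread or from k6-operator. It assumes the objects were exported with `kubectl get ... -o json`; the sample secret, pod and credentials below are constructed, and `check`, `make_secret` and `POD` are hypothetical names.

```python
import base64
import json

DOCKER_HUB = {"index.docker.io", "registry-1.docker.io", "docker.io"}

def normalise(host):
    """Strip scheme and path from an auths key; fold Docker Hub aliases together."""
    host = host.split("://", 1)[-1].split("/", 1)[0].lower()
    return "docker.io" if host in DOCKER_HUB else host

def registry_of(image):
    """Registry host of an image reference (Docker Hub when none is given)."""
    first, _, rest = image.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        return normalise(first)
    return "docker.io"

def check(secret, pod, image):
    """Return a list of problems; the password is never returned or printed."""
    problems = []
    name = secret["metadata"]["name"]
    refs = [s.get("name") for s in pod["spec"].get("imagePullSecrets", [])]
    if name not in refs:
        problems.append(f"pod spec does not reference {name!r} (imagePullSecrets={refs})")
    if secret["metadata"].get("namespace") != pod["metadata"].get("namespace"):
        problems.append("secret and pod are in different namespaces")
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        problems.append(f"secret type is {secret.get('type')!r}")
    try:
        decoded = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
        hosts = {normalise(k) for k in decoded["auths"]}
    except (KeyError, TypeError, ValueError):
        return problems + ["secret has no decodable .dockerconfigjson with an 'auths' map"]
    if registry_of(image) not in hosts:
        problems.append(f"no credentials for {registry_of(image)} (secret covers {sorted(hosts)})")
    return problems

def make_secret(registry, namespace="default"):
    """Constructed sample Secret, shaped like `kubectl get secret dh-secret -o json`."""
    cfg = {"auths": {registry: {"username": "demo-user", "password": "not-a-real-password"}}}
    return {"type": "kubernetes.io/dockerconfigjson",
            "metadata": {"name": "dh-secret", "namespace": namespace},
            "data": {".dockerconfigjson": base64.b64encode(json.dumps(cfg).encode()).decode()}}

# Constructed sample pod, shaped like `kubectl get pod <initializer pod> -o json`.
POD = {"metadata": {"name": "constructed-initializer-pod", "namespace": "default"},
       "spec": {"imagePullSecrets": [{"name": "dh-secret"}]}}

if __name__ == "__main__":
    print(check(make_secret("https://index.docker.io/v1/"), POD, "my-private-repo:browser"))
```

An empty list means the pod references the secret, both live in the same namespace, and the secret holds credentials for the registry the image is pulled from; it does not prove the registry accepts those credentials.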