
Pull private OCI images into your clusters using imagePullSecrets - on Thalassa Cloud or anywhere with network access.
You’ve pushed an image to Thalassa Cloud Container Registry. Now you want your Kubernetes cluster to pull it. Good news: there’s nothing exotic about this. It’s the same imagePullSecrets flow you’d use with any private registry - Docker Hub, ECR, whatever you’ve worked with before.
This post walks you through it step by step, from credentials to a running pod. If you want the full reference, the Kubernetes guide has that covered. Think of this as the short version you can follow along with.
Make sure you have these three things ready:
- docker login, and at least one tagged image.
- containerRegistry:pull or containerRegistry scope, or IAM pull permission). The Access control docs explain how to set this up with least privilege.

Your image URL follows this pattern:
```
registry.nl-01.thalassa.cloud/acme-platform/my-app:v1.0.0
```
That’s {registry-host}/{namespace}/{repository}:{tag}.
Kubernetes needs a secret to authenticate against the registry. Create one with the same credentials you’d use for docker login:
```bash
kubectl create secret docker-registry thalassa-registry \
  --docker-server=registry.nl-01.thalassa.cloud \
  --docker-username=<access-credential-key> \
  --docker-password=<access-credential-secret>
```
Now wire up your Deployment. Point at the registry image and tell Kubernetes which secret to use:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      imagePullSecrets:
        - name: thalassa-registry
      containers:
        - name: my-app
          image: registry.nl-01.thalassa.cloud/acme-platform/my-app:v1.0.0
          ports:
            - containerPort: 8080
```
That imagePullSecrets line is the important bit. Without it - and without a default on the service account - Kubernetes has no way to log in. Your pod will sit in ImagePullBackOff until you fix it.
Apply the manifest and check that pods come up:
```bash
kubectl apply -f my-app-deployment.yaml
kubectl get pods
kubectl describe pod <pod-name>
```
If something goes wrong, these are the usual suspects:
| Check | What to verify |
|---|---|
| Secret namespace | The thalassa-registry secret exists in the same namespace as the Deployment |
| Credentials | The credential has containerRegistry:pull scope or IAM pull permission |
| Image path | Path matches {registry-host}/{namespace}/{repository}:{tag} exactly |
| Network | The cluster can reach the regional registry endpoint (no firewall blocking HTTPS) |
| Tag exists | The tag was pushed successfully - confirm in the console or with docker pull locally |
kubectl describe pod is your friend here. The kubelet error message usually tells you whether it’s auth, a missing tag, or a network problem.
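
The first rows of that table can be checked offline before anything reaches the cluster. The Python below is an added example, not code from this post or from Thalassa Cloud: it rebuilds the `kubernetes.io/dockerconfigjson` Secret that `kubectl create secret docker-registry` produces, decodes it again, and checks it against the Deployment's image and namespace. The function names and the sample credential values are assumptions, and the host comparison is a simplification of the kubelet's matching.

```python
import base64
import json

SECRET_TYPE = "kubernetes.io/dockerconfigjson"

def build_pull_secret(name, namespace, server, username, password):
    """Secret manifest equivalent to `kubectl create secret docker-registry`."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {server: {"username": username, "password": password, "auth": auth}}}
    blob = base64.b64encode(json.dumps(config).encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "type": SECRET_TYPE,
            "metadata": {"name": name, "namespace": namespace},
            "data": {".dockerconfigjson": blob}}

def decode_pull_secret(secret):
    """base64 is encoding, not encryption: whoever can read the Secret gets the password."""
    return json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))

def registry_host(image):
    """Host part of {registry-host}/{namespace}/{repository}:{tag}, or None if absent."""
    first, sep, _ = image.partition("/")
    return first if sep and ("." in first or ":" in first) else None

def check_pull_config(image, pod_namespace, pull_secret_names, secret):
    """List the problems that stop a pod from using this secret for this image.

    pull_secret_names: names from the pod's imagePullSecrets plus its service account.
    """
    problems = []
    meta = secret["metadata"]
    if meta["name"] not in pull_secret_names:
        problems.append("secret is not listed under imagePullSecrets")
    if meta["namespace"] != pod_namespace:
        problems.append("secret lives in a different namespace than the pod")
    if secret.get("type") != SECRET_TYPE:
        problems.append("secret type is not " + SECRET_TYPE)
    host = registry_host(image)
    # Simplified match: compare bare hosts, ignoring any scheme or path in the key.
    known = {k.split("://", 1)[-1].split("/", 1)[0] for k in decode_pull_secret(secret)["auths"]}
    if host is None:
        problems.append("image reference has no registry host")
    elif host not in known:
        problems.append("secret has no credentials for " + host)
    return problems

if __name__ == "__main__":
    # Constructed sample values; the credential strings are placeholders.
    secret = build_pull_secret("thalassa-registry", "default",
                               "registry.nl-01.thalassa.cloud", "example-key", "example-secret")
    image = "registry.nl-01.thalassa.cloud/acme-platform/my-app:v1.0.0"
    print(check_pull_config(image, "default", ["thalassa-registry"], secret))
    print(check_pull_config(image, "staging", ["thalassa-registry"], secret))
```

Because `decode_pull_secret` recovers the password in clear text, read access to Secrets in the namespace is equivalent to holding the registry credential, which is why a pull-only scope matters.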
Running Kubernetes on Thalassa Cloud? Container Registry keeps your images in Europe, close to your clusters.