Pull an Image From a Private Registry

Pull environment images from a private registry by passing an imagePullSecret to fission environment create with –imagepullsecret.

With 1.7.0+, you can specify which credential to use for kubelet to pull images from the private registry.

First, you need to follow the kubernetes guide to create the secret.

The secret must be created in the namespace where the function pods run. By default this is the namespace where your Fission resources live (for example, default); confirm with kubectl get pods -l environmentName=<env> to see where the pods are scheduled.

Then, specify the secret when creating the environment.

For example, if we want to create a nodejs environment and use secret docker-secret as credential.

$ fission environment create --name nodejs --image ghcr.io/fission/node-env \
    --imagepullsecret "docker-secret"

You should see imagePullSecrets in the environment deployment like following.

$ kubectl -n fission-function get deploy -l environmentName=nodejs -o yaml

apiVersion: v1
items:
- apiVersion: extensions/v1beta1
  kind: Deployment
  metadata:
    name: poolmgr-nodejs-default-217063
    namespace: fission-function
    ...
  spec:
    ...
    template:
      ...
      spec:
        ...
        imagePullSecrets:
        - name: docker-secret

Fission won’t check if a secret exists nor examining whether the secret setting works as expected.
You have to check the pod status to ensure everything works as expected.

Last modified June 6, 2026: SEO + LLM-friendliness: JSON-LD, llms.txt, descriptions, robots, titles (#289) (6cead82)