By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
You’re a DevOps engineer deploying microservices to Kubernetes. Your team builds Docker images in CI/CD, but when you try to deploy, the cluster can’t pull the image. Logs show:
Failed to pull image "myapp:v2": rpc error: code = Unknown desc = Error response from daemon: pull access denied for myapp, repository does not exist or may require 'docker login'
Why? You forgot to push the image to a registry, or you tagged it incorrectly.
Docker Hub and private registries (like AWS ECR, Google GCR, or self-hosted Harbor) are the central storage for your container images—like GitHub for code, but for Docker. If you don’t master tagging, pushing, and pulling, your deployments will fail silently, your CI/CD pipelines will break, and you’ll waste hours debugging "image not found" errors.
Real-world scenario:- You inherit a legacy app with hardcoded latest tags in Kubernetes manifests. A bad deploy overwrites the image, and now all environments are broken because latest is mutable.- Your company enforces image scanning for vulnerabilities. If you push to Docker Hub (public), you expose proprietary code. If you use a private registry, you must authenticate securely.- You’re on-call, and a production pod crashes. You need to roll back to a known-good image—but only if you tagged it properly.
latest
This guide teaches you: ✅ How to tag images for immutability (no more latest disasters).✅ How to push/pull from Docker Hub and private registries (AWS ECR, GCR, etc.).✅ How to securely authenticate without leaking credentials.✅ How to debug registry issues in Kubernetes.
nginx:1.25
nginx:latest
myapp:v1.2.3
v1.2.3
myapp:abc123
[REGISTRY/]REPO[:TAG]
[REGISTRY/]REPO[@DIGEST]
123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:v1
123456789012.dkr.ecr...
sha256:abc123...
docker login
~/.docker/config.json
docker push
docker pull
push
pull
denied: requested access to the resource is denied
pod.spec.imagePullSecrets
docker --version
Dockerfile
FROM nginx:alpine
Goal: Build an image with a semantic version tag (not latest).
bash docker build -t myapp:v1.0.0 .
-t
name:tag
. = build context (current directory).
.
Verify the tag: bash docker images | grep myapp Expected output: REPOSITORY TAG IMAGE ID CREATED SIZE myapp v1.0.0 abc123def456 2 minutes ago 23MB
bash docker images | grep myapp
REPOSITORY TAG IMAGE ID CREATED SIZE myapp v1.0.0 abc123def456 2 minutes ago 23MB
Tag the same image with multiple names (e.g., for different registries): bash docker tag myapp:v1.0.0 mydockerhubusername/myapp:v1.0.0 docker tag myapp:v1.0.0 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:v1.0.0
bash docker tag myapp:v1.0.0 mydockerhubusername/myapp:v1.0.0 docker tag myapp:v1.0.0 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:v1.0.0
This doesn’t duplicate the image—just adds aliases.
Verify all tags: bash docker images | grep myapp Expected output: myapp v1.0.0 abc123def456 5 minutes ago 23MB mydockerhubusername/myapp v1.0.0 abc123def456 5 minutes ago 23MB 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp v1.0.0 abc123def456 5 minutes ago 23MB
myapp v1.0.0 abc123def456 5 minutes ago 23MB mydockerhubusername/myapp v1.0.0 abc123def456 5 minutes ago 23MB 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp v1.0.0 abc123def456 5 minutes ago 23MB
Goal: Push an image to Docker Hub and pull it from another machine.
bash docker login
Credentials are stored in ~/.docker/config.json.
Push the image: bash docker push mydockerhubusername/myapp:v1.0.0
bash docker push mydockerhubusername/myapp:v1.0.0
If you get denied: requested access to the resource is denied, you forgot to tag with your username.
Verify on Docker Hub:
https://hub.docker.com/r/mydockerhubusername/myapp/tags
You should see v1.0.0.
v1.0.0
Pull the image from another machine: bash docker pull mydockerhubusername/myapp:v1.0.0
bash docker pull mydockerhubusername/myapp:v1.0.0
Goal: Push an image to AWS ECR and configure Kubernetes to pull it.
myapp
123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp
bash curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" unzip awscliv2.zip sudo ./aws/install
bash aws configure
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
bash aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-east-1.amazonaws.com
bash docker tag myapp:v1.0.0 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:v1.0.0
bash docker push 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:v1.0.0
imagePullSecret
bash kubectl create secret docker-registry ecr-creds \ --docker-server=123456789012.dkr.ecr.us-east-1.amazonaws.com \ --docker-username=AWS \ --docker-password=$(aws ecr get-login-password --region us-east-1) \ [email protected]
bash kubectl apply -f pod.yaml
bash kubectl get pods
myapp@sha256:abc123...
docker system prune
actions/cache
kubectl describe pod myapp
docker push myapp:v1
mydockerhubusername/myapp:v1
unauthorized
imagePullSecrets
ImagePullBackOff
Trap: Forgetting to create the secret first.
"How do you make an image immutable?"
Trap: Tags can be overwritten; digests cannot.
"You get denied: requested access to the resource is denied when pushing. What’s wrong?"
Trap: Assuming docker push myapp:v1 works without a registry.
"How do you authenticate Docker with AWS ECR?"
aws ecr get-login-password | docker login --username AWS --password-stdin <ECR_URI>
Challenge:You have a Docker image myapp:v1 built locally. Push it to both Docker Hub and AWS ECR, then deploy it to Kubernetes using imagePullSecrets.
myapp:v1
Solution:
# 1. Tag for Docker Hub docker tag myapp:v1 mydockerhubusername/myapp:v1 # 2. Push to Docker Hub docker login docker push mydockerhubusername/myapp:v1 # 3. Tag for AWS ECR docker tag myapp:v1 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:v1 # 4. Authenticate and push to ECR aws ecr get-login-password | docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-east-1.amazonaws.com docker push 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:v1 # 5. Create Kubernetes secret kubectl create secret docker-registry ecr-creds \ --docker-server=123456789012.dkr.ecr.us-east-1.amazonaws.com \ --docker-username=AWS \ --docker-password=$(aws ecr get-login-password) \ [email protected] # 6. Deploy pod kubectl apply -f - <<EOF apiVersion: v1 kind: Pod metadata: name: myapp spec: containers: - name: myapp image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:v1 imagePullSecrets: - name: ecr-creds EOF
Why it works:- Proper tagging ensures the image is pushed to the correct registry.- imagePullSecrets allows Kubernetes to authenticate with ECR.
docker build -t name:tag .
docker build -t myapp:v1 .
docker tag src:tag dst:tag
docker tag myapp:v1 mydockerhub/myapp:v1
docker push repo:tag
docker push mydockerhub/myapp:v1
docker pull repo:tag
docker pull nginx:alpine
aws ecr get-login-password \| docker login ...
kubectl create secret docker-registry ...
docker images
docker rmi image:tag
docker rmi myapp:v1
123456789012.dkr.ecr.../myapp:v1
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.