dhi: add guide to use in Kubernetes

LaurentGoderre · LaurentGoderre · commit 909220ff8266 · 2025-09-10T16:08:58.000-04:00
diff --git a/content/manuals/dhi/how-to/_index.md b/content/manuals/dhi/how-to/_index.md
@@ -20,6 +20,10 @@ params:
       description: Learn how to pull, run, and reference Docker Hardened Images in Dockerfiles, CI pipelines, and standard development workflows.
       icon: play_arrow
       link: /dhi/how-to/use/
+    - title: Use a Docker Hardened Image in Kubernetes
+      description: Learn how to use Docker Hardened Images in Kubernetes deployments.
+      icon: play_arrow
+      link: /dhi/how-to/k8s/
     - title: Manage Docker Hardened Images
       description: Learn how to manage your mirrored and customized Docker Hardened Images in your organization.
       icon: reorder
diff --git a/content/manuals/dhi/how-to/k8s.md b/content/manuals/dhi/how-to/k8s.md
@@ -0,0 +1,81 @@
+---
+title: Use a Docker Hardened Image in Kubernetes
+linktitle: Use an image in Kubernetes
+description: Learn how to use Docker Hardened Images in Kubernetes deployments.
+keywords: use hardened image, kubernetes, k8s
+weight: 10
+---
+
+{{< summary-bar feature_name="Docker Hardened Images" >}}
+
+## Authentication
+
+To be able to use Docker Hardened Images in Kubernetes, you need to create a 
+Kubernetes secret for pulling image from your mirror or internal registry.
+
+> [!NOTE]
+>
+> You need to create this secret in each Kubernetes namespace that uses a DHI.
+
+To use the credentials from Docker Desktop run:
+
+```
+$ kubectl create -n <kubernetes namespace> secret generic <secret name> \
+    --from-file=.dockerconfigjson=$HOME/.docker/config.json \
+    --type=kubernetes.io/dockerconfigjson
+```
+
+Alternatively, you can create the secret manually using a Personal Access Token (PAT).
+Ensure the token has at least read-only access to private repositories. For Docker Hub
+replace`<registry server>` with `docker.io`
+
+```
+$ kubectl create -n <kubernetes namespace> secret docker-registry <secret name> --docker-server=<registry server> \
+        --docker-username=<registry user> --docker-password=<access token> \
+        --docker-email=<registry email>
+```
+
+To tests the secrets use the following command:
+
+```
+kubectl apply --wait -f - <<EOF
+apiVersion: v1
+kind: Pod
+metadata:
+  name: dhi-test
+  namespace: <kubernetes namespace>
+spec:
+  containers:
+  - name: test
+    image: <your-namespace>/dhi-bash:5
+    command: [ "sh", "-c", "echo 'Hello from DHI in Kubernetes!'" ]
+  imagePullSecrets:
+  - name: <secret name>
+EOF
+```
+
+Get the status of the pod by running:
+
+```
+$ kubectl get -n <kubernetes namespace> pods/dhi-test
+```
+
+You should be getting the following result
+
+```
+NAME       READY   STATUS      RESTARTS     AGE
+dhi-test   0/1     Completed   ...          ...
+```
+
+If instead, the result is the following, there might be an issue with your secret.
+
+```
+NAME       READY   STATUS         RESTARTS   AGE
+dhi-test   0/1     ErrImagePull   0          ...
+```
+
+After a successful test, the test pod can be deleted with the following command:
+
+```
+$ kubectl delete -n <kubernetes namespace> pods/dhi-test
+```
