How to pass image pull secret while using 'kubectl run' command?

You can use the overrides if you specify it right. It's an array in the end, which took me a bit to figure out. The below works on Kubernetes of at least 1.6:

--overrides='{ "spec": { "template": { "spec": { "imagePullSecrets": [{"name": "your-registry-secret"}] } } } }'

For example:

kubectl run -i -t hello-world --rm --generator=run-pod/v1 \
--image=eu.gcr.io/your-registry/hello-world \
--image-pull-policy="IfNotPresent" \
--overrides='{ "spec": { "template": { "spec": { "imagePullSecrets": [{"name": "your-registry-secret"}] } } } }'

You could create the docker-registry secret as described at @MarkO'Connor's link, then add it to the default ServiceAccount. It's the SA that acts on behalf of pods, including pulling their images.

From Adding ImagePullSecrets to a service account:

$ kubectl create secret docker-registry myregistrykey --docker-username=janedoe --docker-password=●●●●●●●●●●● --docker-email=<email>
secret "myregistrykey" created

$ kubectl get serviceaccounts default -o yaml > ./sa.yaml

$ cat sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2015-08-07T22:02:39Z
  name: default
  namespace: default
  resourceVersion: "243024"
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
secrets:
- name: default-token-uudge

$ vi sa.yaml
[editor session not shown]
[delete line with key "resourceVersion"]
[add lines with "imagePullSecrets:"]

$ cat sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2015-08-07T22:02:39Z
  name: default
  namespace: default
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
secrets:
- name: default-token-uudge
imagePullSecrets:
- name: myregistrykey

$ kubectl replace serviceaccount default -f ./sa.yaml

Now, any new pods created in the current namespace will have this added to their spec:

spec:
  imagePullSecrets:
  - name: myregistrykey
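
The hand edit of sa.yaml described above can be scripted so it is repeatable and does not add the same secret twice. This is an added example, not part of the original answer or the Kubernetes documentation; the function name `add_image_pull_secret` and the script name `add_pull_secret.py` are hypothetical, and it reads `-o json` output rather than YAML so that it needs only the Python standard library.

```python
import copy
import json
import sys


def add_image_pull_secret(sa, secret_name):
    """Return a copy of a ServiceAccount manifest with secret_name attached.

    Mirrors the manual steps: drop metadata.resourceVersion, then add an
    imagePullSecrets entry. Adding an already-present name is a no-op.
    """
    if sa.get("kind") != "ServiceAccount":
        raise ValueError("expected a ServiceAccount manifest")
    out = copy.deepcopy(sa)  # never mutate the caller's object
    out.get("metadata", {}).pop("resourceVersion", None)
    refs = out.get("imagePullSecrets") or []  # key may be absent or null
    if not any(ref.get("name") == secret_name for ref in refs):
        refs.append({"name": secret_name})
    out["imagePullSecrets"] = refs
    return out


# Sample input: the sa.yaml shown above, re-expressed as JSON.
SAMPLE_SA = {
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {
        "creationTimestamp": "2015-08-07T22:02:39Z",
        "name": "default",
        "namespace": "default",
        "resourceVersion": "243024",
        "selfLink": "/api/v1/namespaces/default/serviceaccounts/default",
        "uid": "052fb0f4-3d50-11e5-b066-42010af0d7b6",
    },
    "secrets": [{"name": "default-token-uudge"}],
}

if __name__ == "__main__":
    # Usage (hypothetical script name):
    #   kubectl get serviceaccounts default -o json \
    #     | python3 add_pull_secret.py myregistrykey \
    #     | kubectl replace -f -
    name = sys.argv[1] if len(sys.argv) > 1 else "myregistrykey"
    source = SAMPLE_SA if sys.stdin.isatty() else json.load(sys.stdin)
    json.dump(add_image_pull_secret(source, name), sys.stdout, indent=2)
    print()
```

Run without piped input, it prints the patched form of the sample manifest, which matches the second `cat sa.yaml` listing.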