我为我的复制控制器指定了某个image pull secret,但在下载Docker镜像时似乎没有应用它:
$ ~/.local/bin/kubectl --kubeconfig=/etc/kubernetes/kube.conf get events
FIRSTSEEN LASTSEEN COUNT NAME KIND SUBOBJECT REASON SOURCE MESSAGE
8h 8s 3074 web-73na4 Pod spec.containers{web} Pulling {kubelet ip-172-31-29-110.eu-central-1.compute.internal} Pulling image "quay.io/aknuds1/realtime-music"
8h 5s 3074 web-73na4 Pod spec.containers{web} Failed {kubelet ip-172-31-29-110.eu-central-1.compute.internal} Failed to pull image "quay.io/aknuds1/realtime-music": image pull failed for quay.io/aknuds1/realtime-music, this may be because there are no credentials on this request. details: (Error: Status 403 trying to pull repository aknuds1/realtime-music: "{\"error\": \"Permission Denied\"}")
下载图像时,如何让复制控制器使用图像拉秘密“quay.io”?复制控制器规范如下所示:
{
"kind": "ReplicationController",
"apiVersion": "v1",
"metadata": {
"name": "web",
"labels": {
"app": "web"
}
},
"spec": {
"replicas": 1,
"selector": {
"app": "web"
},
"template": {
"metadata": {
"labels": {
"app": "web"
}
},
"spec": {
"containers": [
{
"name": "web",
"image": "quay.io/aknuds1/realtime-music",
"ports": [
{
"name": "http-server",
"containerPort": 80
}
]
}
],
"imagePullSecrets": [
{
"name": "quay.io"
}
]
}
}
}
}
我创建了这样的quay.io秘密:~/.local/bin/kubectl --kubeconfig=/etc/kubernetes/kube.conf create -f /tmp/image-pull-secret.yaml。 /tmp/image-pull-secret.yaml的内容基本上是这样的:
apiVersion: v1
kind: Secret
metadata:
name: quay.io
data:
.dockercfg: <base64 encoded dockercfg>
type: kubernetes.io/dockercfg
kubectl get pods web-73na4 -o yaml的输出,以响应@PaulMorie apiVersion: v1
kind: Pod
metadata:
annotations:
kubernetes.io/created-by: |
{"kind":"SerializedReference","apiVersion":"v1","reference":{"kind":"ReplicationController","namespace":"default","name":"web","uid":"e1b7a3f0-e349-11e5-a136-02420a022e02","apiVersion":"v1","resourceVersion":"31503"}}
creationTimestamp: 2016-03-06T03:16:56Z
generateName: web-
labels:
app: web
name: web-73na4
namespace: default
resourceVersion: "31516"
selfLink: /api/v1/namespaces/default/pods/web-73na4
uid: e1b89066-e349-11e5-a136-02420a022e02
spec:
containers:
- image: quay.io/aknuds1/realtime-music
imagePullPolicy: IfNotPresent
name: web
ports:
- containerPort: 80
name: http-server
protocol: TCP
resources: {}
terminationMessagePath: /dev/termination-log
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-5s7kd
readOnly: true
dnsPolicy: ClusterFirst
nodeName: ip-172-31-29-110.eu-central-1.compute.internal
restartPolicy: Always
serviceAccount: default
serviceAccountName: default
terminationGracePeriodSeconds: 30
volumes:
- name: default-token-5s7kd
secret:
secretName: default-token-5s7kd
status:
conditions:
- lastProbeTime: null
lastTransitionTime: null
status: "False"
type: Ready
containerStatuses:
- image: quay.io/aknuds1/realtime-music
imageID: ""
lastState: {}
name: web
ready: false
restartCount: 0
state:
waiting:
message: 'image pull failed for quay.io/aknuds1/realtime-music, this may be
because there are no credentials on this request. details: (Error: Status
403 trying to pull repository aknuds1/realtime-music: "{\"error\": \"Permission
Denied\"}")'
reason: PullImageError
hostIP: 172.31.29.110
phase: Pending
podIP: 10.2.2.3
startTime: 2016-03-06T03:16:56Z
答案 0 :(得分:1)
更新(这就是我使用私有图片所做的):
首先登录quay.io:
$ docker login quay.io
Username (username):
Password:
WARNING: login credentials saved in /Users/user/.docker/config.json
Login Succeeded
然后我创建了一个新文件(my-credentials.json),它只有docker在config.json文件中添加的quay.io凭据(我意识到除了quay.io之外它还有更多的凭据)。 / p>
$ cat config.json
{
"quay.io": {
"auth": "xxxxxxxxxxxxxxxxxxxxx",
"email": "user@example.com"
}
}
之后,我生成了base64:
$ cat ./my-credentials.json | base64
<base64-value>
我创建了秘密资源:
apiVersion: v1
kind: Secret
metadata:
name: myregistrykey
data:
.dockercfg: <base64-value>
type: kubernetes.io/dockercfg
$ kubectl create -f image-pull-secret.yaml
最后,我创建了pod:
{
"kind": "ReplicationController",
"apiVersion": "v1",
"metadata": {
"name": "web",
"labels": {
"app": "web"
}
},
"spec": {
"replicas": 1,
"selector": {
"app": "web"
},
"template": {
"metadata": {
"labels": {
"app": "web"
}
},
"spec": {
"containers": [
{
"name": "web",
"image": "quay.io/username/myimage",
"ports": [
{
"name": "http-server",
"containerPort": 80
}
]
}
],
"imagePullSecrets": [
{
"name": "myregistrykey"
}
]
}
}
}
}
$ kubectl create -f pod.yaml
我使用myregistrykey作为imagePullSecrets的名称而不是quay.io,但我不认为问题出在那里。
问题似乎是由于您没有创建secret来保存凭据。
请注意name部分(在您的情况下为#34; quay.io&#34;)中的imagePullSecrets键的值应与您在{{1}中指定的值相同资源。