I have a question about Kubernetes and network firewall rules. I want to protect my Kubernetes cluster with firewall rules, and I would like to know whether the workers/masters need internet access. I plan to use a private registry located on my network, but I ran into problems when the workers could not reach the internet. Here is an example:
Name:           foo
Namespace:      default
Node:           worker003/192.168.30.1
Start Time:     Mon, 23 Jan 2017 10:33:07 -0500
Labels:         <none>
Status:         Pending
IP:
Controllers:    <none>
Containers:
  foo:
    Container ID:
    Image:          registry.company.org/wop_java/app:nginx
    Image ID:
    Port:
    State:          Waiting
      Reason:       ContainerCreating
    Ready:          False
    Restart Count:  0
    Volume Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-3cg0w (ro)
    Environment Variables:  <none>
Conditions:
  Type          Status
  Initialized   True
  Ready         False
  PodScheduled  True
Volumes:
  default-token-3cg0w:
    Type:       Secret (a volume populated by a Secret)
    SecretName: default-token-3cg0w
QoS Class:      BestEffort
Tolerations:    <none>
Events:
FirstSeen LastSeen Count From SubObjectPath Type Reason Message
--------- -------- ----- ---- ------------- -------- ------ -------
5m 5m 1 {default-scheduler } Normal Scheduled Successfully assigned foo to worker003
4m 1m 4 {kubelet worker003} Warning FailedSync Error syncing pod, skipping: failed to "StartContainer" for "POD" with ErrImagePull: "image pull failed for gcr.io/google_containers/pause-amd64:3.0, this may be because there are no credentials on this request. details: (Error response from daemon: {\"message\":\"Get https://gcr.io/v1/_ping: dial tcp 74.125.192.82:443: i/o timeout\"})"
3m 3s 9 {kubelet worker003} Warning FailedSync Error syncing pod, skipping: failed to "StartContainer" for "POD" with ImagePullBackOff: "Back-off pulling image \"gcr.io/google_containers/pause-amd64:3.0\""
My question is: does Kubernetes need internet access to work? If so, where is that officially documented?
Answer 0 (score: 0)
Kubernetes does not need any internet access to run properly, as long as a private repository provides all the required containers and components. A good starting point is the Bare Metal offline provisioning guide.
Answer 1 (score: 0)
You need to pass the parameter --pod-infra-container-image to the kubelet, as documented here: https://kubernetes.io/docs/admin/kubelet/.
It defaults to gcr.io/google_containers/pause-amd64:3.0, which your machines fail to pull because gcr.io is not reachable.
You can easily transfer the pause image to a private registry:
docker pull gcr.io/google_containers/pause-amd64:3.0
docker tag gcr.io/google_containers/pause-amd64:3.0 REGISTRY.PRIVATE/google_containers/pause-amd64:3.0
docker push REGISTRY.PRIVATE/google_containers/pause-amd64:3.0
# and pass
kubelet --pod-infra-container-image=REGISTRY.PRIVATE/google_containers/pause-amd64:3.0 ...
pause is the container that is created before your containers in order to allocate and hold the network and IPC namespaces across restarts.
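As an added example (not part of the answer above), this POSIX shell script checks a list of image references, such as each container's .image from kubectl get pods -o jsonpath together with the kubelet's --pod-infra-container-image value, against the private registry from the question (an assumed default; override it with PRIVATE_REGISTRY) and prints the pull/tag/push commands needed to mirror every image that still points at an external registry. It generalizes the answer's three commands to Docker Hub references without an explicit host, which would otherwise silently reach docker.io.

```shell
#!/bin/sh
# Added example (not from the answer): report the image references of an
# offline cluster that still point at an external registry and print the
# docker pull/tag/push commands that mirror them into the private registry.
# Assumption: the private registry is the one named in the question.
PRIVATE_REGISTRY="${PRIVATE_REGISTRY:-registry.company.org}"

# registry_of IMAGE: the registry an image reference resolves to. Docker treats
# the first path component as a registry only when it contains '.' or ':' or
# is "localhost"; anything else is Docker Hub (docker.io).
registry_of() {
  case "$1" in
    */*) first="${1%%/*}" ;;
    *)   printf 'docker.io\n'; return ;;
  esac
  case "$first" in
    *.*|*:*|localhost) printf '%s\n' "$first" ;;
    *)                 printf 'docker.io\n' ;;
  esac
}

# mirror_name IMAGE: the same image re-homed under PRIVATE_REGISTRY.
mirror_name() {
  case "$(registry_of "$1")" in
    docker.io) path="$1" ;;       # keep "wop_java/app:nginx" or "nginx:1.21"
    *)         path="${1#*/}" ;;  # drop the explicit registry host
  esac
  printf '%s/%s\n' "$PRIVATE_REGISTRY" "$path"
}

# external_images FILE: references (one per line) not served by PRIVATE_REGISTRY.
external_images() {
  while IFS= read -r img; do
    [ -n "$img" ] || continue
    [ "$(registry_of "$img")" = "$PRIVATE_REGISTRY" ] || printf '%s\n' "$img"
  done < "$1"
}

# mirror_commands FILE: the pull/tag/push lines from the answer, per external image.
mirror_commands() {
  external_images "$1" | while IFS= read -r img; do
    tgt="$(mirror_name "$img")"
    printf 'docker pull %s\ndocker tag %s %s\ndocker push %s\n' "$img" "$img" "$tgt" "$tgt"
  done
}
# Constructed sample: the two images from the question plus a Docker Hub one.
SAMPLE="$(mktemp)"
printf '%s\n' registry.company.org/wop_java/app:nginx \
  gcr.io/google_containers/pause-amd64:3.0 nginx:1.21 > "$SAMPLE"
mirror_commands "$SAMPLE"
```

Run the printed commands on a host that can reach both registries, then point every node's kubelet at the mirrored pause image as the answer shows.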
Answer 2 (score: 0)
They don't need internet access, but you are not able to reach the private registry you specified. Have you looked at https://kubernetes.io/docs/user-guide/images/? It has some good options for how to access a private registry. https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ also has some details. We do specify imagePullSecrets and it works fine.