I have a GKE cluster that uses an AWS ECR repo to pull docker images. These are the steps I followed.
Create a secret using this command
# cat > /tmp/image-pull-secret.yaml << EOF
apiVersion: v1
kind: Secret
metadata:
  name: myregistrykey
data:
  .dockerconfigjson: $(aws ecr get-authorization-token --output json | jq -n 'input.authorizationData | {auths: (reduce .[] as $d ({}; . + {($d.proxyEndpoint|sub("https?://";"")): {auth:$d.authorizationToken}}))}' | (base64 -w0 2>/dev/null || base64) )
type: kubernetes.io/dockerconfigjson
EOF
# kubectl apply -f /tmp/image-pull-secret.yaml
Create the deployment, but I get an error
# cat abc_deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: abc-deployment
  labels:
    app: abc
    env: development
spec:
  replicas: 3
  selector:
    matchLabels:
      app: abc
      env: development
  template:
    metadata:
      labels:
        app: abc
        env: development
    spec:
      containers:
      - name: abc
        image: 34235354354.dkr.ecr.us-east-1.amazonaws.com/dev-abc:1.1.1
        ports:
        - containerPort: 8080
      imagePullSecrets:
      - name: myregistrykey
I get this error:
Normal Pulling 1m (x2 over 1m) kubelet, gke-puppy-default-pool-e701eb52-6gdp pulling image "34235354354.dkr.ecr.us-east-1.amazonaws.com/dev-abc:1.1.1"
Warning Failed 1m (x2 over 1m) kubelet, gke-puppy-default-pool-e701eb52-6gdp Failed to pull image "34235354354.dkr.ecr.us-east-1.amazonaws.com/dev-abc:1.1.1": rpc error: code = Unknown desc = unauthorized: authentication required
Warning Failed 1m (x2 over 1m) kubelet, gke-puppy-default-pool-e701eb52-6gdp Error: ErrImagePull
Normal BackOff 1m (x6 over 1m) kubelet, gke-puppy-default-pool-e701eb52-6gdp Back-off pulling image "34235354354.dkr.ecr.us-east-1.amazonaws.com/dev-abc:1.1.1"
Warning Failed 1m (x6 over 1m) kubelet, gke-puppy-default-pool-e701eb52-6gdp Error: ImagePullBackOff
How can we resolve this error?
Answer 0: (score: 0)
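Technically, the approach of putting the docker auth token into an imagePullSecret should work - this is also what the Kubernetes documentation on integrating a private registry suggests.
The problem is that the docker auth token for ECR is only valid for 12 hours. Maybe the authentication error only occurred after that period?
What you can do is create a CronJob that refreshes the docker auth token and recreates the imagePullSecret (you can find more about this here, here or {{ 3}}).
There are also pre-built docker images for this purpose, such as here or ecr-kube-helper.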
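
The refresh step such a CronJob would run, as an added example (not code from the original post or from any of the linked projects): it derives the registry host and region from the image reference in the question and rebuilds myregistrykey from a fresh token. The function names, the --apply switch and the IMAGE/SECRET_NAME variables are assumptions; the job's container is assumed to have aws, kubectl, AWS credentials and permission to update that secret.

```shell
#!/bin/sh
# Added example: the refresh step a CronJob container could run.
# IMAGE and SECRET_NAME defaults are taken from the question; the function
# names and the --apply switch are assumptions made for this sketch.
IMAGE="${IMAGE:-34235354354.dkr.ecr.us-east-1.amazonaws.com/dev-abc:1.1.1}"
SECRET_NAME="${SECRET_NAME:-myregistrykey}"

# Registry host = everything before the first "/" of the image reference.
# It must equal the key under "auths", or the kubelet sends no credentials.
registry_host() {
    printf '%s' "${1%%/*}"
}

# ECR hosts have the form <account>.dkr.ecr.<region>.amazonaws.com.
registry_region() {
    rest=${1#*.dkr.ecr.}
    printf '%s' "${rest%%.*}"
}

# Build the .dockerconfigjson payload. ECR's registry user is "AWS" and
# the "auth" field is base64("AWS:<password>").
dockerconfig_json() {   # $1 = registry host, $2 = password
    auth=$(printf 'AWS:%s' "$2" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"auth":"%s"}}}' "$1" "$auth"
}

refresh_secret() {
    host=$(registry_host "$IMAGE")
    region=$(registry_region "$host")
    password=$(aws ecr get-login-password --region "$region") || return 1
    # Render the Secret client-side and apply it through a pipe, so the
    # token is never written to a file such as /tmp/image-pull-secret.yaml.
    dockerconfig_json "$host" "$password" |
        kubectl create secret generic "$SECRET_NAME" \
            --type=kubernetes.io/dockerconfigjson \
            --from-file=.dockerconfigjson=/dev/stdin \
            --dry-run=client -o yaml |
        kubectl apply -f -
}

# Only touch AWS and the cluster when asked to, e.g. from the CronJob command.
if [ "${1:-}" = "--apply" ]; then
    refresh_secret
fi
```

Schedule the job more often than every 12 hours so that a pod never starts with an expired token.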