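ImagePullBackOff unauthorized: authentication required

Time: 2019-06-17 20:35:52

Tags: azure docker kubernetes

I've gone through all the motions and am running into a common problem. Unfortunately, none of the solutions I've tried from GitHub and SO have worked. Here is the error: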


-Created service principal

Warning  Failed     4m (x4 over 5m)    kubelet, aks-agentpool-97052351-0  Failed to pull image "ussmicroserviceregistry.azurecr.io/simpledotnetapi_simpledotnetapi": [rpc error: code = Unknown desc = Error response from daemon: Get https://ussmicroserviceregistry.azurecr.io/v2/simpledotnetapi_simpledotnetapi/manifests/latest: unauthorized: authentication required, rpc error: code = Unknown desc = Error response from daemon: Get https://ussmicroserviceregistry.azurecr.io/v2/simpledotnetapi_simpledotnetapi/manifests/latest: unauthorized: authentication required, rpc error: code = Unknown desc = Error response from daemon: Get https://ussmicroserviceregistry.azurecr.io/v2/simpledotnetapi_simpledotnetapi/manifests/latest: unauthorized: authentication required]

-Created secret for Kube

az ad sp create-for-rbac 
  --scopes /subscriptions/11870e73-bdb2-47b0-bf27-25d24c41ae24/resourcegroups/USS-MicroService-Test/providers/Microsoft.ContainerRegistry/registries/UssMicroServiceRegistry
  --role Reader 
  --name kimage-reader

-kubectl create secret docker-registry kimagereadersecret --docker-server ussmicroserviceregistry.azurecr.io --docker-email coreyp@united-systems.com --docker-username=kimage-reader --docker-password 4b37b896-a04e-48b4-a950-5f1abdd3e7aa

kubectl.exe describe pod simpledotnetapi-deployment-6fbf97df55-2hg2m

Name:               simpledotnetapi-deployment-6fbf97df55-2hg2m
Namespace:          default
Priority:           0
PriorityClassName:  <none>
Node:               aks-agentpool-97052351-0/10.240.0.4
Start Time:         Mon, 17 Jun 2019 15:22:30 -0500
Labels:             app=simpledotnetapi-pod
                    pod-template-hash=6fbf97df55
Annotations:        <none>
Status:             Pending
IP:                 10.240.0.26
Controlled By:      ReplicaSet/simpledotnetapi-deployment-6fbf97df55
Containers:
  simpledotnetapi-simpledotnetapi:
    Container ID:
    Image:          ussmicroserviceregistry.azurecr.io/simpledotnetapi_simpledotnetapi
    Image ID:
    Port:           5000/TCP
    Host Port:      0/TCP
    State:          Waiting
      Reason:       ImagePullBackOff
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-hj9b5 (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  default-token-hj9b5:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-hj9b5
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type     Reason     Age                From                               Message
  ----     ------     ----               ----                               -------
  Normal   Scheduled  5m                 default-scheduler                  Successfully assigned default/simpledotnetapi-deployment-6fbf97df55-2hg2m to aks-agentpool-97052351-0
  Normal   BackOff    4m (x6 over 5m)    kubelet, aks-agentpool-97052351-0  Back-off pulling image "ussmicroserviceregistry.azurecr.io/simpledotnetapi_simpledotnetapi"
  Normal   Pulling    4m (x4 over 5m)    kubelet, aks-agentpool-97052351-0  pulling image "ussmicroserviceregistry.azurecr.io/simpledotnetapi_simpledotnetapi"
  Warning  Failed     4m (x4 over 5m)    kubelet, aks-agentpool-97052351-0  Failed to pull image "ussmicroserviceregistry.azurecr.io/simpledotnetapi_simpledotnetapi": [rpc error: code = Unknown desc = Error response from daemon: Get https://ussmicroserviceregistry.azurecr.io/v2/simpledotnetapi_simpledotnetapi/manifests/latest: unauthorized: authentication required, rpc error: code = Unknown desc = Error response from daemon: Get https://ussmicroserviceregistry.azurecr.io/v2/simpledotnetapi_simpledotnetapi/manifests/latest: unauthorized: authentication required, rpc error: code = Unknown desc = Error response from daemon: Get https://ussmicroserviceregistry.azurecr.io/v2/simpledotnetapi_simpledotnetapi/manifests/latest: unauthorized: authentication required]
  Warning  Failed     4m (x4 over 5m)    kubelet, aks-agentpool-97052351-0  Error: ErrImagePull
  Warning  Failed     24s (x22 over 5m)  kubelet, aks-agentpool-97052351-0  Error: ImagePullBackOff

kubectl.exe get pod simpledotnetapi-deployment-6fbf97df55-2hg2m -o yaml

-yaml config file

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: 2019-06-17T20:22:30Z
  generateName: simpledotnetapi-deployment-6fbf97df55-
  labels:
    app: simpledotnetapi-pod
    pod-template-hash: 6fbf97df55
  name: simpledotnetapi-deployment-6fbf97df55-2hg2m
  namespace: default
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: simpledotnetapi-deployment-6fbf97df55
    uid: a99e4ac8-8ec3-11e9-9bf8-86d46846735e
  resourceVersion: "813190"
  selfLink: /api/v1/namespaces/default/pods/simpledotnetapi-deployment-6fbf97df55-2hg2m
  uid: a1c220a2-913d-11e9-801a-c6aef815c06a
spec:
  containers:
  - image: ussmicroserviceregistry.azurecr.io/simpledotnetapi_simpledotnetapi
    imagePullPolicy: Always
    name: simpledotnetapi-simpledotnetapi
    ports:
    - containerPort: 5000
      protocol: TCP
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-hj9b5
      readOnly: true
  dnsPolicy: ClusterFirst
  imagePullSecrets:
  - name: kimagereadersecret
  nodeName: aks-agentpool-97052351-0
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: default-token-hj9b5
    secret:
      defaultMode: 420
      secretName: default-token-hj9b5
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: 2019-06-17T20:22:30Z
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: 2019-06-17T20:22:30Z
    message: 'containers with unready status: [simpledotnetapi_simpledotnetapi]'
    reason: ContainersNotReady
    status: "False"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: 2019-06-17T20:22:30Z
    message: 'containers with unready status: [simpledotnetapi_simpledotnetapi]'
    reason: ContainersNotReady
    status: "False"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: 2019-06-17T20:22:30Z
    status: "True"
    type: PodScheduled
  containerStatuses:
  - image: ussmicroserviceregistry.azurecr.io/simpledotnetapi_simpledotnetapi
    imageID: ""
    lastState: {}
    name: simpledotnetapi-simpledotnetapi
    ready: false
    restartCount: 0
    state:
      waiting:
        message: Back-off pulling image "ussmicroserviceregistry.azurecr.io/simpledotnetapi-simpledotnetapi"
        reason: ImagePullBackOff
  hostIP: 10.240.0.4
  phase: Pending
  podIP: 10.240.0.26
  qosClass: BestEffort
  startTime: 2019-06-17T20:22:30Z

-Output of kubectl get secret kimagereadersecret

apiVersion: apps/v1
kind: Deployment
metadata:
    name: simpledotnetapi-deployment
spec:
    replicas: 3
    selector:
        matchLabels:
            app: simpledotnetapi-pod
    template:
        metadata:
            labels:
                app: simpledotnetapi-pod
        spec:
            imagePullSecrets:
              - name: kimagereadersecret
            containers:
              - name: simpledotnetapi_simpledotnetapi
                image: ussmicroserviceregistry.azurecr.io/simpledotnetapi-simpledotnetapi
                ports:
                  - containerPort: 5000
---
apiVersion: v1
kind: Service
metadata:
    name: simpledotnetapi-service
spec:
    type: LoadBalancer
    ports:
    - port: 80
    selector:
       app: simpledotnetapi
       type: front-end

-Credentials/secret from Kube dashboard

NAME                 TYPE                             DATA      AGE
kimagereadersecret   kubernetes.io/dockerconfigjson   1         1h

-Full dump from Kube dashboard

{
  "kind": "Secret",
  "apiVersion": "v1",
  "metadata": {
    "name": "kimagereadersecret",
    "namespace": "default",
    "selfLink": "/api/v1/namespaces/default/secrets/kimagereadersecret",
    "uid": "86006aff-9156-11e9-801a-c6aef815c06a",
    "resourceVersion": "830006",
    "creationTimestamp": "2019-06-17T23:20:41Z"
  },
  "data": {
    ".dockerconfigjson": "eyJhdXRocyI6eyJ1c3NtaWNyb3NlcnZpY2VyZWdpc3RyeS5henVyZWNyLmlvIjp7InVzZXJuYW1lIjoiMzNjYjBjZTQtOTVmMC00NGJkLWJiYmYtNTZkNTA2ZmY0ZWIzIiwicGFzc3dvcmQiOiI0YjM3Yjg5Ni1hMDRlLTQ4YjQtYTk1MC01ZjFhYmRkM2U3YWEiLCJlbWFpbCI6ImNvcmV5cEB1bml0ZWQtc3lzdGVtcy5jb20iLCJhdXRoIjoiTXpOallqQmpaVFF0T1RWbU1DMDBOR0prTFdKaVltWXROVFprTlRBMlptWTBaV0l6T2pSaU16ZGlPRGsyTFdFd05HVXRORGhpTkMxaE9UVXdMVFZtTVdGaVpHUXpaVGRoWVE9PSJ9fX0="
  },
  "type": "kubernetes.io/dockerconfigjson"
}

The entire project is on GitHub @ https://github.com/coreyperkins/KubeSimpleDotNetApi

-ACR screenshot

-Failed Pod in Kube

3 Answers:

Answer 0 (score: 1)

I'm pretty sure you didn't give it enough permissions:

az ad sp create-for-rbac 
  --scopes /subscriptions/11870e73-bdb2-47b0-bf27-25d24c41ae24/resourcegroups/USS-MicroService-Test/providers/Microsoft.ContainerRegistry/registries/UssMicroServiceRegistry
  --role Reader 
  --name kimage-reader

The role should be acrpull, not Reader. And delete the secret `kimagereadersecret` and the reference to it in the pod. Kubernetes will handle that for you.

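Answer 1 (score: 0)

It looks like you might be missing kimagereadersecret in your Kubernetes cluster. As I understand it, az ad sp create-for-rbac just creates access to the Azure resource, but how does k8s know which credentials to use to pull from the registry? You can create the registry secret by following this. You can check whether it exists with: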

$ kubectl get secret kimagereadersecret

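In your case, it's probably either not using any credentials by default, or using whatever you have configured for Docker that doesn't have access to ussmicroserviceregistry.azurecr.io/simpledotnetapi-simpledotnetapi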

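Answer 2 (score: 0)

For your issue, maybe it's just a mistake on your part. Everything you did is fine. Only in the deployment, you need to change the image to include the tag, like this: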

image: ussmicroserviceregistry.azurecr.io/simpledotnetapi-simpledotnetapi:tag

Set the tag to the same one you set in ACR. Then it will work. If no tag is set, it will use the default tag latest, and that may not be correct.
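Added example (not part of the original question or answers): a Python check that combines the points in answers 1 and 2 by resolving an image reference to the manifest URL the kubelet requests and verifying that a `kubernetes.io/dockerconfigjson` Secret carries a well-formed credential for that registry host. The registry name, credentials and the helper names `parse_image`, `manifest_url`, `make_secret` and `check_pull_secret` are constructed for illustration; references without an explicit registry host and digest references are out of scope.

```python
import base64
import json

def parse_image(ref):
    """Split 'host/repo[:tag]' into (registry, repository, tag).
    A missing tag resolves to 'latest'."""
    registry, sep, rest = ref.partition("/")
    if not sep or not ("." in registry or ":" in registry):
        raise ValueError("reference has no explicit registry host")
    repo, colon, tag = rest.rpartition(":")
    if not colon:
        repo, tag = rest, "latest"
    return registry, repo, tag

def manifest_url(ref):
    """URL of the manifest request that shows up in the kubelet's pull error."""
    registry, repo, tag = parse_image(ref)
    return f"https://{registry}/v2/{repo}/manifests/{tag}"

def make_secret(server, username, password):
    """Constructed stand-in for a Secret made by `kubectl create secret docker-registry`."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    cfg = {"auths": {server: {"username": username, "password": password, "auth": auth}}}
    return {"type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": base64.b64encode(json.dumps(cfg).encode()).decode()}}

def check_pull_secret(secret, image):
    """Return the problems that stop this Secret from being usable for pulling image."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return ["secret type is not kubernetes.io/dockerconfigjson"]
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    # Normalise keys such as 'https://host/' to a bare host before matching.
    auths = {k.split("://")[-1].rstrip("/"): v for k, v in cfg.get("auths", {}).items()}
    registry = parse_image(image)[0]
    entry = auths.get(registry)
    if entry is None:
        return [f"no auths entry for {registry}"]
    pair = f"{entry.get('username', '')}:{entry.get('password', '')}"
    if entry.get("auth") != base64.b64encode(pair.encode()).decode():
        return ["auth field does not match username:password"]
    return []

# Constructed sample values; none of them come from the page.
SAMPLE = make_secret("example.azurecr.io", "00000000-0000-0000-0000-000000000000", "not-a-real-password")

if __name__ == "__main__":
    for image in ("example.azurecr.io/app_api", "example.azurecr.io/app-api:v1", "other.azurecr.io/app_api"):
        print(manifest_url(image), check_pull_secret(SAMPLE, image) or "secret matches registry")
```

An empty result only shows that the Secret is well-formed and targets the right host; the registry can still answer `unauthorized` if the principal lacks pull rights on it or the resolved repository and tag do not exist.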