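Unable to pull image from private registry with authentication required error

Time: 2020-01-13 15:41:24

Tags: docker kubernetes docker-registry kubernetes-pod

I have set up a private Docker registry with a self-signed certificate.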

docker run -d -p 443:5000 --restart=always --name registry -v `pwd`/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -v `pwd`/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/domain.key

domain.crt and domain.key were generated using OpenSSL.

To connect from a remote host,

cp domain.crt /etc/pki/ca-trust/source/anchors/mydockerregistry.com.crt
update-ca-trust
systemctl daemon-reload
systemctl restart docker

After this, I am able to log in from the remote host

docker login mydockerregistry.com --username=test
password: test

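I am able to push/pull images to this registry, and it succeeds.

Similarly, I tried to deploy the image in a Kubernetes cluster. I created a secret for the registry with the username and password.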

kubectl create secret docker-registry my-registry --docker-server=mydockerregistry.com --docker-username=test --docker-password=test --docker-email=abc.com

Also, I completed the self-signed certificate steps for the Docker registry on the worker nodes,

cp domain.crt /etc/pki/ca-trust/source/anchors/mydockerregistry.com.crt
update-ca-trust
systemctl daemon-reload
systemctl restart docker

I gave the name in imagePullSecrets in the deployment.yaml file. I am trying to create a POD in a Kubernetes cluster (Calico network), but it fails to pull the image.

deployment.yaml

apiVersion: apps/v1beta2
kind: Deployment
metadata:
  name: test-image
  labels:
    app: test-image
    chart: test-image
spec:
  containers:
    - name: {{ .Chart.Name }}
      image: "mydockerregistry.com/test-image:latest"
      imagePullPolicy: Always
  imagePullSecrets:
    - name: my-registry

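Warning  Failed  45s (x2 over 59s)  kubelet, kube-worker-02  Failed to pull image "mydockerregistry.com/test-image:latest": rpc error: code = Unknown desc = unauthorized: authentication required
Warning  Failed  45s (x2 over 59s)  kubelet, kube-worker-02  Error: ErrImagePull

I checked the Docker registry logs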

time="2020-01-13T14:58:05.269921112Z" level=error msg="error authenticating user \"\": authentication failure" go.version=go1.11.2 http.request.host=mydockerregistry.com http.request.id=02fcccff-9a30-443c-8a00-48bcacb90e99 http.request.method=GET http.request.remoteaddr="10.76.112.148:35454" http.request.uri="/v2/test-image/manifests/latest" http.request.useragent="docker/1.13.1 go/go1.10.8 kernel/3.10.0-957.21.3.el7.x86_64 os/linux arch/amd64 UpstreamClient(Go-http-client/1.1)" vars.name=test-image vars.reference=latest

time="2020-01-13T14:58:05.269987492Z" level=warning msg="error authorizing context: basic authentication challenge for realm \"Registry Realm\": authentication failure" go.version=go1.11.2 http.request.host=mydockerregistry.com http.request.id=02fcccff-9a30-443c-8a00-48bcacb90e99 http.request.method=GET http.request.remoteaddr="10.76.112.148:35454" http.request.uri="/v2/ca-config-calc/manifests/latest" http.request.useragent="docker/1.13.1 go/go1.10.8 kernel/3.10.0-957.21.3.el7.x86_64 os/linux arch/amd64 UpstreamClient(Go-http-client/1.1)" vars.name=test-image vars.reference=latest

I am able to docker login to myregistrydomain and pull the image from the worker node.

Is anything missing in the configuration?

2 answers:

Answer 0: (score: 0)

You have a typo in the registry name in your create secret command.

kubectl create secret docker-registry my-registry --docker-server=myregistryregistry.com --docker-username=test --docker-password=test --docker-email=abc.com

Change myregistryregistry.com to mydockerregistry.com
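
A way to check for the mismatch described in the answer above, as an added example that is not part of the original question or answers: it decodes the `.dockerconfigjson` of a docker-registry Secret and verifies that one of its `auths` entries covers the registry host of the image. The function names and the `make_secret` sample builder are assumptions made for illustration; the sample Secrets are constructed, not taken from a cluster.

```python
import base64
import json

def registry_host(image):
    """Registry host of an image reference, using Docker's rule: the first path
    component is a host only if it contains '.' or ':' or equals 'localhost'."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"

def normalize(server):
    """Reduce an 'auths' key such as 'https://host/v2/' to a bare host[:port]."""
    server = server.lower()
    for scheme in ("https://", "http://"):
        if server.startswith(scheme):
            server = server[len(scheme):]
    return server.split("/", 1)[0]

def secret_servers(secret):
    """Map each normalized registry host in a dockerconfigjson Secret to its username."""
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    servers = {}
    for server, entry in json.loads(raw).get("auths", {}).items():
        user = entry.get("username", "")
        if not user and entry.get("auth"):
            user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
        servers[normalize(server)] = user
    return servers

def check_pull_secret(image, secret):
    """Return (ok, message): does the Secret hold credentials for the image's registry?"""
    host = registry_host(image)
    servers = secret_servers(secret)
    if host not in servers:
        return False, f"no credentials for {host}; secret covers {sorted(servers)}"
    if not servers[host]:
        return False, f"entry for {host} has an empty username"
    return True, f"{host} matched, user {servers[host]!r}"

def make_secret(server, user, password):
    """Constructed sample in the shape 'kubectl create secret docker-registry' produces."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    cfg = {"auths": {server: {"username": user, "password": password, "auth": auth}}}
    return {"type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": base64.b64encode(json.dumps(cfg).encode()).decode()}}

IMAGE = "mydockerregistry.com/test-image:latest"
if __name__ == "__main__":
    for server in ("myregistryregistry.com", "mydockerregistry.com"):
        print(server, "->", check_pull_secret(IMAGE, make_secret(server, "test", "test")))
```

Against a real cluster, pass `check_pull_secret` the parsed output of `kubectl get secret my-registry -o json`. When no `auths` entry matches the image's registry host, the kubelet has no credentials to send, which is consistent with the empty user `""` in the registry log.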

Answer 1: (score: 0)

I was able to successfully pull images from a secured private Docker registry into Kubernetes using this link.