
Kubernetes pull from insecure docker registry

I am stuck at this phase:

  1. Have a local insecure docker registry with some images in it, e.g. 192.168.1.161:5000/kafka:latest
  2. Have a Kubernetes cloud cluster, which I can access only via the ~/.kube/config file, e.g. token.

Need to deploy the deployment below, but Kubernetes cannot pull images. Error message:

Failed to pull image "192.168.1.161:5000/kafka:latest": rpc error: code = Unknown desc = Error response from daemon: Get https://192.168.1.161:5000/v2/: http: server gave HTTP response to HTTPS client

apiVersion: v1
kind: Service
metadata:
  name: kafka
  labels:
    app: kafka
spec:
  type: NodePort
  ports:
  - name: port9094
    port: 9094
    targetPort: 9094
  selector:
    app: kafka
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: kafka
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: kafka
    spec:
      hostname: kafka
      containers:
      - name: redis
        image: 192.168.1.161:5000/kafka:latest
        imagePullPolicy: Always
        # ports and envFrom are fields of the container
        ports:
        - name: port9094
          containerPort: 9094
        envFrom:
        - configMapRef:
            name: env
      # imagePullSecrets is a field of the pod spec
      imagePullSecrets:
      - name: regsec

On the Kubernetes cluster I have created secret file "regsec" with this command:

kubectl create secret docker-registry regsec  --docker-server=192.168.1.161 --docker-username=<name from config file> --docker-password=<token value from config file>

cat ~/.docker/config.json
{
        "auths": {},
        "HttpHeaders": {
                "User-Agent": "Docker-Client/18.06.0-ce (linux)"
        }
}

cat /etc/docker/daemon.json
{
      "insecure-registries":["192.168.1.161:5000"]
}

kubectl version
Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.2", GitCommit:"bb9ffb1654d4a729bb4cec18ff088eacc153c239", GitTreeState:"clean", BuildDate:"2018-08-07T23:17:28Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.3", GitCommit:"2bba0127d85d5a46ab4b778548be28623b32d0b0", GitTreeState:"clean", BuildDate:"2018-05-21T09:05:37Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}


docker version
Client:
 Version:           18.06.0-ce
 API version:       1.38
 Go version:        go1.10.3
 Git commit:        0ffa825
 Built:             Wed Jul 18 19:09:54 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.06.0-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.10.3
  Git commit:       0ffa825
  Built:            Wed Jul 18 19:07:56 2018
  OS/Arch:          linux/amd64
  Experimental:     false

I used minikube for my Kubernetes cluster.

When I tried to apply a Pod with an image from my private docker registry (that is local, without authentication), the Pod didn't run and describe had a message indicating the repository wasn't reached (paraphrasing).

To fix this, I had to configure insecure-registry for the Docker daemon. According to the Docker docs, this can be done in two ways: as a flag passed to the dockerd command, or by modifying /etc/docker/daemon.json (on Linux).

However, as I used minikube to create and configure the cluster and daemon, I instead followed the minikube docs to set the flag --insecure-registry. The complete command is:

minikube start --insecure-registry "DOMAIN_DOCKER_REGISTRY:PORT_DOCKER_REGISTRY"

You need to go to each of your nodes, edit the file /etc/default/docker.json and add the following in it:

{
    "insecure-registries": ["192.168.1.161:5000"]
}

I have come to this thread over and over again trying to find the correct answer to get rid of certificate issues, without much success.

I finally solved the problem by installing the self-signed certificate root on the system for all the Kubernetes machines. That finally fixes the issue. On Ubuntu, you can import via:

sudo mv internal-ca.cert /usr/local/share/ca-certificates/internal-ca.crt
sudo update-ca-certificates

Keep in mind that if you have a certificate chain, it will require the root certificate, not the immediate certificate. You can check if the import worked by running:

openssl s_client -connect <YOUR REGISTRY HERE> -showcerts < /dev/null

You should see something like:

CONNECTED(00000005)

as the response.
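
The answers above address two different failures, and this added example (not code from any of the posts) probes a registry endpoint to tell them apart before a fix is chosen. `classify_registry`, `_FakeRegistry` and `demo` are names invented here, and the loopback server is a constructed stand-in for an HTTP-only registry.

```python
import http.client
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def classify_registry(host, port, cafile=None, timeout=3.0):
    """Return 'https-trusted', 'https-untrusted', 'plain-http' or 'unreachable'."""
    ctx = ssl.create_default_context(cafile=cafile)  # None: system trust store
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "https-trusted"
    except ssl.SSLCertVerificationError:  # TLS served, chain or name not trusted
        return "https-untrusted"
    except OSError:  # refused, timed out, or the peer did not speak TLS
        pass
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/v2/")  # registry API base path from the error message
        conn.getresponse().read()
        conn.close()
        return "plain-http"
    except (OSError, http.client.HTTPException):
        return "unreachable"


class _FakeRegistry(BaseHTTPRequestHandler):
    # Constructed stand-in for an HTTP-only registry (not a real registry).
    def do_GET(self):
        self.send_response(200)
        self.send_header("Docker-Distribution-Api-Version", "registry/2.0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def demo():
    with ThreadingHTTPServer(("127.0.0.1", 0), _FakeRegistry) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        result = classify_registry("127.0.0.1", server.server_address[1])
        server.shutdown()
        return result


if __name__ == "__main__":
    print(demo())
```

A result of `plain-http` corresponds to the error in the question, where image layers and registry credentials cross the network unencrypted until TLS is enabled on the registry. A result of `https-untrusted` is the case the root-certificate answer handles, and passing `cafile` checks a CA file before it is installed system-wide.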
