Kubernetes pull from insecure docker registry
I am stuck at this phase:

I need to deploy the deployment below, but Kubernetes cannot pull images. The error message is:

Failed to pull image "192.168.1.161:5000/kafka:latest": rpc error: code = Unknown desc = Error response from daemon: Get https://192.168.1.161:5000/v2/: http: server gave HTTP response to HTTPS client

apiVersion: v1
kind: Service
metadata:
  name: kafka
  labels:
    app: kafka
spec:
  type: NodePort
  ports:
  - name: port9094
    port: 9094
    targetPort: 9094
  selector:
    app: kafka
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: kafka
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: kafka
    spec:
      hostname: kafka
      containers:
      - name: redis
        image: 192.168.1.161:5000/kafka:latest
        imagePullPolicy: Always
        ports:
        - name: port9094
          containerPort: 9094
        # Environment variables loaded from the "env" ConfigMap
        envFrom:
        - configMapRef:
            name: env
      imagePullSecrets:
      - name: regsec

On the Kubernetes cluster I have created the secret "regsec" with this command:
kubectl create secret docker-registry regsec --docker-server=192.168.1.161 --docker-username=<name from config file> --docker-password=<token value from config file>
cat ~/.docker/config.json
{
    "auths": {},
    "HttpHeaders": {
        "User-Agent": "Docker-Client/18.06.0-ce (linux)"
    }
}
cat /etc/docker/daemon.json
{
    "insecure-registries":["192.168.1.161:5000"]
}
kubectl version
Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.2", GitCommit:"bb9ffb1654d4a729bb4cec18ff088eacc153c239", GitTreeState:"clean", BuildDate:"2018-08-07T23:17:28Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.3", GitCommit:"2bba0127d85d5a46ab4b778548be28623b32d0b0", GitTreeState:"clean", BuildDate:"2018-05-21T09:05:37Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
docker version
Client:
 Version: 18.06.0-ce
 API version: 1.38
 Go version: go1.10.3
 Git commit: 0ffa825
 Built: Wed Jul 18 19:09:54 2018
 OS/Arch: linux/amd64
 Experimental: false
Server:
 Engine:
  Version: 18.06.0-ce
  API version: 1.38 (minimum version 1.12)
  Go version: go1.10.3
  Git commit: 0ffa825
  Built: Wed Jul 18 19:07:56 2018
  OS/Arch: linux/amd64
  Experimental: false

I used minikube for my Kubernetes cluster.

When I tried to apply a Pod with an image from my private docker registry (that is local, without authentication), the Pod didn't run and describe had a message indicating the repository wasn't reached (paraphrasing).

To fix this, I had to configure insecure-registry for the Docker daemon. According to the Docker docs, this can be done in two ways: as a flag passed to the dockerd command, or by modifying /etc/docker/daemon.json (on Linux).

However, as I used minikube to create and configure the cluster and daemon, I instead followed the minikube docs to set the flag --insecure-registry. The complete command is:

minikube start --insecure-registry "DOMAIN_DOCKER_REGISTRY:PORT_DOCKER_REGISTRY"

You need to go to each of your nodes, edit the file /etc/default/docker.json and add the following in it:

{
    "insecure-registries": ["192.168.1.161:5000"]
}
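
A way to check the setting discussed above before restarting a node's Docker daemon, as an added example that is not part of the original posts: it parses a daemon.json text and reports whether the registry named in an image reference is covered by insecure-registries. The function names and sample configs are constructed for illustration, and the matching (exact host:port, or CIDR against IP literals only) is a simplified model of Docker's behaviour.

```python
import ipaddress
import json

def registry_of(image):
    """Registry host[:port] of an image reference; docker.io when none is given."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def _in_cidr(entry, host):
    # Only IP literals are compared; hostnames are not resolved (assumption).
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False

def check_insecure_registry(image, daemon_json_text):
    """Return "invalid-json", "listed" or "not-listed" for this image's registry."""
    try:
        config = json.loads(daemon_json_text)
    except json.JSONDecodeError:
        return "invalid-json"  # e.g. curly quotes pasted from a web page
    if not isinstance(config, dict):
        return "invalid-json"
    registry = registry_of(image)
    host = registry.rsplit(":", 1)[0]
    for entry in config.get("insecure-registries", []):
        if entry == registry or ("/" in entry and _in_cidr(entry, host)):
            return "listed"
    return "not-listed"

# Constructed sample inputs; the image reference is the one from the question.
IMAGE = "192.168.1.161:5000/kafka:latest"
SAMPLES = {
    "exact host:port": '{"insecure-registries": ["192.168.1.161:5000"]}',
    "port omitted": '{"insecure-registries": ["192.168.1.161"]}',
    "CIDR range": '{"insecure-registries": ["192.168.1.0/24"]}',
    "curly quotes": '{\u201cinsecure-registries\u201d: ["192.168.1.161:5000"]}',
    "key missing": "{}",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:16} -> {check_insecure_registry(IMAGE, text)}")
```

Run it against the daemon.json of the node that actually pulls the image (for minikube, the VM), not the workstation's copy.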

I have come to this thread over and over again trying to find the correct answer to get rid of certificate issues, without much success.

I finally solved the problem by installing the self-signed certificate root on the system for all the Kubernetes machines. That finally fixes the issue. On Ubuntu, you can import via:

sudo mv internal-ca.cert /usr/local/share/ca-certificates/internal-ca.crt
sudo update-ca-certificates

Keep in mind that if you have a certificate chain, it will require the root certificate, not the immediate certificate. You can check if the import worked by running:

openssl s_client -connect <YOUR REGISTRY HERE> -showcerts < /dev/null

You should see something like:

CONNECTED(00000005)

as the response.