x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error") in Kubernetes

I have already deployed a local registry which listens on 192.168.xx.xx:5000.

In /etc/hosts I have added:

192.168.xx.xx my.local.registry

and using sudo vim /etc/docker/daemon.json I have added:

{ "insecure-registries":["my.local.registry:5000"] }

Then I pushed an image on it using:

sudo docker tag hello-world my.local.registry:5000/hello-world
sudo docker push my.local.registry:5000/hello-world

Everything works as expected. In https://my.local.registry:5000/v2/_catalog I am able to see the pushed image:

{"repositories":["hello-world"]}

In the next step, I wanted to create a pod, thus a Deployment which will be able to download the image from my local registry. Example:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: registry-test
  labels:
    app: registry-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: registry-test
  template:
    metadata:
      labels:
        app: registry-test
    spec:
      containers:
      - name: registry-test
        image: my.local.registry:5000/hello-world
I have generated my own certificate using:

openssl req -newkey rsa:4096 -nodes -sha256 -keyout ./certs/tls.key -x509 -days 365 -subj "/C=GR/ST=./L=./O=./CN=my.local.registry" -addext "subjectAltName = DNS:my.local.registry" -out ./certs/tls.crt

and then I created a folder sudo mkdir -p /etc/docker/certs.d/my.local.registry:5000 where I put the newly created certificate using sudo scp certs/tls.crt /etc/docker/certs.d/my.local.registry:5000/ca.crt

Then I added sudo cp certs/tls.crt /usr/local/share/ca-certificates/ca.crt and finally I executed:

sudo update-ca-certificates
sudo service docker restart
sudo systemctl restart containerd

However, when I apply the Deployment with kubectl apply -f mytestDeployment.yaml I get

Failed to pull image "my.local.registry:5000:5000/hello-world": rpc error: code = Unknown desc = failed to pull and unpack image "my.local.registry:5000:5000/hello-world:latest": failed to resolve reference "my.local.registry:5000:5000/hello-world:latest": failed to do request: Head "https://my.local.registry:5000:5000/v2/hello-world/manifests/latest": x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "my.local.registry:5000")

There are plenty of answers on SO regarding this matter, however I am not able to fix this. Does anyone know what I am missing here?
UPDATE

I am also using a DaemonSet:
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: registry-ca
  namespace: ches
  labels:
    k8s-app: registry-ca
spec:
  selector:
    matchLabels:
      name: registry-ca
  template:
    metadata:
      labels:
        name: registry-ca
    spec:
      containers:
      - name: registry-ca-docker
        image: busybox
        command: [ 'sh' ]
        args: [ '-c', 'mkdir /etc/docker/certs.d/my.local.registry:5000 && cp /home/core/tls.crt /etc/docker/certs.d/my.local.registry:5000/ca.crt && exec tail -f /dev/null' ]
        volumeMounts:
        - name: etc-docker
          mountPath: /etc/docker/certs.d
        - name: ca-cert
          mountPath: /home/core
      - name: registry-ca-containerd
        image: busybox
        command: [ 'sh' ]
        args: [ '-c', 'cat /home/core/tls.crt > /home/core-containerd/ca.crt && exec tail -f /dev/null']
        volumeMounts:
        - name: ca-cert
          mountPath: /home/core
        - name: etc-containerd
          mountPath: /home/core-containerd
      terminationGracePeriodSeconds: 30
      volumes:
      - name: etc-docker
        hostPath:
          path: /etc/docker/certs.d
      - name: ca-cert
        secret:
          secretName: ches-registry-secret
      - name: etc-containerd
        hostPath:
          path: /usr/local/share/ca-certificates
However the error persists.
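The message in the question is Go's crypto/x509 UnknownAuthorityError, which is what containerd's TLS client returns when the certificate the registry serves does not chain to the file it found under certs.d for that host. The hint in parentheses names the candidate CA it tried and why the attempt failed: "crypto/rsa: verification error" means the candidate's public key did not verify the signature on the served certificate, i.e. the trusted file is not the certificate (or not the same key) that the registry is actually presenting. The Go program below is an added example, not code from the question or the answer: it builds self-signed certificates the way the openssl command above does (CN and SAN both set to the registry host, the certificate acting as its own issuer) and shows the three outcomes a node can see. The helper names selfSigned and verifyAgainst are the example's own, and the "same names, different key" certificate is a constructed scenario that reproduces the error text, not a claim about what is on the asker's nodes.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a self-signed certificate for host the way the openssl
// command in the question does: CN and SAN both set to host, and the cert is
// its own issuer, so one file can serve as both server cert and ca.crt.
// (Example helper; not part of any registry or containerd API.)
func selfSigned(host string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host}, // Go ignores CN when a SAN is present
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAgainst mirrors what a Go TLS client does when certs.d/<host>/ca.crt
// holds exactly one trusted certificate: the served certificate must chain to
// that single root and must carry host in its SAN. Any other system roots are
// deliberately left out of the pool, as they are for a per-registry ca.crt.
func verifyAgainst(served, trusted *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := served.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// isUnknownAuthority reports whether err is the x509.UnknownAuthorityError
// behind the "certificate signed by unknown authority" message.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	const host = "my.local.registry"
	served, _ := selfSigned(host) // what the registry presents over TLS
	other, _ := selfSigned(host)  // constructed: same CN and SAN, different key pair

	// Trusted file is the served certificate itself: verification succeeds.
	fmt.Println("same certificate trusted:", verifyAgainst(served, served, host))
	// Trusted file has matching names but a different key: the signature check
	// against the only candidate fails, which is exactly the error in the question.
	fmt.Println("different key trusted:   ", verifyAgainst(served, other, host))
	// Trust is fine but the name does not match the SAN: a HostnameError instead.
	fmt.Println("wrong hostname:          ", verifyAgainst(served, served, "other.local"))
}
```

The second case prints the same text as the question's error, including the "crypto/rsa: verification error" hint and the candidate's CN, which is why checking that the file under certs.d is byte-for-byte the certificate the registry serves (for example by comparing fingerprints) is the first thing to verify on each node.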
Actually you did everything right setting up your private registry. However Kubernetes doesn't allow pulling images from insecure private registries (yes, a self-signed certificate is still considered "insecure").

I'm afraid you have to tell every Kubernetes node that your my.local.registry is either an insecure registry or place the certificate file in every node (as described in the second link of Priyanka's answer).

A different option might be to create a certificate using letsencrypt, so it's signed by a known certificate authority, thus being "secure". But that limits the use of custom domain names.