
Failed to pull image with "x509: certificate signed by unknown authority" error

I am using k3s Kubernetes, and Harbor as a private container registry. I use a self-signed cert in Harbor. I have a sample image in Harbor, and I want to create a sample pod in Kubernetes using this private Harbor image.

I created a file called testPod.yml with the following content to create the pod:

apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  containers:
    - name: test
      image: harbor-server/t_project/test:001
  imagePullSecrets:
    - name: testcred

However, there is an error after I applied this yml file, x509: certificate signed by unknown authority, which is shown below:

Name:         test
Namespace:    default
Priority:     0
Node:         server/10.1.0.11
Start Time:   Thu, 07 Jul 2022 15:20:32 +0800
Labels:       <none>
Annotations:  <none>
Status:       Pending
IP:           10.42.2.164
IPs:
  IP:  10.42.2.164
Containers:
  test:
    Container ID:   
    Image:          harbor-server/t_project/test:001
    Image ID:       
    Port:           <none>
    Host Port:      <none>
    State:          Waiting
      Reason:       ImagePullBackOff
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-47cgb (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             False 
  ContainersReady   False 
  PodScheduled      True 
Volumes:
  kube-api-access-47cgb:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason     Age               From               Message
  ----     ------     ----              ----               -------
  Normal   Scheduled  19s               default-scheduler  Successfully assigned default/test to server
  Normal   BackOff    19s               kubelet            Back-off pulling image "harbor-server/t_project/test:001"
  Warning  Failed     19s               kubelet            Error: ImagePullBackOff
  Normal   Pulling    4s (x2 over 19s)  kubelet            Pulling image "harbor-server/t_project/test:001"
  Warning  Failed     4s (x2 over 19s)  kubelet            Failed to pull image "harbor-server/t_project/test:001": rpc error: code = Unknown desc = failed to pull and unpack image "harbor-server/t_project/test:001": failed to resolve reference "harbor-server/t_project/test:001": failed to do request: Head "https://harbor-server:443/v2/t_project/test/manifests/001?ns=harbor-server": x509: certificate signed by unknown authority
  Warning  Failed     4s (x2 over 19s)  kubelet            Error: ErrImagePull

How to solve this x509 error? Is there any step that I have missed?

The CA's certificate needs to be trusted first.

Put the CA into the host system's trusted CA chain. Run the following commands.

sudo mkdir -p /usr/local/share/ca-certificates/myregistry
sudo cp registry/myca.pem /usr/local/share/ca-certificates/myregistry/myca.crt
sudo update-ca-certificates

Note that the cert in the specific directory has to be named with the crt extension. Restart the K3s service to let the change take effect.
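A pre-flight check for the steps in the answer above, as an added example that is not part of the original answer: before installing the CA, it confirms the file is a PEM certificate, that the installed name ends in .crt, and that the registry's server certificate actually chains to that CA. The function names and the sample PKI are constructed for illustration; only openssl is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example: checks to run before trusting a private registry CA.
# Function names are hypothetical; the sample certificates are constructed.
# Live use: fetch_server_cert harbor-server:443 server.pem
#           preflight registry/myca.pem myca.crt server.pem

# 0 if $1 parses as a PEM X.509 certificate.
is_pem_cert() { openssl x509 -in "$1" -noout 2>/dev/null; }

# 0 if update-ca-certificates would pick up $1: it only reads *.crt files.
has_crt_name() { case "$1" in *.crt) return 0 ;; *) return 1 ;; esac; }

# 0 if certificate $2 chains to CA file $1 alone (system store ignored).
chains_to_ca() { openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; }

# Save the certificate served by host:port ($1) to file $2 (needs network).
fetch_server_cert() {
  openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null |
    openssl x509 -out "$2"
}

# Run all checks. Usage: preflight CA_FILE DEST_NAME SERVER_CERT
preflight() {
  is_pem_cert "$1"       || { echo "not a PEM certificate: $1"; return 1; }
  has_crt_name "$2"      || { echo "must end in .crt: $2"; return 2; }
  chains_to_ca "$1" "$3" || { echo "server cert not signed by $1"; return 3; }
  echo "ok: $1 validates $3"
}

# Constructed sample PKI in directory $1: ca.pem signs leaf.pem,
# other.pem is an unrelated CA that must fail the chain check.
make_sample_pki() {
  ( cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
      -subj "/CN=Sample Registry CA" -days 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.pem \
      -subj "/CN=Unrelated CA" -days 1
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
      -subj "/CN=harbor-server"
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -out leaf.pem -days 1
  ) >/dev/null 2>&1
}
```

A return code of 3 from preflight means the file being installed is not the CA that signed the registry's certificate, so the x509 error would persist after update-ca-certificates and the K3s restart.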
