stackoom
  简体   繁体   中英

Kubernetes pull from insecure docker registry

 原文  2018-08-17 10:12:02       docker/ kubernetes/ docker-registry

Question

I have stacked in this phase:

  1. Have local docker insecure registry and some images in it, eg 192.168.1.161:5000/kafka:latest
  2. Have kube.netes cloud cluster, for which I can access only via ~/.kube/config file, e,g.token.

Need to deploy below deployment, but kube.netes cannot pull images, error message:

Failed to pull image "192.168.1.161:5000/kafka:latest": rpc error: code = Unknown desc = Error response from daemon: Get https://192.168.1.161:5000/v2/ : http: server gave HTTP response to HTTPS client

apiVersion: v1
kind: Service
metadata:
  name: kafka
  labels:
    app: kafka
spec:
  type: NodePort
  ports:
  - name: port9094
    port: 9094
    targetPort: 9094
  selector:
    app: kafka
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: kafka
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: kafka
    spec:
      hostname: kafka
      containers:
      - name: redis
        image: 192.168.1.161:5000/kafka:latest
        imagePullPolicy: Always

      ports:
      - name: port9094
        containerPort: 9094
      - envFrom:
        - configMapRef:
            name: env

  imagePullSecrets:
  - name: regsec

ON Kube.netes cluster I have created secret file "regsec" with this command:

kubectl create secret docker-registry regsec  --docker-server=192.168.1.161 --docker-username=<name from config file> --docker-password=<token value from config file>

cat ~/.docker/config.json
{
        "auths": {},
        "HttpHeaders": {
                "User-Agent": "Docker-Client/18.06.0-ce (linux)"
        }

cat /etc/docker/daemon.json
{
      "insecure-registries":["192.168.1.161:5000"]
}

kubectl version
Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.2", GitCommit:"bb9ffb1654d4a729bb4cec18ff088eacc153c239", GitTreeState:"clean", BuildDate:"2018-08-07T23:17:28Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.3", GitCommit:"2bba0127d85d5a46ab4b778548be28623b32d0b0", GitTreeState:"clean", BuildDate:"2018-05-21T09:05:37Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}


    docker version
Client:
 Version:           18.06.0-ce
 API version:       1.38
 Go version:        go1.10.3
 Git commit:        0ffa825
 Built:             Wed Jul 18 19:09:54 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.06.0-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.10.3
  Git commit:       0ffa825
  Built:            Wed Jul 18 19:07:56 2018
  OS/Arch:          linux/amd64
  Experimental:     false

3 answers

solution1
 3  2022-03-16 16:43:26

I used minikube for my Kube.netes cluster.

When I tried to apply a Pod with an image from my private docker registry (that is local, without authentication), the Pod didn't run and describe had a message indicating the repository wasn't reached (paraphrasing).

To fix this, I had to configure insecure-registry for the Docker daemon. According to the Docker docs , this can be done in two ways: as a flag passed to the dockerd command, or by modifying /etc/docker/daemon.json (on Linux).

However, as I used minikube to create and configure the cluster and daemon, I instead followed the minikube docs to set the flag --insecure-registry . The complete command is:

minikube start --insecure-registry "DOMAIN_DOCKER_REGISTRY:PORT_DOCKER_REGISTRY"

solution2
 2 ACCPTED  2018-08-17 10:32:53

You need to go to each of your nodes, edit the file /etc/default/docker.json and add the following in it: 

{
    “insecure-registries”: ["192.168.1.161:5000"]
}

solution3
 0  2023-01-16 10:22:02

I have come to this thread over and over again trying to find the correct answer to get rid of certificates issues, without much success.

I finally solved the problem by installing the self signed certificate root on the system for all the kube.netes machines. That finally fixes the issue. On Ubuntu, you can import via:

sudo mv internal-ca.cert /usr/local/share/ca-certificates/internal-ca.crt
sudo update-ca-certificates

Keep in mind that if you have a certificate chain, it will require the root certificate, not the immediate certficate. You can check if the import worked by running:

openssl s_client -connect <YOUR REGISTRY HERE> -showcerts < /dev/null

You should see something like:

CONNECTED(00000005)

as the response.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Have docker pull images from an insecure registry inside kubernetes How to pull docker image from a insecure private registry with latest Kubernetes Kubernetes pull image from private insecure registry fails docker pull/push not working with insecure registry Kubernetes cannot pull from insecure registry ans cannot run container from local image on offline cluster Cannot get local Kubernetes (minikube) to pull from local Docker registry Unable to pull docker image from local registry for Kubernetes deployment kubernetes can't pull image from private docker registry kubernetes is unable pull image from docker private registry Kubernetes doesn't pull from private Docker Registry
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM