minikube - x509: certificate signed by unknown authority
I am using minikube and kubectl to create an RC for mongo, and I am on my company's VPN.
I create the RC with the command kubectl create -f ./rc/mongo-rc.yaml.
When I run the command kubectl describe pod mongo-5zttk, I get the following Kubernetes events:
...
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 7m18s default-scheduler Successfully assigned default/mongo-5zttk to minikube
Normal Pulling 5m42s (x4 over 7m17s) kubelet, minikube Pulling image "mongo"
Warning Failed 5m40s (x4 over 7m15s) kubelet, minikube Failed to pull image "mongo": rpc error: code = Unknown desc = Error response from daemon: Get https://registry-1.docker.io/v2/library/mongo/manifests/latest: Get https://auth.docker.io/token?scope=repository%3Alibrary%2Fmongo%3Apull&service=registry.docker.io: x509: certificate signed by unknown authority
Warning Failed 5m40s (x4 over 7m15s) kubelet, minikube Error: ErrImagePull
Normal BackOff 5m29s (x6 over 7m15s) kubelet, minikube Back-off pulling image "mongo"
Warning Failed 2m8s (x21 over 7m15s) kubelet, minikube Error: ImagePullBackOff
When I try to access the URL with curl:
⚡ curl https://registry-1.docker.io/v2/library/mongo/manifests/latest
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"library/mongo","Action":"pull"}]}]}
I can successfully pull the mongo:latest image from the Docker Hub registry.
⚡ docker pull mongo:latest
latest: Pulling from library/mongo
Digest: sha256:efc408845bc917d0b7fd97a8590e9c8d3c314f58cee651bd3030c9cf2ce9032d
Status: Image is up to date for mongo:latest
docker.io/library/mongo:latest
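Environment info:
I have read the documentation: vpn_and_proxy/#x509-certificate-signed-by-unknown-authority. The solution there is to ask the IT department for the appropriate PEM file. Is there any workaround if I cannot get the PEM file? For example, using some command flag such as --skip-verify-cert?
Update:
mongo-rc.yaml: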
apiVersion: v1
kind: ReplicationController
metadata:
  name: mongo
spec:
  replicas: 1
  selector:
    app: mongo
  template:
    metadata:
      labels:
        app: mongo
    spec:
      containers:
        - name: mongo
          image: mongo
          ports:
            - containerPort: 27017
          env:
            - name: MONGO_ROOT_PASSWORD
              value: "123456"
You should be able to use the --insecure-registry flag, but you may have to recreate the minikube cluster for it to work.
minikube start --insecure-registry="registry-1.docker.io"
I tried a lot of things, and only one worked for me:
update-ca-certificates --fresh
openssl s_client -showcerts -verify 5 -connect k8s.gcr.io:443 < /dev/null 2>/dev/null | openssl x509 -outform PEM | tee ~/k8s.gcr.io.crt
openssl s_client -showcerts -verify 5 -connect registry-1.docker.io:443 < /dev/null 2>/dev/null | openssl x509 -outform PEM | tee ~/registry-1.docker.io.crt
openssl s_client -showcerts -verify 5 -connect auth.docker.io:443 < /dev/null 2>/dev/null | openssl x509 -outform PEM | tee ~/auth.docker.io.crt
cp ~/k8s.gcr.io.crt /usr/local/share/ca-certificates/
cp ~/registry-1.docker.io.crt /usr/local/share/ca-certificates/
cp ~/auth.docker.io.crt /usr/local/share/ca-certificates/
update-ca-certificates
# service docker restart
...
case "$1" in
start)
# <add-following-line>
/root/./docker.sh
# </add-following-line>
check_init
fail_unless_root
cgroupfs_mount
..
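Added example, not part of the original answers: the openssl s_client -showcerts ... | openssl x509 pipeline in the answer above keeps only the first certificate the server sends, so this script lists every certificate in a saved -showcerts capture with its role, SHA-256 fingerprint, subject and issuer, for comparison with values obtained from IT before anything is copied into /usr/local/share/ca-certificates/. The function names and the file name chain.txt are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Usage: sh inspect-chain.sh chain.txt
# where chain.txt (a hypothetical file name) was saved from:
#   openssl s_client -showcerts -connect registry-1.docker.io:443 </dev/null >chain.txt 2>/dev/null

# split_chain FILE DIR: write every PEM certificate found in FILE to
# DIR/cert-N.pem (N starts at 1, in the order sent) and print the count.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; keep = 1 }
        keep { print > out }
        /-----END CERTIFICATE-----/ { keep = 0; close(out) }
        END { print n + 0 }' "$1"
}

# is_ca FILE: succeeds when the certificate has basicConstraints CA:TRUE,
# i.e. it is allowed to sign certificates for other names.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# report_chain FILE: print one summary line per certificate in FILE:
#   <position> <leaf|CA> <SHA-256 fingerprint> <subject> <issuer>
report_chain() {
    dir=$(mktemp -d) || return 1
    count=$(split_chain "$1" "$dir")
    i=1
    while [ "$i" -le "$count" ]; do
        cert="$dir/cert-$i.pem"
        if is_ca "$cert"; then role=CA; else role=leaf; fi
        fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 | cut -d= -f2)
        names=$(openssl x509 -in "$cert" -noout -subject -issuer | tr '\n' ' ')
        printf '%s %s %s %s\n' "$i" "$role" "$fp" "$names"
        i=$((i + 1))
    done
    rm -rf "$dir"
}

# Run the report when a capture file is given on the command line.
if [ "$#" -gt 0 ]; then report_chain "$1"; fi
```

On a VPN that intercepts TLS, position 1 is normally a leaf issued for the registry host name by the proxy; a certificate marked CA is the one whose fingerprint is worth confirming with IT.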