
private docker registry for gitlab secret not working in kubernetes

I am trying to set up a GitLab private registry for my Kubernetes container images.

I have removed the irrelevant code below.

My ReplicaSet is defined as:

kind: ReplicaSet
...
    spec:
      containers:
      - name: redacted
        image: registry.gitlab.com/redacted/redacted/redacted:latest
        ports:
        - containerPort: 8080
        volumeMounts:
        - name: redacted-data
          mountPath: /var/www/html
      imagePullSecrets:
      - name: github-auth
...

I am setting up my secret with the following kubectl command:

kubectl create -n redacted secret docker-registry gitlab-auth \
--docker-server="registry.gitlab.com:5000" \
--docker-username="redacted" \
--docker-password="redacted" \
--docker-email="redacted" \
--namespace="redacted"

This is the failing container output:

Name:             redacted-cgbrk
...
Containers:
  redacted:
    Container ID:   
    Image:          registry.gitlab.com/redacted/redacted/redacted:latest
    Image ID:       
    Port:           8080/TCP
    Host Port:      0/TCP
    State:          Waiting
      Reason:       ErrImagePull
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-qv24l (ro)
      /var/www/html from redacted-data (rw)
Conditions:
  Type              Status
  Initialized       True 
  Ready             False 
  ContainersReady   False 
  PodScheduled      True
...
Events:
  Type     Reason                  Age                From                     Message
  ----     ------                  ----               ----                     -------
  Warning  FailedScheduling        64s                default-scheduler        0/1 nodes are available: 1 pod has unbound immediate PersistentVolumeClaims. preemption: 0/1 nodes are available: 1 Preemption is not helpful for scheduling.
  Normal   Scheduled               62s                default-scheduler        Successfully assigned redacted/redacted-cgbrk to pool-2t9lbcb5l-7d37n
  Normal   SuccessfulAttachVolume  55s                attachdetach-controller  AttachVolume.Attach succeeded for volume "pvc-6c4aac85-bb60-44e8-b557-7f65d62543fa"
  Normal   Pulling                 16s (x3 over 54s)  kubelet                  Pulling image "registry.gitlab.com/redacted/mpro/redacted:latest"
  Warning  Failed                  16s (x3 over 54s)  kubelet                  Failed to pull image "registry.gitlab.com/redacted/redacted/redacted:latest": rpc error: code = Unknown desc = failed to pull and unpack image "registry.gitlab.com/redacted/redacted/redacted:latest": failed to resolve reference "registry.gitlab.com/redacted/redacted/redacted:latest": failed to authorize: failed to fetch anonymous token: unexpected status: 403 Forbidden
...

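Kubernetes uses authentication that is separate from the docker login. Check whether you have configured Kubernetes with the required authentication so that it can pull from your private registry.

Follow these steps:

1) Log in to Docker Hub

2) Create a Secret based on existing credentials

3) Create a Secret by providing credentials on the command line

4) Inspect the Secret regcred

5) Create a Pod that uses your Secret

See the K8S issue here: Pull an Image from a Private Registry, for more information.

See also this similar SO for more information.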
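
An added example, not part of the original question or answer: a small Python check for two mismatches that leave a pod pulling anonymously, as in the events above. The first is an `imagePullSecrets` name with no matching Secret in the namespace, and the second is a Secret whose registry key differs from the image's registry host. The data is constructed to mirror the question's manifest and command. The exact host[:port] comparison is a simplification of the kubelet's matching, and images are assumed to name their registry explicitly.

```python
import base64
import json

def registry_of(image):
    """Registry host[:port] of an image reference that names its registry explicitly."""
    return image.split("/", 1)[0]

def secret_servers(secret):
    """Return the registry keys stored in a kubernetes.io/dockerconfigjson Secret."""
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    servers = json.loads(raw).get("auths", {})
    # Keys may carry a scheme and path (https://host/v1/); keep host[:port] only.
    return {s.split("://", 1)[-1].split("/", 1)[0] for s in servers}

def check_pull_secrets(pod_spec, secrets_in_namespace):
    """List reasons no credential from imagePullSecrets applies to an image."""
    problems = []
    referenced = [ref["name"] for ref in pod_spec.get("imagePullSecrets", [])]
    servers = set()
    for name in referenced:
        if name not in secrets_in_namespace:
            problems.append(f"imagePullSecrets references {name!r}, which is not in the namespace")
        else:
            servers |= secret_servers(secrets_in_namespace[name])
    for c in pod_spec["containers"]:
        reg = registry_of(c["image"])
        if reg not in servers:
            problems.append(f"no credential for {reg!r} (image {c['image']}); secrets cover {sorted(servers)}")
    return problems

def make_secret(server):
    """Constructed Secret shaped like `kubectl create secret docker-registry` output."""
    cfg = {"auths": {server: {"username": "u", "password": "p", "auth": base64.b64encode(b"u:p").decode()}}}
    return {"type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": base64.b64encode(json.dumps(cfg).encode()).decode()}}

# Constructed sample mirroring the question: secret name and server as posted.
POD_SPEC = {"containers": [{"name": "app", "image": "registry.gitlab.com/group/project/app:latest"}],
            "imagePullSecrets": [{"name": "github-auth"}]}
SECRETS = {"gitlab-auth": make_secret("registry.gitlab.com:5000")}

if __name__ == "__main__":
    for p in check_pull_secrets(POD_SPEC, SECRETS):
        print("WARN:", p)
```

On a live cluster the same dictionaries can be loaded from `kubectl get rs -n <namespace> -o json` and `kubectl get secret -n <namespace> -o json`.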
