Kubernetes cannot pull an image from a private Docker registry

Tags: kubernetes, docker-registry

I want to create a custom docker image and be able to pull that custom image from a private docker registry using Kubernetes. Here is my setup:

Environment:
docker registry IP: 10.179.143.115
Kubernetes master IP: 10.179.143.113

1. Generate certificate:

2. Create docker registry:

    docker run -d --restart=always --name registry -v `pwd`/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/selfsigned.crt -e REGISTRY_HTTP_TLS_KEY=/certs/selfsigned.key -p 443:443 registry:2

3. Create my custom docker image (just tag an image with another name for testing):

    docker pull tomcat
    docker tag tomcat 10.179.143.115/test-tomcat
    docker push 10.179.143.115/test-tomcat

4. On the Kubernetes master:

    copy selfsigned.* (crt and key file) to /usr/local/share/ca-certificates/
    sudo update-ca-certificates
    sudo service docker restart

    root@kubernetes-master:~# docker images
    REPOSITORY                                               TAG                 IMAGE ID            CREATED             SIZE
    gcr.io/google_containers/kube-apiserver-amd64            v1.9.3              360d55f91cbf        3 weeks ago         210 MB
    gcr.io/google_containers/kube-controller-manager-amd64   v1.9.3              83dbda6ee810        3 weeks ago         138 MB
    gcr.io/google_containers/kube-proxy-amd64                v1.9.3              35fdc6da5fd8        3 weeks ago         109 MB
    gcr.io/google_containers/kube-scheduler-amd64            v1.9.3              d3534b539b76        3 weeks ago         62.7 MB
    quay.io/coreos/flannel                                   v0.10.0-amd64       f0fad859c909        5 weeks ago         44.6 MB
    gcr.io/google_containers/etcd-amd64                      3.1.11              59d36f27cceb        2 months ago        194 MB
    gcr.io/google_containers/k8s-dns-sidecar-amd64           1.14.7              db76ee297b85        4 months ago        42 MB
    gcr.io/google_containers/k8s-dns-kube-dns-amd64          1.14.7              5d049a8c4eec        4 months ago        50.3 MB
    gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64     1.14.7              5feec37454f4        4 months ago        41 MB
    gcr.io/google_containers/pause-amd64                     3.0                 99e59f495ffa        22 months ago       747 kB

    root@kubernetes-master:~# docker pull 10.179.143.115/test-tomcat
    Using default tag: latest
    latest: Pulling from test-tomcat
    f0f063e89695: Pull complete
    d9b7671d4a80: Pull complete
    6eb55822688c: Pull complete
    a85cc2721f25: Pull complete
    ee9e2e7b610a: Pull complete
    562dd1fb5637: Pull complete
    e8e2e3cceeee: Pull complete
    86cbf3cde839: Pull complete
    3678522c43a2: Pull complete
    50ea7ae5efa3: Pull complete
    e81b257a8ae8: Pull complete
    5b298dc937bc: Pull complete
    Digest: sha256:332fa1b89534f0b0e45c636a26edb8520b15bcdfc05ef5450efae3e71d1b1361
    Status: Downloaded newer image for 10.179.143.115/test-tomcat:latest

5. But when I want to create a Kubernetes pod:

    test.yaml:
    apiVersion: v1
    kind: Pod
    metadata:
      name: test
    spec:
      containers:
        - name: test
          image: 10.179.143.115/test-tomcat

    kubectl create -f test.yaml

    root@kubernetes-master:~# kubectl describe pods test

    Name:         test
    Namespace:    default
    Node:         kubernetes-node/10.179.143.114
    Start Time:   Fri, 02 Mar 2018 15:02:20 -0500
    Labels:       <none>
    Annotations:  <none>
    Status:       Pending
    IP:
    Containers:
      test:
        Container ID:
        Image:          10.179.143.115/test-tomcat
        Image ID:
        Port:           <none>
        State:          Waiting
          Reason:       ErrImagePull
        Ready:          False
        Restart Count:  0
        Environment:    <none>
        Mounts:
          /var/run/secrets/kubernetes.io/serviceaccount from default-token-lvz9r (ro)
    Conditions:
      Type           Status
      Initialized    True
      Ready          False
      PodScheduled   True
    Volumes:
      default-token-lvz9r:
        Type:        Secret (a volume populated by a Secret)
        SecretName:  default-token-lvz9r
        Optional:    false
    QoS Class:       BestEffort
    Node-Selectors:  <none>
    Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                     node.kubernetes.io/unreachable:NoExecute for 300s
    Events:
      Type     Reason                 Age               From                      Message
      ----     ------                 ----              ----                      -------
      Normal   Scheduled              32s               default-scheduler         Successfully assigned test to kubernetes-node
      Normal   SuccessfulMountVolume  31s               kubelet, kubernetes-node  MountVolume.SetUp succeeded for volume "default-token-lvz9r"
      Normal   Pulling                9s (x2 over 21s)  kubelet, kubernetes-node  pulling image "10.179.143.115/test-tomcat"
      Warning  Failed                 9s (x2 over 21s)  kubelet, kubernetes-node  Failed to pull image "10.179.143.115/test-tomcat": rpc error: code = Unknown desc = Error response from daemon: Get https://10.179.143.115/v1/_ping: x509: certificate signed by unknown authority
      Warning  Failed                 9s (x2 over 21s)  kubelet, kubernetes-node  Error: ErrImagePull
      Normal   SandboxChanged         9s (x2 over 20s)  kubelet, kubernetes-node  Pod sandbox changed, it will be killed and re-created.

    Failed to pull image "10.179.143.115/test-tomcat": rpc error: code = Unknown desc = Error response from daemon: Get https://10.179.143.115/v1/_ping: x509: certificate signed by unknown authority

Please bear with my bad formatting, and thanks in advance.


As far as I know, a Secret resource must be created in order to use a private docker registry. Reference

Comments on this answer:

  • Thanks for your reply! However, when I created the docker registry I did not set any option that restricts access to the registry. That is the problem I am referring to. Do I have to set up authentication?
  • The error you see is because the docker daemon cannot log in to the private registry, since the certificate it uses is unsigned. Take a look here
  • Thanks for your reply. I know the certificate is unsigned; I have put my certificate on the Kubernetes master and run "update-ca-certificates". That fixes the certificate problem and I can do "docker push". But I still cannot pull this image from Kubernetes.
  • I can think of two options, although neither answers your question directly. First option, see if this helps: . Second, try whether using --insecure-registry helps in your case. In my case, adding the insecure registry entry in docker-sysconfig.conf made pulling images from the private repo in Kubernetes work fine.
  • Thanks a lot. I think I found the problem. My setup is a two-node Kubernetes cluster, and I only updated the certificate on the Kubernetes master; however, the Kubernetes slave should also be updated. This also explains why I could do docker pull and push from the master.


Thanks everyone for the help! Below is my follow-up on how I got it working.

When I copied all the certificates to the Kubernetes master, I was able to pull and push docker images from my private registry. But when I wanted to create a Kubernetes pod, it did not work. I realized that I also needed to copy all the certificates to my Kubernetes slave, which is where Kubernetes pulls the image from the private docker registry. After I copied the certificate to "/usr/local/share/ca-certificates/" and ran "sudo update-ca-certificates; sudo service docker restart", I can now create pods.
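The first answer above recommends creating a Secret resource. As an added example that is not part of the original thread, the POSIX shell script below builds, offline, the two manifests that recommendation amounts to: a kubernetes.io/dockerconfigjson Secret and the question's Pod with an imagePullSecrets entry. The registry address comes from the question; the Secret name regcred, the user name deploy and the password s3cret are made-up values. One caveat a practitioner should keep in mind: an image pull Secret only supplies credentials (it carries what docker login would write to ~/.docker/config.json, base64-encoded, not encrypted). It does nothing for the "x509: certificate signed by unknown authority" error in the question, which is a TLS trust failure in the node's docker daemon rather than an authentication failure, so on this registry, which has no authentication configured, the Secret would change nothing.

```shell
#!/bin/sh
# Added example: what an image pull Secret contains and how a Pod uses it.
# Equivalent to `kubectl create secret docker-registry NAME --docker-server=...
# --docker-username=... --docker-password=... --dry-run=client -o yaml`, built
# by hand here so the structure is visible. Registry taken from the question;
# user "deploy", password "s3cret" and Secret name "regcred" are made up.

# docker_config_json REGISTRY USER PASS
# The JSON that `docker login` stores in ~/.docker/config.json. The "auth"
# field is base64(USER:PASS): a reversible encoding, not encryption.
docker_config_json() {
    auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
        "$1" "$2" "$3" "$auth"
}

# pull_secret_manifest NAME REGISTRY USER PASS
# A kubernetes.io/dockerconfigjson Secret. The kubelet uses it only when a Pod
# in the same namespace lists it under spec.imagePullSecrets.
pull_secret_manifest() {
    data=$(docker_config_json "$2" "$3" "$4" | base64 | tr -d '\n')
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $data
EOF
}

# pod_manifest SECRET_NAME IMAGE
# The Pod from the question with the pull Secret attached.
pod_manifest() {
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  imagePullSecrets:
    - name: $1
  containers:
    - name: test
      image: $2
EOF
}

# recover_credentials < SECRET_MANIFEST
# Prints USER:PASS back out of the manifest. Anyone allowed to `get secrets`
# in the namespace can do the same, so scope that permission with RBAC.
recover_credentials() {
    sed -n 's/^  \.dockerconfigjson: //p' | base64 -d \
      | sed 's/.*"auth":"\([^"]*\)".*/\1/' | base64 -d
}

# Usage (no cluster needed to look at the output):
#   pull_secret_manifest regcred 10.179.143.115 deploy s3cret | kubectl apply -f -
#   pod_manifest regcred 10.179.143.115/test-tomcat | kubectl apply -f -
```

Creating the Secret in the cluster is equivalent to a single kubectl create secret docker-registry command; the script exists to make visible that the Secret is the registry password with a thin encoding around it, and that the Pod, not the node, is what references it.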
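The follow-up answer and the comment thread converge on the actual cause: the kubelet on the worker node (kubernetes-node, 10.179.143.114 in the describe output) is what pulls the image, so it is that node's docker daemon, not the master's, that has to trust the registry certificate. As an added example that is not from the original thread, the POSIX shell script below does this per registry instead of system-wide: the docker daemon reads /etc/docker/certs.d/<registry>/ca.crt for that one registry on each pull, so the certificate does not go into the node's general CA store and the daemon does not need a restart. The registry address is taken from the question; the node list and the path of selfsigned.crt are assumptions. Two practitioner notes: copy only the certificate, never selfsigned.key, because the registry's private key must not leave the registry host (the script refuses a file containing private-key material for that reason); and prefer this over --insecure-registry, which switches off TLS verification for that registry entirely and lets anyone on the network path serve substitute images.

```shell
#!/bin/sh
# Added example: trust a private registry's self-signed certificate on a
# Kubernetes worker node, scoped to that single registry via Docker's
# /etc/docker/certs.d/<registry>/ca.crt. Assumed values: REGISTRY from the
# question; NODES and CERT are hypothetical and should be set for real use.

REGISTRY=${REGISTRY:-10.179.143.115}
CERT=${CERT:-./certs/selfsigned.crt}
NODES=${NODES:-10.179.143.114}   # every node that runs a kubelet, not only the master

# install_registry_ca REGISTRY CERTFILE [ROOT]
# Copies CERTFILE to ROOT/etc/docker/certs.d/REGISTRY/ca.crt and prints that
# path. ROOT defaults to "" (the real filesystem); a test passes a scratch dir.
# Returns 2 if the file carries private-key material, 3 if it is not a PEM cert.
install_registry_ca() {
    registry=$1
    certfile=$2
    root=${3:-}
    if grep -q 'PRIVATE KEY' "$certfile"; then
        echo "refusing $certfile: contains a private key, copy only the .crt" >&2
        return 2
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$certfile"; then
        echo "refusing $certfile: not a PEM certificate" >&2
        return 3
    fi
    dir="$root/etc/docker/certs.d/$registry"
    mkdir -p "$dir"
    cp "$certfile" "$dir/ca.crt"
    chmod 0644 "$dir/ca.crt"
    echo "$dir/ca.crt"
}

# verify_registry_tls REGISTRY CERTFILE
# Validates the registry's TLS chain against CERTFILE alone (no system store),
# which is what the daemon will do. The /v2/ ping answers 200 on an open
# registry or 401 when auth is required; anything else, or a TLS failure, fails.
verify_registry_tls() {
    code=$(curl -sS --cacert "$2" -o /dev/null -w '%{http_code}' "https://$1/v2/") || return 1
    case "$code" in
        200|401) return 0 ;;
        *) echo "unexpected status $code from https://$1/v2/" >&2; return 1 ;;
    esac
}

# distribute_registry_ca
# Copies the certificate to every node and installs it there by streaming this
# same script over ssh (`sh -s` reads the script from stdin). Assumes root ssh.
distribute_registry_ca() {
    for node in $NODES; do
        scp "$CERT" "root@$node:/tmp/registry-ca.crt"
        ssh "root@$node" "sh -s install '$REGISTRY' /tmp/registry-ca.crt && rm -f /tmp/registry-ca.crt" < "$0"
    done
}

# Sub-commands; with no argument the script only defines the functions.
case "${1:-}" in
    install)    install_registry_ca "$2" "$3" ;;
    verify)     verify_registry_tls "$REGISTRY" "$CERT" ;;
    distribute) distribute_registry_ca ;;
esac
```

Run "sh trust-registry.sh verify" from any node first: if curl cannot validate the chain with selfsigned.crt alone, the daemon will not either, and the fix belongs in the certificate (wrong CN or SAN for 10.179.143.115) rather than in trust distribution. Clusters whose kubelet talks to containerd instead of the docker daemon keep per-registry trust in containerd's own certs.d/hosts.toml configuration, so the target path would need adapting there.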