Cannot access the OpenShift 4.2 built-in docker registry from outside the cluster


I have a kubeadmin account on OpenShift 4.2 and can log in successfully with

oc login -u kubeadmin

As described in the linked documentation, I have exposed the built-in docker registry via DefaultRoute.

My docker client runs on macOS and is configured to trust the registry's default self-signed certificate:

openssl s_client -showcerts -connect $(oc registry info) </dev/null 2>/dev/null|openssl x509 -outform PEM > tls.pem
security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain tls.pem
The registry log reports the following errors:

error authorizing context: authorization header required
invalid token: Unauthorized
More specifically:

oc logs -f -n openshift-image-registry deployments/image-registry
time="2019-11-29T18:03:25.581914855Z" level=warning msg="error authorizing context: authorization header required" go.version=go1.11.13 http.request.host=my-openshift-registry.com http.request.id=aa41909a-4aa0-42a5-9568-91aa77c7f7ab http.request.method=GET http.request.remoteaddr=10.16.7.10 http.request.uri=/v2/ http.request.useragent="docker/19.03.5 go/go1.12.12 git-commit/633a0ea kernel/4.9.184-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.5 \\(darwin\\))"
time="2019-11-29T18:03:25.581958296Z" level=info msg=response go.version=go1.11.13 http.request.host=my-openshift-registry.com http.request.id=d2216e3a-0e12-4e77-b3cb-fd47b6f9a804 http.request.method=GET http.request.remoteaddr=10.16.7.10 http.request.uri=/v2/ http.request.useragent="docker/19.03.5 go/go1.12.12 git-commit/633a0ea kernel/4.9.184-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.5 \\(darwin\\))" http.response.contenttype="application/json; charset=utf-8" http.response.duration="923.654µs" http.response.status=401 http.response.written=87
time="2019-11-29T18:03:26.187770058Z" level=error msg="invalid token: Unauthorized" go.version=go1.11.13 http.request.host=my-openshift-registry.com http.request.id=638fc003-1d4a-433c-950e-f9eb9d5328c4 http.request.method=GET http.request.remoteaddr=10.16.7.10 http.request.uri="/openshift/token?account=kube%3Aadmin&client_id=docker&offline_token=true" http.request.useragent="docker/19.03.5 go/go1.12.12 git-commit/633a0ea kernel/4.9.184-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.5 \\(darwin\\))"
time="2019-11-29T18:03:26.187818779Z" level=info msg=response go.version=go1.11.13 http.request.host=my-openshift-registry.com http.request.id=5486d94a-f756-401b-859d-0676e2a28465 http.request.method=GET http.request.remoteaddr=10.16.7.10 http.request.uri="/openshift/token?account=kube%3Aadmin&client_id=docker&offline_token=true" http.request.useragent="docker/19.03.5 go/go1.12.12 git-commit/633a0ea kernel/4.9.184-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.5 \\(darwin\\))" http.response.contenttype=application/json http.response.duration=6.97799ms http.response.status=401 http.response.written=0
My oc client is:

oc version
Client Version: version.Info{Major:"4", Minor:"1+", GitVersion:"v4.1.0+b4261e0", GitCommit:"b4261e07ed", GitTreeState:"clean", BuildDate:"2019-07-06T03:16:01Z", GoVersion:"go1.12.6", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"14+", GitVersion:"v1.14.6+2e5ed54", GitCommit:"2e5ed54", GitTreeState:"clean", BuildDate:"2019-10-10T22:04:13Z", GoVersion:"go1.12.8", Compiler:"gc", Platform:"linux/amd64"}
My docker info is:

docker info
Client:
Debug Mode: false

Server:
Containers: 7
Running: 0
Paused: 0
Stopped: 7
Images: 179
Server Version: 19.03.5
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339
runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 4.9.184-linuxkit
Operating System: Docker Desktop
OSType: linux
Architecture: x86_64
CPUs: 6
Total Memory: 5.818GiB
Name: docker-desktop
ID: JRNE:4IBW:MUMK:CGKT:SMWT:27MW:D6OO:YFE5:3KVX:AEWI:QC7M:IBN4
Docker Root Dir: /var/lib/docker
Debug Mode: true
File Descriptors: 29
Goroutines: 44
System Time: 2019-11-29T21:12:21.3565037Z
EventsListeners: 2
HTTP Proxy: gateway.docker.internal:3128
HTTPS Proxy: gateway.docker.internal:3129
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine
I have tried adding the registry-viewer role to kubeadmin, but this made no difference:

oc policy add-role-to-user registry-viewer kubeadmin
oc policy add-role-to-user registry-viewer kube:admin

Are there any suggestions on what I can try, or how to diagnose the problem further? I can access the registry from inside the cluster, but I need to access it from outside via docker login.

The command to add the registry-viewer role is

oc adm policy add-cluster-role-to-user registry-viewer kubeadmin

You can refer to their code for using the internal registry.

Silly as it sounds, the problem was that $(oc whoami) evaluates to kube:admin rather than kubeadmin, and only the latter works. For example, to log in successfully I had to replace

docker login $(oc registry info) -u $(oc whoami) -p $(oc whoami -t)

with

docker login $(oc registry info) -u kubeadmin -p $(oc whoami -t)

The relevant role is registry-viewer; however, I think the user kubeadmin comes pre-configured with it:

oc policy add-role-to-user registry-viewer kubeadmin
oc adm policy add-cluster-role-to-user registry-viewer kubeadmin

The link you provided is for OKD (OpenShift Origin), whereas I am using commercial OpenShift 4.2. The commands seem to have changed; I tried the following with the same result:

oc policy add-role-to-user registry-viewer kube:admin
oc policy add-role-to-user registry-editor kube:admin
oc policy add-role-to-user registry-viewer kubeadmin
oc policy add-role-to-user registry-editor kubeadmin

From the documentation it is:

Can you check which oc client version you are using?

oc version
Client Version: version.Info{Major:"4", Minor:"1+", GitVersion:"v4.1.0+b4261e0", GitCommit:"b4261e07ed", GitTreeState:"clean", BuildDate:"2019-07-06T03:16:01Z", GoVersion:"go1.12.6", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"14+", GitVersion:"v1.14.6+2e5ed54", GitCommit:"2e5ed54", GitTreeState:"clean", BuildDate:"2019-10-10T22:04:13Z", GoVersion:"go1.12.8", Compiler:"gc", Platform:"linux/amd64"}
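A small diagnostic script, added here as an example and not part of the original question or answers, that encodes the finding above: it maps the kube:admin identity reported by oc whoami to the kubeadmin login name the registry accepts, and scans registry log lines in the format shown in the question for 401 responses on /openshift/token to report which account docker presented. The function names are my own and the sample log line is constructed, not taken from a real cluster.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes only POSIX sh features.
set -eu

# `oc whoami` prints kube:admin for the kubeadmin user, but the registry's
# token endpoint only accepts kubeadmin (the finding in the accepted answer).
registry_login_user() {
  case "$1" in
    kube:admin) printf 'kubeadmin\n' ;;
    *)          printf '%s\n' "$1" ;;
  esac
}

# Decodes the %3A escape docker uses for ':' in the account= query value.
url_decode_colon() {
  printf '%s\n' "$1" | sed 's/%3[Aa]/:/g'
}

# Reads registry log lines on stdin; for each 401 on /openshift/token it prints
# the account docker sent and whether it is the kube:admin alias.
diagnose_token_401() {
  while IFS= read -r line; do
    case "$line" in
      *'/openshift/token?account='*'http.response.status=401'*) ;;
      *) continue ;;
    esac
    acct=${line#*account=}        # drop everything before the account value
    acct=${acct%%&*}              # cut at the next query parameter
    acct=${acct%%\"*}             # or at the closing quote of the uri field
    acct=$(url_decode_colon "$acct")
    if [ "$acct" = "kube:admin" ]; then
      printf 'token 401 for account %s: log in as %s instead\n' \
        "$acct" "$(registry_login_user "$acct")"
    else
      printf 'token 401 for account %s: check role bindings and token\n' "$acct"
    fi
  done
}

# Constructed sample line mirroring the question's log format (not real data).
SAMPLE='time="2019-11-29T18:03:26Z" level=info msg=response http.request.method=GET http.request.uri="/openshift/token?account=kube%3Aadmin&client_id=docker&offline_token=true" http.response.status=401'

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE" | diagnose_token_401
  # With oc and docker available, the corrected login from the answer becomes:
  #   docker login "$(oc registry info)" -u "$(registry_login_user "$(oc whoami)")" -p "$(oc whoami -t)"
fi
```

Run it with --demo to see the diagnosis for the sample line, or pipe real output of oc logs -n openshift-image-registry deployments/image-registry into diagnose_token_401.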