Kubernetes: Pulling Images from a Private Harbor Registry


1. Introduction

By default, k8s can only pull public images from a Harbor registry. Pulling an image from a private project fails with the ErrImagePull and ImagePullBackOff errors:

Events:
  Type     Reason     Age   From               Message
  ----     ------     ----  ----               -------
  Normal   Scheduled  13s   default-scheduler  Successfully assigned learn/web-7c9c86c7d-hkh79 to k8s-master1
  Normal   Pulling    12s   kubelet            Pulling image "192.168.18.100:80/lnmp/nginx:v2"
  Warning  Failed     12s   kubelet            Failed to pull image "192.168.18.100:80/lnmp/nginx:v2": rpc error: code = Unknown desc = Error response from daemon: pull access denied for 192.168.18.100:80/lnmp/nginx, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
  Warning  Failed     12s   kubelet            Error: ErrImagePull
  Normal   BackOff    11s   kubelet            Back-off pulling image "192.168.18.100:80/lnmp/nginx:v2"
  Warning  Failed     11s   kubelet            Error: ImagePullBackOff

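Solutions:

  1. Set the image's project to public in Harbor. Anyone who can reach the registry can then pull its images without authenticating.
  2. Create a login credential secret and supply it when pulling the image.

2. Pulling private Harbor images in k8s with a secret

2.1 Log in with Docker

On the server, you must authenticate to the image registry before you can pull private images, that is, log in to the Harbor registry: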

[root@k8s-master ~]# docker login 192.168.18.100:80
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

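I have already logged in here, so this updates the config.json file that holds the authorization token; this is the credentials file for logging in to Harbor. The prompt shows that it is at /root/.docker/config.json. The auth value in it is the base64 encoding of username:password, which is what the "stored unencrypted" warning above refers to. The file's contents are as follows: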

[root@k8s-master ~]# cat /root/.docker/config.json 
{
	"auths": {
		"192.168.18.100:80": {
			"auth": "YWRtaW46SGFyYm9yMTIzNDU="
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/19.03.9 (linux)"
	}
}

2.2 Base64-encode the credentials file

[root@k8s-master ~]# cat ~/.docker/config.json |base64 -w 0
ewoJImF1dGhzIjogewoJCSIxOTIuMTY4LjE4LjEwMDo4MCI6IHsKCQkJImF1dGgiOiAiWVdSdGFXNDZTR0Z5WW05eU1USXpORFU9IgoJCX0KCX0sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xOS4wMy45IChsaW51eCkiCgl9Cn0=

2.3 Create the k8s secret

Create the file docker-secret.yaml:

apiVersion: v1
kind: Secret
metadata:
  name: docker-login
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ewoJImF1dGhzIjogewoJCSIxOTIuMTY4LjE4LjEwMDo4MCI6IHsKCQkJImF1dGgiOiAiWVdSdGFXNDZTR0Z5WW05eU1USXpORFU9IgoJCX0KCX0sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xOS4wMy45IChsaW51eCkiCgl9Cn0=

Create the secret:

[root@k8s-master ~]# kubectl create -f docker-secret.yaml

View the secret:

[root@k8s-master ~]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-dbmds   kubernetes.io/service-account-token   3      28d
docker-login          kubernetes.io/dockerconfigjson        1      5h53m

2.4 Create an application that pulls an image from the private Harbor registry

The file nginx.yaml contains the following:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: web02
  labels:
    app: web02
  namespace: learn
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web02
  template:
    metadata:
      labels:
        app: web02
    spec:
      containers:
      - image: 192.168.18.100:80/lnmp/nginx:v2
        imagePullPolicy: IfNotPresent
        name: nginx
      imagePullSecrets:
      - name: docker-login
      dnsPolicy: ClusterFirst
      restartPolicy: Always

The image is pulled successfully and the Pod is running normally:

[root@k8s-master ~]# kubectl -n learn get pods
NAME                     READY   STATUS    RESTARTS   AGE
web02-76969fc49b-j6fb4   1/1     Running   0          41s
[root@k8s-master ~]# kubectl -n learn get deployment 
NAME    READY   UP-TO-DATE   AVAILABLE   AGE
web02   1/1     1            1           49s

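In the YAML file above, the field that carries the secret for the image pull is imagePullSecrets, and its value is the name of the secret created above. A Pod can only reference an image pull secret in its own namespace, so the secret must exist in the learn namespace used by this Deployment.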
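
An added example, not part of the original article: a Python check that a .dockerconfigjson value covers the registry of the image a Pod references and that its auth field decodes to username:password, which also shows that base64 is reversible encoding, so read access to the Secret is access to the password. The function names and the demo-user/demo-pass credentials are constructed for illustration, and registry matching is simplified to an exact host:port comparison.

```python
import base64
import json

def build_dockerconfigjson(registry, username, password):
    """Base64 value for the Secret's .dockerconfigjson field (auths only)."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {registry: {"auth": auth}}}
    return base64.b64encode(json.dumps(config).encode()).decode()

def registry_of(image):
    """Registry host[:port] of an image reference. Docker treats the first
    path component as a registry only if it contains '.' or ':' or is
    'localhost'; anything else is pulled from Docker Hub."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def check_pull_secret(secret_b64, image):
    """List the reasons this secret cannot authenticate a pull of `image`.
    Simplification (assumption of this example): keys must equal host[:port]
    exactly and carry an `auth` field, as in the config.json shown above."""
    try:
        config = json.loads(base64.b64decode(secret_b64, validate=True))
    except ValueError as exc:  # invalid base64 or invalid JSON
        return [f".dockerconfigjson is not base64-encoded JSON: {exc}"]
    auths = config.get("auths") if isinstance(config, dict) else None
    if not isinstance(auths, dict):
        return ["missing 'auths' object"]
    registry = registry_of(image)
    entry = auths.get(registry)
    if not isinstance(entry, dict):
        return [f"no entry for {registry}; secret covers {sorted(auths)}"]
    try:
        raw = base64.b64decode(str(entry.get("auth", "")), validate=True)
        user, sep, password = raw.decode().partition(":")
    except ValueError:
        return ["'auth' is not valid base64 text"]
    if not (sep and user and password):
        return ["'auth' must decode to username:password"]
    return []

if __name__ == "__main__":
    # Constructed credentials; the registry address is the one used above.
    value = build_dockerconfigjson("192.168.18.100:80", "demo-user", "demo-pass")
    print(check_pull_secret(value, "192.168.18.100:80/lnmp/nginx:v2"))  # usable
    print(check_pull_secret(value, "lnmp/nginx:v2"))  # wrong registry
```

An image reference without the registry prefix resolves to Docker Hub, so a secret keyed on 192.168.18.100:80 is never offered for it and the pull fails with the same ImagePullBackOff shown in the introduction.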

