k8s Harbor

How k8s pulls images from Harbor, and how to authenticate and connect to a Harbor that uses https

Create the secret configuration

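On a machine that has already logged in to Harbor (docker login), run the following command to get a base64-encoded string (-w 0 keeps the output on a single line)

base64 -w 0 /root/.docker/config.json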

Create a configuration file, for example harbor-secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: <secret-name>   # the name you choose for the secret
data:
  .dockerconfigjson: <base64 string obtained above, with no line breaks>
type: kubernetes.io/dockerconfigjson

Apply the configuration

kubectl apply -f harbor-secret.yaml
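
An added example (not part of the original post): /root/.docker/config.json holds an entry for every registry that machine has logged in to, so encoding the whole file puts all of those credentials into the secret. This Python script keeps only the Harbor entry and emits the Secret manifest on a single base64 line. The function name build_pull_secret, the secret name harbor-secret and the sample credentials are constructed for illustration.

```python
import base64
import json


def build_pull_secret(docker_config: dict, registry: str, name: str) -> dict:
    """Return a kubernetes.io/dockerconfigjson Secret holding only `registry`."""
    entry = docker_config.get("auths", {}).get(registry)
    if entry is None:
        raise KeyError(f"no login for {registry} in config.json")
    # With a credential helper (credsStore/credHelpers) docker leaves the
    # entry empty; encoding such a file gives a secret without credentials.
    has_auth = bool(entry.get("auth"))
    has_user_pass = bool(entry.get("username") and entry.get("password"))
    if not (has_auth or has_user_pass):
        raise ValueError(f"entry for {registry} has no inline credentials")
    # Keep only the one registry, serialised compactly.
    minimal = json.dumps({"auths": {registry: entry}}, separators=(",", ":"))
    # b64encode never inserts line breaks, unlike `base64` without -w 0.
    encoded = base64.b64encode(minimal.encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": encoded},
    }


# Constructed sample standing in for /root/.docker/config.json
SAMPLE_CONFIG = {
    "auths": {
        "192.168.5.3": {"auth": base64.b64encode(b"demo-user:demo-pass").decode()},
        "registry.example.com": {"auth": base64.b64encode(b"other:secret").decode()},
    }
}

if __name__ == "__main__":
    # kubectl accepts JSON manifests, so this can be piped to `kubectl apply -f -`
    secret = build_pull_secret(SAMPLE_CONFIG, "192.168.5.3", "harbor-secret")
    print(json.dumps(secret, indent=2))
```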

Use the secret

Set the secret name under imagePullSecrets.name

apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: redis-server
  template:
    metadata:
      labels:
        app: redis-server
    spec:
      containers:
      - name: redis-server
        image: 192.168.5.3/public/redis:latest
        ports:
        - containerPort: 6379
      imagePullSecrets:
      - name: <secret-name>   # the secret created above

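Notes on Harbor with https

If Harbor uses https, every k8s node must trust its certificate

There are two ways to solve this

  • Manually edit the docker configuration file to add the "insecure-registries": ["192.168.5.3"] parameter, then manually run docker login to log in to Harbor; this has to be done on every node (docker then skips certificate verification for this registry)

  • Trust Harbor's certificate authority (CA) by importing the ca.pem certificate into the system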

Importing the CA certificate on CentOS 7

Change the CA certificate file path below to the location of your own certificate

cp /etc/docker/certs.d/192.168.5.3/ca.pem /etc/pki/ca-trust/source/anchors/ &&\
ln -s /etc/pki/ca-trust/source/anchors/ca.pem /etc/ssl/certs/self.ca.pem &&\
update-ca-trust && systemctl restart docker

x509 error reported when k8s pulls the image

[root@k8s-master-1 anchors]# kubectl describe pod redis-deployment-56bc5b5d87-lzxlt 
Name: redis-deployment-56bc5b5d87-lzxlt
.............
...........
........
......
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 13m default-scheduler Successfully assigned default/redis-deployment-56bc5b5d87-lzxlt to k8s-master-2
Normal Pulling 12m (x4 over 13m) kubelet Pulling image "192.168.5.3/public/redis:latest"
Warning Failed 12m (x4 over 13m) kubelet Failed to pull image "192.168.5.3/public/redis:latest": rpc error: code = Unknown desc = Error response from daemon: Get "https://192.168.5.3/v2/": x509: certificate signed by unknown authority
Warning Failed 12m (x4 over 13m) kubelet Error: ErrImagePull
Warning Failed 12m (x6 over 13m) kubelet Error: ImagePullBackOff
Normal BackOff 3m47s (x42 over 13m) kubelet Back-off pulling image "192.168.5.3/public/redis:latest"