k8s Harbor
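How k8s pulls images from Harbor, and how to authenticate and connect to a Harbor that uses https
Create the secret
On a machine that has already logged in to Harbor (docker login), run the following command to obtain a base64-encoded string (-w 0 keeps the output on a single line)
cat /root/.docker/config.json | base64 -w 0
Create a manifest file, for example: harbor-secret.yaml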
apiVersion: v1
kind: Secret
metadata:
  name: <secret name>
data:
  .dockerconfigjson: <base64-encoded string obtained above, on one line with no line breaks>
type: kubernetes.io/dockerconfigjson
Apply the manifest
kubectl apply -f harbor-secret.yaml
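An added example, not part of the original page: /root/.docker/config.json can hold logins for other registries, or no usable credential at all when Docker stores passwords in a credential helper. This Python sketch builds the Secret with only the Harbor entry; the function name, the secret name harbor-secret, the sample config and registry.example.com are constructed for illustration.

```python
import base64
import json

# Constructed sample of /root/.docker/config.json (credentials are fake).
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "192.168.5.3": {"auth": base64.b64encode(b"admin:example-pass").decode()},
        "registry.example.com": {"auth": base64.b64encode(b"other:secret").decode()},
    }
})

def build_pull_secret(config_text, registry, name, namespace="default"):
    """Return a kubernetes.io/dockerconfigjson Secret (dict) that carries
    only the credentials for `registry` (hypothetical helper)."""
    entry = json.loads(config_text).get("auths", {}).get(registry)
    if entry is None:
        raise ValueError(f"config.json has no login for {registry}")
    if "auth" not in entry:
        # With credsStore/credHelpers, docker login keeps the password in a
        # helper and config.json holds an empty entry: useless to kubelet.
        raise ValueError(f"no inline credential for {registry} (credential helper in use?)")
    user, sep, password = base64.b64decode(entry["auth"]).decode().partition(":")
    if not (user and sep and password):
        raise ValueError("auth field is not base64 of user:password")
    minimal = json.dumps({"auths": {registry: {"auth": entry["auth"]}}})
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        # b64encode never inserts line breaks, unlike the base64 CLI default.
        "data": {".dockerconfigjson": base64.b64encode(minimal.encode()).decode()},
    }

if __name__ == "__main__":
    # JSON is a valid manifest format: pipe this output to `kubectl apply -f -`.
    print(json.dumps(build_pull_secret(SAMPLE_CONFIG, "192.168.5.3", "harbor-secret"), indent=2))
```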
Use the secret
Set the secret name under imagePullSecrets.name
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: redis-server
  template:
    metadata:
      labels:
        app: redis-server
    spec:
      containers:
      - name: redis-server
        image: 192.168.5.3/public/redis:latest
        ports:
        - containerPort: 6379
      imagePullSecrets:
      - name: <secret name>
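Notes on Harbor with https
If Harbor uses https, every k8s node must trust it
There are two ways to solve this
1. Manually edit the Docker configuration file to add the "insecure-registries": ["192.168.5.3"] parameter (Docker then skips certificate verification for this registry), then manually run the docker login command to log in to Harbor. This must be done on every node.
2. Trust Harbor's certificate authority (CA) by importing the ca.pem certificate into the system.
Importing the CA certificate on CentOS 7
Change the CA certificate file path below to the location of your own certificate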
cp /etc/docker/certs.d/192.168.5.3/ca.pem /etc/pki/ca-trust/source/anchors/ &&\
ln -s /etc/pki/ca-trust/source/anchors/ca.pem /etc/ssl/certs/self.ca.pem &&\
update-ca-trust && systemctl restart docker
x509 error reported when k8s pulls the image
[root@k8s-master-1 anchors]# kubectl describe pod redis-deployment-56bc5b5d87-lzxlt
Name: redis-deployment-56bc5b5d87-lzxlt
.............
...........
........
......
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 13m default-scheduler Successfully assigned default/redis-deployment-56bc5b5d87-lzxlt to k8s-master-2
Normal Pulling 12m (x4 over 13m) kubelet Pulling image "192.168.5.3/public/redis:latest"
Warning Failed 12m (x4 over 13m) kubelet Failed to pull image "192.168.5.3/public/redis:latest": rpc error: code = Unknown desc = Error response from daemon: Get "https://192.168.5.3/v2/": x509: certificate signed by unknown authority
Warning Failed 12m (x4 over 13m) kubelet Error: ErrImagePull
Warning Failed 12m (x6 over 13m) kubelet Error: ImagePullBackOff
Normal BackOff 3m47s (x42 over 13m) kubelet Back-off pulling image "192.168.5.3/public/redis:latest"