Using a private Docker registry with Kubernetes and fixing the SSL certificate problem

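Using a private registry with Kubernetes is not hard.

You only need to follow the setup in the official tutorial.

But when I used minikube, I could never pull the image successfully.

My pod YAML: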

apiVersion: v1
kind: Pod
metadata:
  name: my-first-pod
  labels:
    app: nginx-server
spec:
  containers:
    - name: pod-demo-nginx
      image: xxx.xxx.xxx.xxx/k8s-demo/nginx-demo:v1
      ports:
        - containerPort: 80
  imagePullSecrets:
    - name: myprivatesecret

Create the pod:

 $ kubectl create -f first-pod.yml                                 
pod "my-first-pod" created

 $ kubectl get pod                                                 
NAME           READY     STATUS         RESTARTS   AGE
my-first-pod   0/1       ErrImagePull   0          0s

The status stayed at an image pull error.

Look at the details:

 $ kubectl describe pod my-first-pod
Name:         my-first-pod
Namespace:    default
Node:         minikube/192.168.99.100
Start Time:   Sat, 20 Jan 2018 12:50:43 +0800
Labels:       app=nginx-server
Annotations:  <none>
Status:       Pending
IP:           172.17.0.3
Containers:
  pod-demo-nginx:
    Container ID:
    Image:          xxx.xxx.xxx.xxx/k8s-demo/nginx-demo:v1
    Image ID:
    Port:           80/TCP
    State:          Waiting
      Reason:       ImagePullBackOff
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-mrl4l (ro)
Conditions:
  Type           Status
  Initialized    True
  Ready          False
  PodScheduled   True
Volumes:
  default-token-mrl4l:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-mrl4l
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     <none>
Events:
  Type     Reason                 Age               From               Message
  ----     ------                 ----              ----               -------
  Normal   Scheduled              1m                default-scheduler  Successfully assigned my-first-pod to minikube
  Normal   SuccessfulMountVolume  1m                kubelet, minikube  MountVolume.SetUp succeeded for volume "default-token-mrl4l"
  Normal   BackOff                19s (x5 over 1m)  kubelet, minikube  Back-off pulling image "xxx.xxx.xxx.xxx/k8s-demo/nginx-demo:v1"
  Normal   Pulling                6s (x4 over 1m)   kubelet, minikube  pulling image "xxx.xxx.xxx.xxx/k8s-demo/nginx-demo:v1"
  Warning  Failed                 6s (x4 over 1m)   kubelet, minikube  Failed to pull image "xxx.xxx.xxx.xxx/k8s-demo/nginx-demo:v1": rpc error: code = Unknown desc = Error response from daemon: Get https://xxx.xxx.xxx.xxx/v2/: x509: cannot validate certificate for xxx.xxx.xxx.xxx because it doesn't contain any IP SANs
  Warning  FailedSync             6s (x9 over 1m)   kubelet, minikube  Error syncing pod

Only then did I notice the key error message:

Failed to pull image "xxx.xxx.xxx.xxx/k8s-demo/nginx-demo:v1": rpc error: code = Unknown desc = Error response from daemon: Get https://xxx.xxx.xxx.xxx/v2/: x509: cannot validate certificate for xxx.xxx.xxx.xxx because it doesn't contain any IP SANs

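So certificate validation had failed.

But I had added the insecure registry setting on my local machine,

so I had always been able to pull the image normally.

After thinking about it:

Kubernetes is driving minikube,

so the image is pulled inside minikube,

and minikube had no insecure registry setting!

I looked for a way to fix it.

The parameter has to be passed at startup.

If minikube has already been started, the parameter is ignored,

and restarting does not help either.

So the existing minikube has to be deleted first

and a new one created.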

 $ minikube delete                                                 
Deleting local Kubernetes cluster...
Machine deleted.

Start it again, adding the insecure parameter:

 $ minikube start --insecure-registry="xxx.xxx.xxx.xxx"             
Starting local Kubernetes v1.8.0 cluster...
Starting VM...
Getting VM IP address...
Moving files into cluster...
Setting up certs...
Connecting to cluster...
Setting up kubeconfig...
Starting cluster components...
Kubectl is now configured to use the cluster.
Loading cached images from config file.

Recreate the pod:

 $ kubectl create -f first-pod.yml                                 
pod "my-first-pod" created
 $ kubectl get pod my-first-pod
NAME           READY     STATUS    RESTARTS   AGE
my-first-pod   1/1       Running   0          11s

It ran successfully!
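
Added example, not part of the original post: the "doesn't contain any IP SANs" message is the name check in Go's crypto/x509, which matches an IP address only against IP entries in the certificate's SAN list. The program below builds constructed self-signed certificates in memory and runs that check with and without an IP SAN; the name registry.example.test and the address 192.0.2.10 are placeholders, not values from the post.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds an in-memory certificate; ipSAN is added only when non-empty.
func selfSigned(dnsName, ipSAN string) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ipSAN != "" {
		tmpl.IPAddresses = []net.IP{net.ParseIP(ipSAN)}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckRegistryHost applies the TLS client name check to the host part of an image reference.
func CheckRegistryHost(dnsName, ipSAN, dialedHost string) error {
	cert, err := selfSigned(dnsName, ipSAN)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(dialedHost)
}

func main() {
	// 192.0.2.10 is a constructed documentation address standing in for the registry IP.
	fmt.Println("DNS SAN only:", CheckRegistryHost("registry.example.test", "", "192.0.2.10"))
	fmt.Println("with IP SAN :", CheckRegistryHost("registry.example.test", "192.0.2.10", "192.0.2.10"))
}
```

Starting minikube with --insecure-registry skips this check for the listed registry, while a registry certificate that lists the IP in its SANs (or an image reference that uses a DNS name present in the certificate) satisfies it.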
