K8S 拉取私有仓库镜像
在使用Kubernetes(k8s)从私有仓库拉取镜像时,会出现无法拉去镜像的情况,私有仓库需要认证才能访问,如果Kubernetes无法通过认证,就会导致拉取失败,这时我们就需要手动创建私有仓库的登录信息。
省流版
# 创建 secret
# 【harbor-docker】 自定义名称
# 【--namespace】 和应用在同一个命名空间下
# 【--docker-server】 仓库的地址
# 【--docker-username】 仓库的用户名
# 【--docker-password】 仓库的密码
[root@k8s-master01 ~]# kubectl create secret docker-registry harbor-docker --namespace=default --docker-server=z.oiox.cn:18082 --docker-username=admin --docker-password=123123
secret/harbor-docker created
[root@k8s-master01 ~]#
# 增加 imagePullSecrets 配置项
----略
spec:
containers:
- image: z.oiox.cn:18082/cby/cby:v1
imagePullPolicy: IfNotPresent
imagePullSecrets:
- name: harbor-docker
----略
完整测试详细的过程
构建私有仓库镜像
# 编写 Dockerfile
cat > Dockerfile <<EOF
FROM nginx
RUN echo '这是一个私有仓库的镜像' > /usr/share/nginx/html/index.html
EOF
# 构建镜像
docker build -t z.oiox.cn:18082/cby/cby:v1 .
# 登录镜像仓库
docker login z.oiox.cn:18082
# 推送镜像到私有仓库
docker push z.oiox.cn:18082/cby/cby:v1
使用docker测试
# 未登录进行拉去镜像
[root@ik-cby ~]# docker pull z.oiox.cn:18082/cby/cby:v1
Error response from daemon: unauthorized: unauthorized to access repository: cby/cby, action: pull: unauthorized to access repository: cby/cby, action: pull
[root@ik-cby ~]#
# 登录镜像仓库
[root@ik-cby ~]# docker login z.oiox.cn:18082
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores
Login Succeeded
[root@ik-cby ~]#
# 登录之后进行拉去测试
[root@ik-cby ~]# docker pull z.oiox.cn:18082/cby/cby:v1
v1: Pulling from cby/cby
2d429b9e73a6: Pull complete
20c8b3871098: Pull complete
06da587a7970: Pull complete
f7895e95e2d4: Pull complete
7b25f3e99685: Pull complete
dffc1412b7c8: Pull complete
d550bb6d1800: Pull complete
dad691375a56: Pull complete
Digest: sha256:0deca38aaf759b58687737a2aa65840958af31d3ec8b41b68225ac2e91852876
Status: Downloaded newer image for z.oiox.cn:18082/cby/cby:v1
z.oiox.cn:18082/cby/cby:v1
[root@ik-cby ~]#
# 删除本地镜像
[root@ik-cby ~]# docker rmi z.oiox.cn:18082/cby/cby:v1
Untagged: z.oiox.cn:18082/cby/cby:v1
Untagged: z.oiox.cn:18082/cby/cby@sha256:0deca38aaf759b58687737a2aa65840958af31d3ec8b41b68225ac2e91852876
Deleted: sha256:8a398a3beb2e124c2e101af093691210c346d3d574e00195da5cefcb2ca3822b
Deleted: sha256:bd8801f29c0017595dae888d0bf92d8a9e828ae9a0fe7be8c4f46a383a65b982
Deleted: sha256:05f1422637e6596cdaff4a3ea77eea2d06652e9a36a6e85e4c88f4a6783db6cd
Deleted: sha256:aefc0beb891c07f82a5bec1301e3a1bfe8e08f27118313d167a606c2d768285b
Deleted: sha256:8006a840595ef554203de033c3b0291cfcc5ee9f194e8cc52b659f1b564d8efa
Deleted: sha256:15338037da38cef194cbdc29a4a6257ff2d41bd868891edee66714f828f48bd3
Deleted: sha256:13271298fdeb33a352a69704aa4b798b06501d6dd0e5ad4529075b4edbdb7e8f
Deleted: sha256:20e7b0616008dbafb4b049243f1c514a4df65536b02c19fbbb75a5c9f70784e4
Deleted: sha256:c3548211b8264f8bfa47a6727043a64f1791b82ac965a284a7ea187e971a95e2
[root@ik-cby ~]#
# 退出镜像仓库
[root@ik-cby ~]# docker logout z.oiox.cn:18082
Removing login credentials for z.oiox.cn:18082
[root@ik-cby ~]#
# 退出之后进行拉去测试
[root@ik-cby ~]# docker pull z.oiox.cn:18082/cby/cby:v1
Error response from daemon: unauthorized: unauthorized to access repository: cby/cby, action: pull: unauthorized to access repository: cby/cby, action: pull
[root@ik-cby ~]#
使用kubernetes进行拉去私有镜像
# 编写基础的测试样例
cat > cby.yaml <<EOF
apiVersion: v1
kind: Service
metadata:
name: nginx
labels:
app: nginx
spec:
type: NodePort
selector:
app: nginx
ports:
- port: 80
targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: web
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: z.oiox.cn:18082/cby/cby:v1
ports:
- containerPort: 80
name: web
EOF
测试部署
# 执行部署应用
[root@k8s-master01 ~]# kubectl apply -f cby.yaml
service/nginx created
deployment.apps/web created
[root@k8s-master01 ~]#
# 查看pod已经报错拉去不到镜像
[root@k8s-master01 ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
busybox 1/1 Running 311 (21m ago) 13d
hello-server-588d6f5cd6-24ttg 1/1 Running 3 (9d ago) 63d
hello-server-588d6f5cd6-kxv45 1/1 Running 4 (9d ago) 63d
nginx-demo-cccbdc67f-6nkgd 1/1 Running 3 (9d ago) 63d
nginx-demo-cccbdc67f-h9p8d 1/1 Running 3 (9d ago) 63d
web-0 1/1 Running 1 (9d ago) 13d
web-1 1/1 Running 1 (9d ago) 13d
web-586946798b-n6dpg 0/1 ErrImagePull 0 7s
[root@k8s-master01 ~]#
# 查看svc信息
[root@k8s-master01 ~]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
hello-server ClusterIP 10.103.104.242 <none> 8000/TCP 63d
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 68d
nginx NodePort 10.111.106.93 <none> 80:30565/TCP 12s
nginx-demo ClusterIP 10.107.132.57 <none> 8000/TCP 63d
[root@k8s-master01 ~]#
[root@k8s-master01 ~]#
查看POD的详细信息
[root@k8s-master01 ~]# kubectl describe pod web-586946798b-n6dpg
Name: web-586946798b-n6dpg
Namespace: default
Priority: 0
Service Account: default
Node: k8s-node01/192.168.1.34
Start Time: Sat, 30 Nov 2024 12:26:52 +0800
Labels: app=nginx
pod-template-hash=586946798b
Annotations: <none>
Status: Pending
IP: 10.0.3.104
IPs:
IP: 10.0.3.104
Controlled By: ReplicaSet/web-586946798b
Containers:
nginx:
Container ID:
Image: z.oiox.cn:18082/cby/cby:v1
Image ID:
Port: 80/TCP
Host Port: 0/TCP
State: Waiting
Reason: ErrImagePull
Ready: False
Restart Count: 0
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-p7x5k (ro)
Conditions:
Type Status
PodReadyToStartContainers True
Initialized True
Ready False
ContainersReady False
PodScheduled True
Volumes:
kube-api-access-p7x5k:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
DownwardAPI: true
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 51s default-scheduler Successfully assigned default/web-586946798b-n6dpg to k8s-node01
Normal Pulling 12s (x3 over 50s) kubelet Pulling image "z.oiox.cn:18082/cby/cby:v1"
Warning Failed 12s (x3 over 50s) kubelet Failed to pull image "z.oiox.cn:18082/cby/cby:v1": Error response from daemon: unauthorized: unauthorized to access repository: cby/cby, action: pull: unauthorized to access repository: cby/cby, action: pull
Warning Failed 12s (x3 over 50s) kubelet Error: ErrImagePull
Normal BackOff 1s (x3 over 50s) kubelet Back-off pulling image "z.oiox.cn:18082/cby/cby:v1"
Warning Failed 1s (x3 over 50s) kubelet Error: ImagePullBackOff
[root@k8s-master01 ~]#
给集群配置密码信息
# 创建 secret
# 【harbor-docker】 自定义名称
# 【--namespace】 和应用在同一个命名空间下
# 【--docker-server】 仓库的地址
# 【--docker-username】 仓库的用户名
# 【--docker-password】 仓库的密码
[root@k8s-master01 ~]# kubectl create secret docker-registry harbor-docker --namespace=default --docker-server=z.oiox.cn:18082 --docker-username=admin --docker-password=123123
secret/harbor-docker created
[root@k8s-master01 ~]#
# 查看 secret 详细信息
[root@k8s-master01 ~]# kubectl get secret
NAME TYPE DATA AGE
harbor-docker kubernetes.io/dockerconfigjson 1 7s
[root@k8s-master01 ~]#
# 使用yaml的格式显示
[root@k8s-master01 ~]# kubectl describe secret harbor-docker
Name: harbor-docker
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/dockerconfigjson
Data
====
.dockerconfigjson: 102 bytes
[root@k8s-master01 ~]#
[root@k8s-master01 ~]# kubectl get secret harbor-docker -o yaml
apiVersion: v1
data:
.dockerconfigjson: eyJhdXRocyI6eyJ6Lm9pb3guY246MTgwODIiOnsidXNlcm5hbWUiOiJhZG1pbiIsInBhc3N3b3JkIjoiQ2J5MTIzLi4iLCJhdXRoIjoiWVdSdGFXNDZRMko1TVRJekxpND0ifX19
kind: Secret
metadata:
creationTimestamp: "2024-11-30T04:33:22Z"
name: harbor-docker
namespace: default
resourceVersion: "5235056"
uid: 03adf25f-3c1d-4942-bd1f-bb3c24b84608
type: kubernetes.io/dockerconfigjson
[root@k8s-master01 ~]#
更新服务yaml文件,添加引用创建的秘钥
# 查看依旧未成功拉去镜像
[root@k8s-master01 ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
busybox 1/1 Running 311 (32m ago) 13d
hello-server-588d6f5cd6-24ttg 1/1 Running 3 (9d ago) 63d
hello-server-588d6f5cd6-kxv45 1/1 Running 4 (9d ago) 63d
nginx-demo-cccbdc67f-6nkgd 1/1 Running 3 (9d ago) 63d
nginx-demo-cccbdc67f-h9p8d 1/1 Running 3 (9d ago) 63d
web-0 1/1 Running 1 (9d ago) 13d
web-1 1/1 Running 1 (9d ago) 13d
web-586946798b-n6dpg 0/1 ImagePullBackOff 0 10m
[root@k8s-master01 ~]#
# 增加 imagePullSecrets 配置项
----略
spec:
containers:
- image: z.oiox.cn:18082/cby/cby:v1
imagePullPolicy: IfNotPresent
imagePullSecrets:
- name: harbor-docker
----略
# 修改编辑 deployments
[root@k8s-master01 ~]# kubectl edit deployments.apps web
deployment.apps/web edited
[root@k8s-master01 ~]#
# 查看完整的配置
[root@k8s-master01 ~]# kubectl get deployments.apps web -o yaml
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
deployment.kubernetes.io/revision: "2"
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{},"name":"web","namespace":"default"},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"nginx"}},"template":{"metadata":{"labels":{"app":"nginx"}},"spec":{"containers":[{"image":"z.oiox.cn:18082/cby/cby:v1","name":"nginx","ports":[{"containerPort":80,"name":"web"}]}]}}}}
creationTimestamp: "2024-11-30T04:26:52Z"
generation: 2
name: web
namespace: default
resourceVersion: "5236110"
uid: c6225e80-5526-4dd9-8642-358bf186a79e
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: nginx
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
app: nginx
spec:
containers:
- image: z.oiox.cn:18082/cby/cby:v1
imagePullPolicy: IfNotPresent
name: nginx
ports:
- containerPort: 80
name: web
protocol: TCP
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
imagePullSecrets:
- name: harbor-docker
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
status:
availableReplicas: 1
conditions:
- lastTransitionTime: "2024-11-30T04:38:40Z"
lastUpdateTime: "2024-11-30T04:38:40Z"
message: Deployment has minimum availability.
reason: MinimumReplicasAvailable
status: "True"
type: Available
- lastTransitionTime: "2024-11-30T04:38:36Z"
lastUpdateTime: "2024-11-30T04:38:40Z"
message: ReplicaSet "web-5bcf459779" has successfully progressed.
reason: NewReplicaSetAvailable
status: "True"
type: Progressing
observedGeneration: 2
readyReplicas: 1
replicas: 1
updatedReplicas: 1
[root@k8s-master01 ~]#
查看是否已成功启动容器
[root@k8s-master01 ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
busybox 1/1 Running 311 (33m ago) 13d
hello-server-588d6f5cd6-24ttg 1/1 Running 3 (9d ago) 63d
hello-server-588d6f5cd6-kxv45 1/1 Running 4 (9d ago) 63d
nginx-demo-cccbdc67f-6nkgd 1/1 Running 3 (9d ago) 63d
nginx-demo-cccbdc67f-h9p8d 1/1 Running 3 (9d ago) 63d
web-0 1/1 Running 1 (9d ago) 13d
web-1 1/1 Running 1 (9d ago) 13d
web-5bcf459779-pdbgm 1/1 Running 0 16s
[root@k8s-master01 ~]#
查看详细信息
[root@k8s-master01 ~]# kubectl describe po web-5bcf459779-pdbgm
Name: web-5bcf459779-pdbgm
Namespace: default
Priority: 0
Service Account: default
Node: k8s-node02/192.168.1.35
Start Time: Sat, 30 Nov 2024 12:38:36 +0800
Labels: app=nginx
pod-template-hash=5bcf459779
Annotations: <none>
Status: Running
IP: 10.0.0.14
IPs:
IP: 10.0.0.14
Controlled By: ReplicaSet/web-5bcf459779
Containers:
nginx:
Container ID: docker://fc107b489899b85f388db93eb4003e887df0107f13937471364f442fcf8a35d9
Image: z.oiox.cn:18082/cby/cby:v1
Image ID: docker-pullable://z.oiox.cn:18082/cby/cby@sha256:0deca38aaf759b58687737a2aa65840958af31d3ec8b41b68225ac2e91852876
Port: 80/TCP
Host Port: 0/TCP
State: Running
Started: Sat, 30 Nov 2024 12:38:39 +0800
Ready: True
Restart Count: 0
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-46c5x (ro)
Conditions:
Type Status
PodReadyToStartContainers True
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
kube-api-access-46c5x:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
DownwardAPI: true
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 33s default-scheduler Successfully assigned default/web-5bcf459779-pdbgm to k8s-node02
Normal Pulling 32s kubelet Pulling image "z.oiox.cn:18082/cby/cby:v1"
Normal Pulled 31s kubelet Successfully pulled image "z.oiox.cn:18082/cby/cby:v1" in 1.538s (1.538s including waiting). Image size: 191717134 bytes.
Normal Created 30s kubelet Created container nginx
Normal Started 30s kubelet Started container nginx
[root@k8s-master01 ~]#
测试访问
[root@k8s-master01 ~]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
hello-server ClusterIP 10.103.104.242 <none> 8000/TCP 63d
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 68d
nginx NodePort 10.111.106.93 <none> 80:30565/TCP 17m
nginx-demo ClusterIP 10.107.132.57 <none> 8000/TCP 63d
[root@k8s-master01 ~]#
# 看到访问正常,已经可以访问刚才构建好的镜像
[root@k8s-master01 ~]# curl 10.111.106.93
这是一个私有仓库的镜像
[root@k8s-master01 ~]#
[root@k8s-master01 ~]#
[root@k8s-master01 ~]# curl 192.168.1.31:30565
这是一个私有仓库的镜像
[root@k8s-master01 ~]#
[root@k8s-master01 ~]#
关于
https://www.oiox.cn/index.php/start-page.html
CSDN、GitHub、51CTO、知乎、开源中国、思否、掘金、简书、华为云、阿里云、腾讯云、哔哩哔哩、今日头条、新浪微博、个人博客
全网可搜《小陈运维》
文章主要发布于微信公众号
