如何让我的Kubernetes复制控制器使用某个秘密来拉取图像?
我为我的复制控制器指定了一个特定的图像拉锁 ,但是在下载Docker镜像时似乎没有应用:
$ ~/.local/bin/kubectl --kubeconfig=/etc/kubernetes/kube.conf get events FIRSTSEEN LASTSEEN COUNT NAME KIND SUBOBJECT REASON SOURCE MESSAGE 8h 8s 3074 web-73na4 Pod spec.containers{web} Pulling {kubelet ip-172-31-29-110.eu-central-1.compute.internal} Pulling image "quay.io/aknuds1/realtime-music" 8h 5s 3074 web-73na4 Pod spec.containers{web} Failed {kubelet ip-172-31-29-110.eu-central-1.compute.internal} Failed to pull image "quay.io/aknuds1/realtime-music": image pull failed for quay.io/aknuds1/realtime-music, this may be because there are no credentials on this request. details: (Error: Status 403 trying to pull repository aknuds1/realtime-music: "{\"error\": \"Permission Denied\"}") 下载图像时如何让复制控制器使用图像拉锁“quay.io”? 复制控制器规格如下所示:
{ "kind": "ReplicationController", "apiVersion": "v1", "metadata": { "name": "web", "labels": { "app": "web" } }, "spec": { "replicas": 1, "selector": { "app": "web" }, "template": { "metadata": { "labels": { "app": "web" } }, "spec": { "containers": [ { "name": "web", "image": "quay.io/aknuds1/realtime-music", "ports": [ { "name": "http-server", "containerPort": 80 } ] } ], "imagePullSecrets": [ { "name": "quay.io" } ] } } } }
编辑
我创build了这样的quay.io机密: ~/.local/bin/kubectl --kubeconfig=/etc/kubernetes/kube.conf create -f /tmp/image-pull-secret.yaml 。 /tmp/image-pull-secret.yaml的内容基本上是这样的:
apiVersion: v1 kind: Secret metadata: name: quay.io data: .dockercfg: <base64 encoded dockercfg> type: kubernetes.io/dockercfg
kubectl get pods web-73na4 -o yaml输出kubectl get pods web-73na4 -o yaml ,以响应@PaulMorie
apiVersion: v1 kind: Pod metadata: annotations: kubernetes.io/created-by: | {"kind":"SerializedReference","apiVersion":"v1","reference":{"kind":"ReplicationController","namespace":"default","name":"web","uid":"e1b7a3f0-e349-11e5-a136-02420a022e02","apiVersion":"v1","resourceVersion":"31503"}} creationTimestamp: 2016-03-06T03:16:56Z generateName: web- labels: app: web name: web-73na4 namespace: default resourceVersion: "31516" selfLink: /api/v1/namespaces/default/pods/web-73na4 uid: e1b89066-e349-11e5-a136-02420a022e02 spec: containers: - image: quay.io/aknuds1/realtime-music imagePullPolicy: IfNotPresent name: web ports: - containerPort: 80 name: http-server protocol: TCP resources: {} terminationMessagePath: /dev/termination-log volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: default-token-5s7kd readOnly: true dnsPolicy: ClusterFirst nodeName: ip-172-31-29-110.eu-central-1.compute.internal restartPolicy: Always serviceAccount: default serviceAccountName: default terminationGracePeriodSeconds: 30 volumes: - name: default-token-5s7kd secret: secretName: default-token-5s7kd status: conditions: - lastProbeTime: null lastTransitionTime: null status: "False" type: Ready containerStatuses: - image: quay.io/aknuds1/realtime-music imageID: "" lastState: {} name: web ready: false restartCount: 0 state: waiting: message: 'image pull failed for quay.io/aknuds1/realtime-music, this may be because there are no credentials on this request. details: (Error: Status 403 trying to pull repository aknuds1/realtime-music: "{\"error\": \"Permission Denied\"}")' reason: PullImageError hostIP: 172.31.29.110 phase: Pending podIP: 10.2.2.3 startTime: 2016-03-06T03:16:56Z
更新 (这是我做的使用私人图像):
首先loginquay.io:
$ docker login quay.io Username (username): Password: WARNING: login credentials saved in /Users/user/.docker/config.json Login Succeeded
然后,我创build了一个新的文件(my-credentials.json),只有docker在config.json文件中添加了quay.io凭据(我意识到除了quay.io之外,它拥有更多凭据)。
$ cat config.json { "quay.io": { "auth": "xxxxxxxxxxxxxxxxxxxxx", "email": "user@example.com" } }
之后,我生成了base64:
$ cat ./my-credentials.json | base64 <base64-value>
我创造了这个秘密资源:
apiVersion: v1 kind: Secret metadata: name: myregistrykey data: .dockercfg: <base64-value> type: kubernetes.io/dockercfg $ kubectl create -f image-pull-secret.yaml
最后,我创build了pod:
{ "kind": "ReplicationController", "apiVersion": "v1", "metadata": { "name": "web", "labels": { "app": "web" } }, "spec": { "replicas": 1, "selector": { "app": "web" }, "template": { "metadata": { "labels": { "app": "web" } }, "spec": { "containers": [ { "name": "web", "image": "quay.io/username/myimage", "ports": [ { "name": "http-server", "containerPort": 80 } ] } ], "imagePullSecrets": [ { "name": "myregistrykey" } ] } } } } $ kubectl create -f pod.yaml
我已经使用myregistrykey作为imagePullSecrets而不是myregistrykey的名称,但我不认为这是问题所在。
这个问题似乎是由于你没有创build一个secret来保存你的凭证。
请注意, imagePullSecrets部分中的name键值(在您的情况下为“quay.io”)应该与您在secret资源中指定的值相同。