如何让我的 Kubernetes 复制控制器使用特定的秘密来拉取图像?
How do I make my Kubernetes replication controller use a certain secret to pull an image?
我已经为我的复制控制器指定了某个 image pull secret,但是在下载 Docker 图像时它似乎没有被应用:
$ ~/.local/bin/kubectl --kubeconfig=/etc/kubernetes/kube.conf get events
FIRSTSEEN LASTSEEN COUNT NAME KIND SUBOBJECT REASON SOURCE MESSAGE
8h 8s 3074 web-73na4 Pod spec.containers{web} Pulling {kubelet ip-172-31-29-110.eu-central-1.compute.internal} Pulling image "quay.io/aknuds1/realtime-music"
8h 5s 3074 web-73na4 Pod spec.containers{web} Failed {kubelet ip-172-31-29-110.eu-central-1.compute.internal} Failed to pull image "quay.io/aknuds1/realtime-music": image pull failed for quay.io/aknuds1/realtime-music, this may be because there are no credentials on this request. details: (Error: Status 403 trying to pull repository aknuds1/realtime-music: "{\"error\": \"Permission Denied\"}")
如何让复制控制器在下载镜像时使用镜像拉取密钥"quay.io"?复制控制器规范如下所示:
{
"kind": "ReplicationController",
"apiVersion": "v1",
"metadata": {
"name": "web",
"labels": {
"app": "web"
}
},
"spec": {
"replicas": 1,
"selector": {
"app": "web"
},
"template": {
"metadata": {
"labels": {
"app": "web"
}
},
"spec": {
"containers": [
{
"name": "web",
"image": "quay.io/aknuds1/realtime-music",
"ports": [
{
"name": "http-server",
"containerPort": 80
}
]
}
],
"imagePullSecrets": [
{
"name": "quay.io"
}
]
}
}
}
}
编辑
我创建了这样的 quay.io 秘密:~/.local/bin/kubectl --kubeconfig=/etc/kubernetes/kube.conf create -f /tmp/image-pull-secret.yaml。 /tmp/image-pull-secret.yaml的内容基本是这样的:
apiVersion: v1
kind: Secret
metadata:
name: quay.io
data:
.dockercfg: <base64 encoded dockercfg>
type: kubernetes.io/dockercfg
来自 kubectl get pods web-73na4 -o yaml 的输出,以响应 @PaulMorie
apiVersion: v1
kind: Pod
metadata:
annotations:
kubernetes.io/created-by: |
{"kind":"SerializedReference","apiVersion":"v1","reference":{"kind":"ReplicationController","namespace":"default","name":"web","uid":"e1b7a3f0-e349-11e5-a136-02420a022e02","apiVersion":"v1","resourceVersion":"31503"}}
creationTimestamp: 2016-03-06T03:16:56Z
generateName: web-
labels:
app: web
name: web-73na4
namespace: default
resourceVersion: "31516"
selfLink: /api/v1/namespaces/default/pods/web-73na4
uid: e1b89066-e349-11e5-a136-02420a022e02
spec:
containers:
- image: quay.io/aknuds1/realtime-music
imagePullPolicy: IfNotPresent
name: web
ports:
- containerPort: 80
name: http-server
protocol: TCP
resources: {}
terminationMessagePath: /dev/termination-log
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-5s7kd
readOnly: true
dnsPolicy: ClusterFirst
nodeName: ip-172-31-29-110.eu-central-1.compute.internal
restartPolicy: Always
serviceAccount: default
serviceAccountName: default
terminationGracePeriodSeconds: 30
volumes:
- name: default-token-5s7kd
secret:
secretName: default-token-5s7kd
status:
conditions:
- lastProbeTime: null
lastTransitionTime: null
status: "False"
type: Ready
containerStatuses:
- image: quay.io/aknuds1/realtime-music
imageID: ""
lastState: {}
name: web
ready: false
restartCount: 0
state:
waiting:
message: 'image pull failed for quay.io/aknuds1/realtime-music, this may be
because there are no credentials on this request. details: (Error: Status
403 trying to pull repository aknuds1/realtime-music: "{\"error\": \"Permission
Denied\"}")'
reason: PullImageError
hostIP: 172.31.29.110
phase: Pending
podIP: 10.2.2.3
startTime: 2016-03-06T03:16:56Z
更新(这是我使用私有镜像所做的):
首次登录quay.io:
$ docker login quay.io
Username (username):
Password:
WARNING: login credentials saved in /Users/user/.docker/config.json
Login Succeeded
然后我创建了一个新文件 (my-credentials.json),它只包含 docker 添加到 config.json 文件中的 quay.io 凭据(我意识到它除了 quay.io).
之外还有更多凭据
$ cat config.json
{
"quay.io": {
"auth": "xxxxxxxxxxxxxxxxxxxxx",
"email": "user@example.com"
}
}
之后,我生成了base64:
$ cat ./my-credentials.json | base64
<base64-value>
我创建了秘密资源:
apiVersion: v1
kind: Secret
metadata:
name: myregistrykey
data:
.dockercfg: <base64-value>
type: kubernetes.io/dockercfg
$ kubectl create -f image-pull-secret.yaml
最后,我创建了 pod:
{
"kind": "ReplicationController",
"apiVersion": "v1",
"metadata": {
"name": "web",
"labels": {
"app": "web"
}
},
"spec": {
"replicas": 1,
"selector": {
"app": "web"
},
"template": {
"metadata": {
"labels": {
"app": "web"
}
},
"spec": {
"containers": [
{
"name": "web",
"image": "quay.io/username/myimage",
"ports": [
{
"name": "http-server",
"containerPort": 80
}
]
}
],
"imagePullSecrets": [
{
"name": "myregistrykey"
}
]
}
}
}
}
$ kubectl create -f pod.yaml
我使用 myregistrykey 作为 imagePullSecrets 的名称而不是 quay.io,但我认为问题不在于此。
问题似乎是因为您没有创建 secret 来保存您的凭据。
请注意 imagePullSecrets 部分中 name 键的值(在您的情况下 "quay.io")应该与您在 secret 资源中指定的值相同.
我已经为我的复制控制器指定了某个 image pull secret,但是在下载 Docker 图像时它似乎没有被应用:
$ ~/.local/bin/kubectl --kubeconfig=/etc/kubernetes/kube.conf get events
FIRSTSEEN LASTSEEN COUNT NAME KIND SUBOBJECT REASON SOURCE MESSAGE
8h 8s 3074 web-73na4 Pod spec.containers{web} Pulling {kubelet ip-172-31-29-110.eu-central-1.compute.internal} Pulling image "quay.io/aknuds1/realtime-music"
8h 5s 3074 web-73na4 Pod spec.containers{web} Failed {kubelet ip-172-31-29-110.eu-central-1.compute.internal} Failed to pull image "quay.io/aknuds1/realtime-music": image pull failed for quay.io/aknuds1/realtime-music, this may be because there are no credentials on this request. details: (Error: Status 403 trying to pull repository aknuds1/realtime-music: "{\"error\": \"Permission Denied\"}")
如何让复制控制器在下载镜像时使用镜像拉取密钥"quay.io"?复制控制器规范如下所示:
{
"kind": "ReplicationController",
"apiVersion": "v1",
"metadata": {
"name": "web",
"labels": {
"app": "web"
}
},
"spec": {
"replicas": 1,
"selector": {
"app": "web"
},
"template": {
"metadata": {
"labels": {
"app": "web"
}
},
"spec": {
"containers": [
{
"name": "web",
"image": "quay.io/aknuds1/realtime-music",
"ports": [
{
"name": "http-server",
"containerPort": 80
}
]
}
],
"imagePullSecrets": [
{
"name": "quay.io"
}
]
}
}
}
}
编辑
我创建了这样的 quay.io 秘密:~/.local/bin/kubectl --kubeconfig=/etc/kubernetes/kube.conf create -f /tmp/image-pull-secret.yaml。 /tmp/image-pull-secret.yaml的内容基本是这样的:
apiVersion: v1
kind: Secret
metadata:
name: quay.io
data:
.dockercfg: <base64 encoded dockercfg>
type: kubernetes.io/dockercfg
来自 kubectl get pods web-73na4 -o yaml 的输出,以响应 @PaulMorie
apiVersion: v1
kind: Pod
metadata:
annotations:
kubernetes.io/created-by: |
{"kind":"SerializedReference","apiVersion":"v1","reference":{"kind":"ReplicationController","namespace":"default","name":"web","uid":"e1b7a3f0-e349-11e5-a136-02420a022e02","apiVersion":"v1","resourceVersion":"31503"}}
creationTimestamp: 2016-03-06T03:16:56Z
generateName: web-
labels:
app: web
name: web-73na4
namespace: default
resourceVersion: "31516"
selfLink: /api/v1/namespaces/default/pods/web-73na4
uid: e1b89066-e349-11e5-a136-02420a022e02
spec:
containers:
- image: quay.io/aknuds1/realtime-music
imagePullPolicy: IfNotPresent
name: web
ports:
- containerPort: 80
name: http-server
protocol: TCP
resources: {}
terminationMessagePath: /dev/termination-log
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-5s7kd
readOnly: true
dnsPolicy: ClusterFirst
nodeName: ip-172-31-29-110.eu-central-1.compute.internal
restartPolicy: Always
serviceAccount: default
serviceAccountName: default
terminationGracePeriodSeconds: 30
volumes:
- name: default-token-5s7kd
secret:
secretName: default-token-5s7kd
status:
conditions:
- lastProbeTime: null
lastTransitionTime: null
status: "False"
type: Ready
containerStatuses:
- image: quay.io/aknuds1/realtime-music
imageID: ""
lastState: {}
name: web
ready: false
restartCount: 0
state:
waiting:
message: 'image pull failed for quay.io/aknuds1/realtime-music, this may be
because there are no credentials on this request. details: (Error: Status
403 trying to pull repository aknuds1/realtime-music: "{\"error\": \"Permission
Denied\"}")'
reason: PullImageError
hostIP: 172.31.29.110
phase: Pending
podIP: 10.2.2.3
startTime: 2016-03-06T03:16:56Z
更新(这是我使用私有镜像所做的):
首次登录quay.io:
$ docker login quay.io
Username (username):
Password:
WARNING: login credentials saved in /Users/user/.docker/config.json
Login Succeeded
然后我创建了一个新文件 (my-credentials.json),它只包含 docker 添加到 config.json 文件中的 quay.io 凭据(我意识到它除了 quay.io).
之外还有更多凭据$ cat config.json
{
"quay.io": {
"auth": "xxxxxxxxxxxxxxxxxxxxx",
"email": "user@example.com"
}
}
之后,我生成了base64:
$ cat ./my-credentials.json | base64
<base64-value>
我创建了秘密资源:
apiVersion: v1
kind: Secret
metadata:
name: myregistrykey
data:
.dockercfg: <base64-value>
type: kubernetes.io/dockercfg
$ kubectl create -f image-pull-secret.yaml
最后,我创建了 pod:
{
"kind": "ReplicationController",
"apiVersion": "v1",
"metadata": {
"name": "web",
"labels": {
"app": "web"
}
},
"spec": {
"replicas": 1,
"selector": {
"app": "web"
},
"template": {
"metadata": {
"labels": {
"app": "web"
}
},
"spec": {
"containers": [
{
"name": "web",
"image": "quay.io/username/myimage",
"ports": [
{
"name": "http-server",
"containerPort": 80
}
]
}
],
"imagePullSecrets": [
{
"name": "myregistrykey"
}
]
}
}
}
}
$ kubectl create -f pod.yaml
我使用 myregistrykey 作为 imagePullSecrets 的名称而不是 quay.io,但我认为问题不在于此。
问题似乎是因为您没有创建 secret 来保存您的凭据。
请注意 imagePullSecrets 部分中 name 键的值(在您的情况下 "quay.io")应该与您在 secret 资源中指定的值相同.