K3S:如何通过 hub.docker.com 验证太拉私人图像?
K3S: How to authenticate with hub.docker.com too pull private images?
我有一个带有 K3s 的 Kubernetes 集群设置,我想从位于 hub.docker.com 的注册表中提取。这在尝试提取 public 图像时没有问题,但是当我尝试从 hub.docker.com 中提取私有图像时。它找不到它们。
我已经尝试使用我的 Docker 登录信息(参见 here)创建一个秘密 regcred,并使用 imagePullSecrets 添加它。但这似乎行不通。
如何让我的 K3s 集群通过 hub.docker.com 的私有部分进行身份验证,从而允许我在 Deployment 中拉取私有镜像?
谢谢
这是我的完整清单:
apiVersion: v1
kind: Namespace
metadata:
name: example
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: example
namespace: example
spec:
replicas: 2
selector:
matchLabels:
app: example
template:
metadata:
labels:
app: example
spec:
containers:
- name: example
image: example/example:latest
ports:
- containerPort: 80
imagePullPolicy: Always
imagePullSecrets:
- name: regcred
---
apiVersion: v1
kind: Service
metadata:
name: example
namespace: example
spec:
ports:
- port: 80
targetPort: 80
name: tcp
selector:
app: example
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example
namespace: example
annotations:
kubernetes.io/ingress.class: "traefik"
kubernetes.io/tls-acme: "true"
ingress.kubernetes.io/ssl-redirect: "true"
ingress.kubernetes.io/ssl-temporary-redirect: "true"
ingress.kubernetes.io/ssl-host: "example.com"
traefik.frontend.rule.type: PathPrefixStrip
traefik.ingress.kubernetes.io/redirect-regex: "^https://example.com(.*)"
traefik.ingress.kubernetes.io/redirect-replacement: "https://www.example.com/"
spec:
rules:
- host: "example.com"
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: example
port:
number: 80
- host: "www.example.com"
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: example
port:
number: 80
Regcred 看起来像这样:
{"auths":{"https://index.docker.io/v1/":{"username":"example","password":"secret","email":"test@example.com","auth":"dm...g5"}}}%
广告连播状态:
NAME READY STATUS RESTARTS AGE
example-688b97d5d7-q9ngl 0/1 ImagePullBackOff 0 101s
当 运行 命令 kubectl describe pod example-688b97d5d7-q9ngl 给我:
Failed to pull image "example/example:latest": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/example/example:latest": failed to resolve reference "docker.io/example/example:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
感谢大家的帮助。问题是我没有为特定命名空间创建 regcred 秘密。当我这样做时,一切都立即起作用了。
我有一个带有 K3s 的 Kubernetes 集群设置,我想从位于 hub.docker.com 的注册表中提取。这在尝试提取 public 图像时没有问题,但是当我尝试从 hub.docker.com 中提取私有图像时。它找不到它们。
我已经尝试使用我的 Docker 登录信息(参见 here)创建一个秘密 regcred,并使用 imagePullSecrets 添加它。但这似乎行不通。
如何让我的 K3s 集群通过 hub.docker.com 的私有部分进行身份验证,从而允许我在 Deployment 中拉取私有镜像?
谢谢
这是我的完整清单:
apiVersion: v1
kind: Namespace
metadata:
name: example
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: example
namespace: example
spec:
replicas: 2
selector:
matchLabels:
app: example
template:
metadata:
labels:
app: example
spec:
containers:
- name: example
image: example/example:latest
ports:
- containerPort: 80
imagePullPolicy: Always
imagePullSecrets:
- name: regcred
---
apiVersion: v1
kind: Service
metadata:
name: example
namespace: example
spec:
ports:
- port: 80
targetPort: 80
name: tcp
selector:
app: example
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example
namespace: example
annotations:
kubernetes.io/ingress.class: "traefik"
kubernetes.io/tls-acme: "true"
ingress.kubernetes.io/ssl-redirect: "true"
ingress.kubernetes.io/ssl-temporary-redirect: "true"
ingress.kubernetes.io/ssl-host: "example.com"
traefik.frontend.rule.type: PathPrefixStrip
traefik.ingress.kubernetes.io/redirect-regex: "^https://example.com(.*)"
traefik.ingress.kubernetes.io/redirect-replacement: "https://www.example.com/"
spec:
rules:
- host: "example.com"
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: example
port:
number: 80
- host: "www.example.com"
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: example
port:
number: 80
Regcred 看起来像这样:
{"auths":{"https://index.docker.io/v1/":{"username":"example","password":"secret","email":"test@example.com","auth":"dm...g5"}}}%
广告连播状态:
NAME READY STATUS RESTARTS AGE
example-688b97d5d7-q9ngl 0/1 ImagePullBackOff 0 101s
当 运行 命令 kubectl describe pod example-688b97d5d7-q9ngl 给我:
Failed to pull image "example/example:latest": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/example/example:latest": failed to resolve reference "docker.io/example/example:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
感谢大家的帮助。问题是我没有为特定命名空间创建 regcred 秘密。当我这样做时,一切都立即起作用了。