Connect to Azure container registry from microk8s

I am trying to pull an image from my Azure container registry

 sudo microk8s ctr --debug images pull redacted.azurecr.io/acs/service:2.24.2

But I keep getting this error:

ctr: failed to resolve reference "redacted.azurecr.io/acs/service:2.24.2": failed to authorize: failed to fetch anonymous token: unexpected status: 401 Unauthorized

This is my containerd-template.toml configuration:

version = 2

[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
    endpoint = ["https://registry-1.docker.io", ]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:32000"]
    endpoint = ["http://localhost:32000"]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."redacted.azurecr.io"]
    endpoint = ["https://redacted.azurecr.io"]
[plugins."io.containerd.grpc.v1.cri".registry.configs]
  [plugins."io.containerd.grpc.v1.cri".registry.configs."redacted.azurecr.io".auth]
    username = "redacted"
    password = "redacted"

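By adding username:password to the terminal command I can download the image, so I am sure the username and password are correct. It looks like the configuration in the config file is not being picked up (I did run microk8s stop and microk8s start after editing the config file).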

sudo microk8s ctr --debug images pull redacted.azurecr.io/acs/service:2.24.2 -u redacted:redacted

Please make sure you restart microk8s after changing containerd-template.toml.

MicroK8s v1.14 and onwards uses containerd. As described here, users should be aware of the secure registry and the credentials needed to access it. As shown above, configuring containerd involves editing /var/snap/microk8s/current/args/containerd-template.toml and reloading the new configuration via a microk8s stop, microk8s start cycle.

[Reference]

You can check the following similar issues:
https://github.com/containerd/cri/issues/1482
https://github.com/ubuntu/microk8s/issues/990
https://github.com/containerd/containerd/issues/4920

In the end, I solved this by adding a docker secret and patching the service account to use the pull secret by default

microk8s kubectl create secret docker-registry acr-token --docker-server=**redacted** --docker-username="**redacted**" --docker-password="**redacted**" --namespace **redacted**

microk8s kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "acr-token"}]}' --namespace **redacted**
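
Added example, not part of the original answer: the Secret created by `kubectl create secret docker-registry` holds a base64-encoded `.dockerconfigjson`, not an encrypted one, so anyone who can read Secrets in that namespace can recover the registry credentials. This Python sketch builds the same object and checks which credentials it would supply for a given image; the host names and credentials are constructed, and the host comparison is a simplification of the kubelet's matching.

```python
import base64
import json


def build_pull_secret(name, namespace, server, username, password):
    """Return the Secret object that `kubectl create secret docker-registry` produces."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    docker_config = {"auths": {server: {"username": username,
                                        "password": password,
                                        "auth": auth}}}
    payload = json.dumps(docker_config).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockerconfigjson": base64.b64encode(payload).decode()},
    }


def registry_host(image_ref):
    """Registry part of an image reference; docker.io when none is given."""
    first = image_ref.split("/", 1)[0]
    # The first component is a registry host only if it looks like one.
    if "/" in image_ref and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def credentials_for(secret, image_ref):
    """Decode the secret; return (username, password) for the image's registry or None."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a docker-registry pull secret")
    config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    host = registry_host(image_ref)
    for server, entry in config.get("auths", {}).items():
        # Simplified match (assumption): compare host names, ignoring scheme and path.
        server_host = server.split("://", 1)[-1].split("/", 1)[0]
        if server_host == host:
            user, _, pw = base64.b64decode(entry["auth"]).decode().partition(":")
            return user, pw
    return None


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    s = build_pull_secret("acr-token", "demo", "example.azurecr.io", "pull-user", "s3cr3t")
    print(json.dumps(s, indent=2))
    print(credentials_for(s, "example.azurecr.io/acs/service:2.24.2"))
```

A `None` result for the image you are deploying means the `--docker-server` value does not match the image's registry host, in which case the pull falls back to anonymous access.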