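Pulling Images from a Private Registry in K8S

Published by 小陈运维 on 2024-11-30

When Kubernetes (k8s) pulls an image from a private registry, the pull can fail: the private registry requires authentication, and if Kubernetes cannot authenticate, the pull fails. In that case we need to create the registry login information manually.

TL;DR

# Create the secret
# [harbor-docker]      custom name
# [--namespace]        same namespace as the application
# [--docker-server]    registry address
# [--docker-username]  registry username
# [--docker-password]  registry password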

[root@k8s-master01 ~]# kubectl create secret docker-registry harbor-docker --namespace=default --docker-server=z.oiox.cn:18082 --docker-username=admin --docker-password=123123
secret/harbor-docker created
[root@k8s-master01 ~]# 


# Add the imagePullSecrets setting
---- omitted
    spec:
      containers:
      - image: z.oiox.cn:18082/cby/cby:v1
        imagePullPolicy: IfNotPresent
      imagePullSecrets:
      - name: harbor-docker
---- omitted

Full walkthrough

Build the image for the private registry

# Write the Dockerfile
cat > Dockerfile <<EOF
FROM nginx
RUN echo '這是一個私有倉庫的映象' > /usr/share/nginx/html/index.html
EOF

# Build the image
docker build -t z.oiox.cn:18082/cby/cby:v1 .

# Log in to the image registry
docker login  z.oiox.cn:18082

# Push the image to the private registry
docker push z.oiox.cn:18082/cby/cby:v1

Test with docker

# Pull the image without logging in
[root@ik-cby ~]# docker pull z.oiox.cn:18082/cby/cby:v1
Error response from daemon: unauthorized: unauthorized to access repository: cby/cby, action: pull: unauthorized to access repository: cby/cby, action: pull
[root@ik-cby ~]# 

# Log in to the image registry
[root@ik-cby ~]# docker login  z.oiox.cn:18082
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores

Login Succeeded
[root@ik-cby ~]# 

# Pull again after logging in
[root@ik-cby ~]# docker pull z.oiox.cn:18082/cby/cby:v1
v1: Pulling from cby/cby
2d429b9e73a6: Pull complete 
20c8b3871098: Pull complete 
06da587a7970: Pull complete 
f7895e95e2d4: Pull complete 
7b25f3e99685: Pull complete 
dffc1412b7c8: Pull complete 
d550bb6d1800: Pull complete 
dad691375a56: Pull complete 
Digest: sha256:0deca38aaf759b58687737a2aa65840958af31d3ec8b41b68225ac2e91852876
Status: Downloaded newer image for z.oiox.cn:18082/cby/cby:v1
z.oiox.cn:18082/cby/cby:v1
[root@ik-cby ~]# 

# Delete the local image
[root@ik-cby ~]# docker rmi z.oiox.cn:18082/cby/cby:v1
Untagged: z.oiox.cn:18082/cby/cby:v1
Untagged: z.oiox.cn:18082/cby/cby@sha256:0deca38aaf759b58687737a2aa65840958af31d3ec8b41b68225ac2e91852876
Deleted: sha256:8a398a3beb2e124c2e101af093691210c346d3d574e00195da5cefcb2ca3822b
Deleted: sha256:bd8801f29c0017595dae888d0bf92d8a9e828ae9a0fe7be8c4f46a383a65b982
Deleted: sha256:05f1422637e6596cdaff4a3ea77eea2d06652e9a36a6e85e4c88f4a6783db6cd
Deleted: sha256:aefc0beb891c07f82a5bec1301e3a1bfe8e08f27118313d167a606c2d768285b
Deleted: sha256:8006a840595ef554203de033c3b0291cfcc5ee9f194e8cc52b659f1b564d8efa
Deleted: sha256:15338037da38cef194cbdc29a4a6257ff2d41bd868891edee66714f828f48bd3
Deleted: sha256:13271298fdeb33a352a69704aa4b798b06501d6dd0e5ad4529075b4edbdb7e8f
Deleted: sha256:20e7b0616008dbafb4b049243f1c514a4df65536b02c19fbbb75a5c9f70784e4
Deleted: sha256:c3548211b8264f8bfa47a6727043a64f1791b82ac965a284a7ea187e971a95e2
[root@ik-cby ~]# 

# Log out of the image registry
[root@ik-cby ~]# docker logout  z.oiox.cn:18082
Removing login credentials for z.oiox.cn:18082
[root@ik-cby ~]# 

# Pull again after logging out
[root@ik-cby ~]# docker pull z.oiox.cn:18082/cby/cby:v1
Error response from daemon: unauthorized: unauthorized to access repository: cby/cby, action: pull: unauthorized to access repository: cby/cby, action: pull
[root@ik-cby ~]#

Pulling the private image with Kubernetes

# Write a basic test manifest
cat > cby.yaml <<EOF
apiVersion: v1
kind: Service
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  type: NodePort
  selector:
    app: nginx
  ports:
  - port: 80
    targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: z.oiox.cn:18082/cby/cby:v1
        ports:
        - containerPort: 80
          name: web
EOF

Test deployment

# Deploy the application
[root@k8s-master01 ~]# kubectl apply -f cby.yaml 
service/nginx created
deployment.apps/web created
[root@k8s-master01 ~]# 

# Check the pods: the new pod already reports an error and cannot pull the image
[root@k8s-master01 ~]# kubectl get pod 
NAME                            READY   STATUS         RESTARTS        AGE
busybox                         1/1     Running        311 (21m ago)   13d
hello-server-588d6f5cd6-24ttg   1/1     Running        3 (9d ago)      63d
hello-server-588d6f5cd6-kxv45   1/1     Running        4 (9d ago)      63d
nginx-demo-cccbdc67f-6nkgd      1/1     Running        3 (9d ago)      63d
nginx-demo-cccbdc67f-h9p8d      1/1     Running        3 (9d ago)      63d
web-0                           1/1     Running        1 (9d ago)      13d
web-1                           1/1     Running        1 (9d ago)      13d
web-586946798b-n6dpg            0/1     ErrImagePull   0               7s
[root@k8s-master01 ~]# 

# View the svc information
[root@k8s-master01 ~]# kubectl get svc
NAME           TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE
hello-server   ClusterIP   10.103.104.242   <none>        8000/TCP       63d
kubernetes     ClusterIP   10.96.0.1        <none>        443/TCP        68d
nginx          NodePort    10.111.106.93    <none>        80:30565/TCP   12s
nginx-demo     ClusterIP   10.107.132.57    <none>        8000/TCP       63d
[root@k8s-master01 ~]# 
[root@k8s-master01 ~]#

View the pod details

[root@k8s-master01 ~]# kubectl describe pod web-586946798b-n6dpg 
Name:             web-586946798b-n6dpg
Namespace:        default
Priority:         0
Service Account:  default
Node:             k8s-node01/192.168.1.34
Start Time:       Sat, 30 Nov 2024 12:26:52 +0800
Labels:           app=nginx
                  pod-template-hash=586946798b
Annotations:      <none>
Status:           Pending
IP:               10.0.3.104
IPs:
  IP:           10.0.3.104
Controlled By:  ReplicaSet/web-586946798b
Containers:
  nginx:
    Container ID:   
    Image:          z.oiox.cn:18082/cby/cby:v1
    Image ID:     
    Port:           80/TCP
    Host Port:      0/TCP
    State:          Waiting
      Reason:       ErrImagePull
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-p7x5k (ro)
Conditions:
  Type                        Status
  PodReadyToStartContainers   True 
  Initialized                 True 
  Ready                       False 
  ContainersReady             False 
  PodScheduled                True 
Volumes:
  kube-api-access-p7x5k:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason     Age                From               Message
  ----     ------     ----               ----               -------
  Normal   Scheduled  51s                default-scheduler  Successfully assigned default/web-586946798b-n6dpg to k8s-node01
  Normal   Pulling    12s (x3 over 50s)  kubelet            Pulling image "z.oiox.cn:18082/cby/cby:v1"
  Warning  Failed     12s (x3 over 50s)  kubelet            Failed to pull image "z.oiox.cn:18082/cby/cby:v1": Error response from daemon: unauthorized: unauthorized to access repository: cby/cby, action: pull: unauthorized to access repository: cby/cby, action: pull
  Warning  Failed     12s (x3 over 50s)  kubelet            Error: ErrImagePull
  Normal   BackOff    1s (x3 over 50s)   kubelet            Back-off pulling image "z.oiox.cn:18082/cby/cby:v1"
  Warning  Failed     1s (x3 over 50s)   kubelet            Error: ImagePullBackOff
[root@k8s-master01 ~]#

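Configure the registry credentials in the cluster

# Create the secret
# [harbor-docker]      custom name
# [--namespace]        same namespace as the application
# [--docker-server]    registry address
# [--docker-username]  registry username
# [--docker-password]  registry password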

[root@k8s-master01 ~]# kubectl create secret docker-registry harbor-docker --namespace=default --docker-server=z.oiox.cn:18082 --docker-username=admin --docker-password=123123
secret/harbor-docker created
[root@k8s-master01 ~]# 

# View the secret
[root@k8s-master01 ~]# kubectl get secret
NAME            TYPE                             DATA   AGE
harbor-docker   kubernetes.io/dockerconfigjson   1      7s
[root@k8s-master01 ~]# 

# Show the secret details, then display it in YAML format
[root@k8s-master01 ~]# kubectl describe secret harbor-docker 
Name:         harbor-docker
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/dockerconfigjson

Data
====
.dockerconfigjson:  102 bytes
[root@k8s-master01 ~]#

[root@k8s-master01 ~]# kubectl get secret harbor-docker -o yaml
apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyJ6Lm9pb3guY246MTgwODIiOnsidXNlcm5hbWUiOiJhZG1pbiIsInBhc3N3b3JkIjoiQ2J5MTIzLi4iLCJhdXRoIjoiWVdSdGFXNDZRMko1TVRJekxpND0ifX19
kind: Secret
metadata:
  creationTimestamp: "2024-11-30T04:33:22Z"
  name: harbor-docker
  namespace: default
  resourceVersion: "5235056"
  uid: 03adf25f-3c1d-4942-bd1f-bb3c24b84608
type: kubernetes.io/dockerconfigjson
[root@k8s-master01 ~]#
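
The `.dockerconfigjson` value printed by `kubectl get secret -o yaml` is base64-encoded JSON, not ciphertext, so anyone who can read Secrets in the namespace can recover the registry password. The following is an added example, not code from the original article: it decodes such a value and reports what it exposes without printing the password. The registry name and credential in `SAMPLE` are constructed placeholders, and the function names are hypothetical.

```python
import base64
import json


def build_dockerconfigjson(server, username, password):
    """Build a .dockerconfigjson value in the layout that
    `kubectl create secret docker-registry` writes, base64-encoded."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    doc = {"auths": {server: {"username": username,
                              "password": password,
                              "auth": auth}}}
    return base64.b64encode(json.dumps(doc, separators=(",", ":")).encode()).decode()


def inspect_pull_secret(data_b64):
    """Decode a .dockerconfigjson value and report what it exposes.
    The password itself is never returned, only its length."""
    doc = json.loads(base64.b64decode(data_b64))
    findings = []
    for server, entry in doc.get("auths", {}).items():
        user = entry.get("username", "")
        password = entry.get("password", "")
        # "auth" is base64("username:password"): a second copy of the credential.
        decoded = base64.b64decode(entry.get("auth", "")).decode()
        auth_user, _, auth_pass = decoded.partition(":")
        findings.append({
            "server": server,
            "username": user or auth_user,
            "password_recoverable": bool(password or auth_pass),
            "password_length": len(password or auth_pass),
            "auth_matches": (auth_user, auth_pass) == (user, password),
            # A pull secret only needs read access; flag administrator accounts.
            "admin_account": (user or auth_user).lower() in {"admin", "root"},
        })
    return findings


# Constructed sample: placeholder registry and credential, not values from the page.
SAMPLE = build_dockerconfigjson("registry.example.internal:5000", "admin", "example-pass")

if __name__ == "__main__":
    for finding in inspect_pull_secret(SAMPLE):
        print(finding)
```

To check a live secret, pass the value of the `.dockerconfigjson` key from `kubectl get secret harbor-docker -o yaml` to `inspect_pull_secret`.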

Update the service YAML file to reference the secret you created

# The image still has not been pulled
[root@k8s-master01 ~]# kubectl get pod 
NAME                            READY   STATUS             RESTARTS        AGE
busybox                         1/1     Running            311 (32m ago)   13d
hello-server-588d6f5cd6-24ttg   1/1     Running            3 (9d ago)      63d
hello-server-588d6f5cd6-kxv45   1/1     Running            4 (9d ago)      63d
nginx-demo-cccbdc67f-6nkgd      1/1     Running            3 (9d ago)      63d
nginx-demo-cccbdc67f-h9p8d      1/1     Running            3 (9d ago)      63d
web-0                           1/1     Running            1 (9d ago)      13d
web-1                           1/1     Running            1 (9d ago)      13d
web-586946798b-n6dpg            0/1     ImagePullBackOff   0               10m
[root@k8s-master01 ~]# 

# Add the imagePullSecrets setting
---- omitted
    spec:
      containers:
      - image: z.oiox.cn:18082/cby/cby:v1
        imagePullPolicy: IfNotPresent
      imagePullSecrets:
      - name: harbor-docker
---- omitted

# Edit the deployment
[root@k8s-master01 ~]# kubectl edit deployments.apps web 
deployment.apps/web edited
[root@k8s-master01 ~]# 

# View the complete configuration
[root@k8s-master01 ~]# kubectl get deployments.apps web -o yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "2"
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{},"name":"web","namespace":"default"},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"nginx"}},"template":{"metadata":{"labels":{"app":"nginx"}},"spec":{"containers":[{"image":"z.oiox.cn:18082/cby/cby:v1","name":"nginx","ports":[{"containerPort":80,"name":"web"}]}]}}}}
  creationTimestamp: "2024-11-30T04:26:52Z"
  generation: 2
  name: web
  namespace: default
  resourceVersion: "5236110"
  uid: c6225e80-5526-4dd9-8642-358bf186a79e
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: nginx
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: nginx
    spec:
      containers:
      - image: z.oiox.cn:18082/cby/cby:v1
        imagePullPolicy: IfNotPresent
        name: nginx
        ports:
        - containerPort: 80
          name: web
          protocol: TCP
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      imagePullSecrets:
      - name: harbor-docker
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: "2024-11-30T04:38:40Z"
    lastUpdateTime: "2024-11-30T04:38:40Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  - lastTransitionTime: "2024-11-30T04:38:36Z"
    lastUpdateTime: "2024-11-30T04:38:40Z"
    message: ReplicaSet "web-5bcf459779" has successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  observedGeneration: 2
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1
[root@k8s-master01 ~]#
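
The failure and the fix above come down to two conditions: a pod that uses the private registry must list an `imagePullSecrets` entry, and that Secret must exist in the pod's own namespace with type `kubernetes.io/dockerconfigjson`. The following is an added example, not part of the original article, that checks both over Deployment objects shaped like the items of `kubectl get deployments -A -o json`. The sample deployments, the `staging` namespace and the function names are constructed for illustration.

```python
PRIVATE_REGISTRIES = {"z.oiox.cn:18082"}  # registry host used on this page
PULL_SECRET_TYPE = "kubernetes.io/dockerconfigjson"


def registry_of(image):
    """Registry host of an image reference, or None for short names like 'nginx'."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return None


def lint_pull_secrets(deployments, secrets):
    """Return (deployment, problem) tuples; secrets maps (namespace, name) -> type."""
    problems = []
    for dep in deployments:
        ns = dep["metadata"].get("namespace", "default")
        ident = f'{ns}/{dep["metadata"]["name"]}'
        pod = dep["spec"]["template"]["spec"]
        containers = pod.get("initContainers", []) + pod.get("containers", [])
        private = sorted({c["image"] for c in containers
                          if registry_of(c["image"]) in PRIVATE_REGISTRIES})
        if not private:
            continue
        refs = [s["name"] for s in pod.get("imagePullSecrets", [])]
        if not refs:
            problems.append((ident, f"no imagePullSecrets for {private[0]}"))
        for name in refs:
            kind = secrets.get((ns, name))  # a pod only sees Secrets in its own namespace
            if kind is None:
                problems.append((ident, f"secret {name} not found in namespace {ns}"))
            elif kind != PULL_SECRET_TYPE:
                problems.append((ident, f"secret {name} has type {kind}"))
    return problems


def sample_deployment(ns, name, image, pull=()):
    """Constructed minimal Deployment object for the sample data below."""
    spec = {"containers": [{"name": "nginx", "image": image}],
            "imagePullSecrets": [{"name": n} for n in pull]}
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"template": {"spec": spec}}}


IMAGE = "z.oiox.cn:18082/cby/cby:v1"  # image reference from the page
SECRETS = {("default", "harbor-docker"): PULL_SECRET_TYPE}
DEPLOYMENTS = [sample_deployment("default", "web-before", IMAGE),
               sample_deployment("default", "web-after", IMAGE, ["harbor-docker"]),
               sample_deployment("staging", "web", IMAGE, ["harbor-docker"])]
```

Running `lint_pull_secrets(DEPLOYMENTS, SECRETS)` reports the deployment without a pull secret and the one in `staging`, where `harbor-docker` was never created.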

Check whether the container started successfully

[root@k8s-master01 ~]# kubectl get pod 
NAME                            READY   STATUS    RESTARTS        AGE
busybox                         1/1     Running   311 (33m ago)   13d
hello-server-588d6f5cd6-24ttg   1/1     Running   3 (9d ago)      63d
hello-server-588d6f5cd6-kxv45   1/1     Running   4 (9d ago)      63d
nginx-demo-cccbdc67f-6nkgd      1/1     Running   3 (9d ago)      63d
nginx-demo-cccbdc67f-h9p8d      1/1     Running   3 (9d ago)      63d
web-0                           1/1     Running   1 (9d ago)      13d
web-1                           1/1     Running   1 (9d ago)      13d
web-5bcf459779-pdbgm            1/1     Running   0               16s
[root@k8s-master01 ~]#

View the details

[root@k8s-master01 ~]# kubectl describe po web-5bcf459779-pdbgm 
Name:             web-5bcf459779-pdbgm
Namespace:        default
Priority:         0
Service Account:  default
Node:             k8s-node02/192.168.1.35
Start Time:       Sat, 30 Nov 2024 12:38:36 +0800
Labels:           app=nginx
                  pod-template-hash=5bcf459779
Annotations:      <none>
Status:           Running
IP:               10.0.0.14
IPs:
  IP:           10.0.0.14
Controlled By:  ReplicaSet/web-5bcf459779
Containers:
  nginx:
    Container ID:   docker://fc107b489899b85f388db93eb4003e887df0107f13937471364f442fcf8a35d9
    Image:          z.oiox.cn:18082/cby/cby:v1
    Image ID:       docker-pullable://z.oiox.cn:18082/cby/cby@sha256:0deca38aaf759b58687737a2aa65840958af31d3ec8b41b68225ac2e91852876
    Port:           80/TCP
    Host Port:      0/TCP
    State:          Running
      Started:      Sat, 30 Nov 2024 12:38:39 +0800
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-46c5x (ro)
Conditions:
  Type                        Status
  PodReadyToStartContainers   True 
  Initialized                 True 
  Ready                       True 
  ContainersReady             True 
  PodScheduled                True 
Volumes:
  kube-api-access-46c5x:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  33s   default-scheduler  Successfully assigned default/web-5bcf459779-pdbgm to k8s-node02
  Normal  Pulling    32s   kubelet            Pulling image "z.oiox.cn:18082/cby/cby:v1"
  Normal  Pulled     31s   kubelet            Successfully pulled image "z.oiox.cn:18082/cby/cby:v1" in 1.538s (1.538s including waiting). Image size: 191717134 bytes.
  Normal  Created    30s   kubelet            Created container nginx
  Normal  Started    30s   kubelet            Started container nginx
[root@k8s-master01 ~]#

Test access

[root@k8s-master01 ~]# kubectl get svc
NAME           TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE
hello-server   ClusterIP   10.103.104.242   <none>        8000/TCP       63d
kubernetes     ClusterIP   10.96.0.1        <none>        443/TCP        68d
nginx          NodePort    10.111.106.93    <none>        80:30565/TCP   17m
nginx-demo     ClusterIP   10.107.132.57    <none>        8000/TCP       63d
[root@k8s-master01 ~]# 

# Access works: the image built earlier is now being served
[root@k8s-master01 ~]# curl 10.111.106.93
這是一個私有倉庫的映象
[root@k8s-master01 ~]# 
[root@k8s-master01 ~]# 
[root@k8s-master01 ~]# curl 192.168.1.31:30565
這是一個私有倉庫的映象
[root@k8s-master01 ~]# 
[root@k8s-master01 ~]#

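About

https://www.oiox.cn/

https://www.oiox.cn/index.php/start-page.html

CSDN, GitHub, 51CTO, Zhihu, OSChina, SegmentFault, Juejin, Jianshu, Huawei Cloud, Alibaba Cloud, Tencent Cloud, Bilibili, Toutiao, Sina Weibo, personal blog

Search for 《小陳運維》 on any of these platforms

Articles are published mainly on the WeChat official account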