Pulling images from a private registry in Kubernetes

Docker private registry

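Before covering how k8s pulls from a private registry, Docker itself has to be configured to pull from it.
By default Docker talks to a private registry over HTTPS; to use HTTP instead, the following configuration is needed.
Edit /etc/docker/daemon.json and add: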

{
  "insecure-registries" : ["registry.xxxx.com"]
}

Restart Docker, then pull an image from the private registry as follows:

docker login registry.xxxx.com
docker pull registry.xxxx.com/xxx/xx:xxx

K8s private registry

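With Docker configured, this section covers how k8s pulls private registry images through a secret.
Without this setting, creating the RC fails to pull the image with an image-not-found message and reports the following errors: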

Events:
  FirstSeen     LastSeen        Count   From                    SubObjectPath           Type            Reason          Message
  ---------     --------        -----   ----                    -------------           --------        ------          -------
  49s           49s             1       {default-scheduler }                            Normal          Scheduled       Successfully assigned webapp-xq03t to master
  48s           11s             3       {kubelet master}        spec.containers{webapp} Normal          Pulling         pulling image "e5:8889/tomcat"
  48s           11s             3       {kubelet master}        spec.containers{webapp} Warning         Failed          Failed to pull image "e5:8889/tomcat": Error: image tomcat:latest not found
  48s           11s             3       {kubelet master}                                Warning         FailedSync      Error syncing pod, skipping: failed to "StartContainer" for "webapp" with ErrImagePull: "Error: image tomcat:latest not found"

  47s   0s      3       {kubelet master}        spec.containers{webapp} Normal  BackOff         Back-off pulling image "e5:8889/tomcat"
  47s   0s      3       {kubelet master}                                Warning FailedSync      Error syncing pod, skipping: failed to "StartContainer" for "webapp" with ImagePullBackOff: "Back-off pulling image \"e5:8889/tomcat\""

Create the secret

kubectl create secret docker-registry registrysecret --docker-server=e5:8889  --docker-username=admin --docker-password=xxxx --docker-email=lusyoe@163.com 
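
What a secret of this kind stores, as an added example that is not part of the original post: it rebuilds offline the payload of a kubernetes.io/dockerconfigjson Secret (the layout current kubectl versions are assumed to write) and decodes it again, showing that the registry password is only base64-encoded. The registry name, account and password are constructed sample values, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example with constructed sample values; function names are hypothetical.
# Assumes sample values contain no characters that need JSON escaping.

# Build the JSON that a kubernetes.io/dockerconfigjson Secret holds for one registry.
make_dockerconfigjson() {
  local server="$1" user="$2" pass="$3" email="$4" auth
  # The "auth" field is base64("user:password"): an encoding, not encryption.
  auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
    "$server" "$user" "$pass" "$email" "$auth"
}

# The Secret's data[".dockerconfigjson"] value is that JSON, base64-encoded once more.
encode_secret_data() {
  make_dockerconfigjson "$@" | base64 | tr -d '\n'
}

# Recover "user:password" from the data value, as any reader of the Secret could.
recover_login() {
  local json auth
  json=$(printf '%s' "$1" | base64 -d)
  auth=$(printf '%s' "$json" | sed -n 's/.*"auth":"\([^"]*\)".*/\1/p')
  printf '%s' "$auth" | base64 -d
}

# Constructed sample input (not the page's registry or credentials).
data=$(encode_secret_data "registry.example.internal:5000" "puller" \
  "pw-sample" "ops@example.invalid")
echo "stored value : $data"
echo "recovered    : $(recover_login "$data")"
```

Read access to Secrets in a namespace is therefore equivalent to knowing the registry password, so registrysecret is best backed by a pull-only registry account.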

Use the secret in the RC

apiVersion: v1
kind: ReplicationController
metadata:
  name: webapp
spec:
  replicas: 2
  template:
    metadata:
      name: webapp
      labels:
        app: webapp
    spec:
      containers:
      - name: webapp
        imagePullPolicy: Always
        image: e5:8889/tomcat:latest
        ports:
          - containerPort: 80
      imagePullSecrets:
      - name: registrysecret

The key part is imagePullSecrets.

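Even so, having to add these 2 lines of configuration to every YAML file is tedious.
A few more steps are needed so that pulls from the private registry work automatically by default.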

Configure the default rule

Set the secret on the k8s default service account:
kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "registrysecret"}]}'

View the default account's configuration:
kubectl get serviceaccounts default -o yaml

Here is the default account's detailed configuration:

apiVersion: v1
imagePullSecrets:
- name: registrysecret
kind: ServiceAccount
metadata:
  creationTimestamp: 2018-03-11T15:28:06Z
  name: default
  namespace: default
  resourceVersion: "997965"
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: cc20a274-2540-11e8-8755-3497f600e8ed
secrets:
- name: default-token-5qvkp

imagePullSecrets has now been added, so later YAML files no longer need this setting; it is added automatically.
Secrets are isolated per namespace; only the default namespace is demonstrated here.

PS: Note that ServiceAccount must be enabled here, otherwise an error is reported.

See: Fixing the k8s pod creation error No API token found for service account “default”, retry after the token is automatically
