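K8S: Pulling Images from a Private Registry with a Secret

Requirements analysis

When the cluster had only a few k8s nodes, we simply ran docker login on each node to log in to Harbor and pull images. As the cluster grew, and with the need to temporarily scale out some nodes during peak periods, logging in manually became too time-consuming.

Solution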

# docker login harbor.com

Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
# cat ~/.docker/config.json
{
        "auths": {
                "harbor.com": {
                        "auth": "YWC12x6YWRtaW4xMjM="
                }
        },
        "HttpHeaders": {
                "User-Agent": "Docker-Client/18.09.4 (linux)"
        }
}

# Create the secret in the k8s cluster
# kubectl create secret generic harbor \
    --from-file=.dockerconfigjson=$HOME/.docker/config.json \
    --type=kubernetes.io/dockerconfigjson
# Or create it directly from the command line (replace the <...> placeholders)
kubectl create secret docker-registry harbor --docker-server=<registry-server> --docker-username=<username> --docker-password=<password> --docker-email=<email>

# View the created secret
kubectl get secret harbor

apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-demo
spec:
  restartPolicy: Never
  containers:
  - name: u-demo
    image: 192.168.124.43:8002/ubuntu
    imagePullPolicy: IfNotPresent
    command: ["printenv"]
    args: ["HOSTNAME"]
  imagePullSecrets:
  # Name of the private registry secret
  - name: harbor

Using the secret to pull images in an application

apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-demo
spec:
  restartPolicy: Never
  containers:
  - name: u-demo
    image: harbor.com/nginx:1.4.1
    imagePullPolicy: IfNotPresent
  imagePullSecrets:
  - name: harbor
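
Added example (not from the original post): the --from-file step above uploads ~/.docker/config.json as it is, so every registry entry in that file ends up in the cluster, and a file written while a credential helper is configured has no inline auth to upload. This Python code builds a kubernetes.io/dockerconfigjson Secret manifest that contains only the harbor.com entry and rejects unusable input; the build_pull_secret helper and the sample credentials are constructed for illustration.

```python
import base64
import json

def build_pull_secret(docker_config: dict, registry: str, name: str,
                      namespace: str = "default") -> dict:
    """Return a kubernetes.io/dockerconfigjson Secret holding only `registry`."""
    entry = docker_config.get("auths", {}).get(registry)
    if entry is None:
        raise ValueError(f"no auths entry for {registry}")
    auth = entry.get("auth")
    if not auth:
        # With credsStore/credHelpers, docker login leaves the entry empty and
        # keeps the password in the helper; a secret built from it cannot pull.
        raise ValueError(f"{registry}: no inline auth (credential helper in use?)")
    try:
        user, sep, password = base64.b64decode(auth, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"{registry}: auth is not valid base64") from exc
    if not (user and sep and password):
        raise ValueError(f"{registry}: auth does not decode to user:password")
    # Keep only the one registry: other auths entries and HttpHeaders stay off the cluster.
    minimal = json.dumps({"auths": {registry: {"auth": auth}}}, separators=(",", ":"))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockerconfigjson": base64.b64encode(minimal.encode()).decode()},
    }

# Constructed sample input, not the credentials shown on this page.
SAMPLE_CONFIG = {
    "auths": {
        "harbor.com": {"auth": base64.b64encode(b"ci-pull:example-password").decode()},
        "other-registry.example": {"auth": base64.b64encode(b"dev:unrelated").decode()},
    },
    "HttpHeaders": {"User-Agent": "Docker-Client/18.09.4 (linux)"},
}

if __name__ == "__main__":
    # JSON is valid YAML, so the output can be piped to: kubectl apply -f -
    print(json.dumps(build_pull_secret(SAMPLE_CONFIG, "harbor.com", "harbor"), indent=2))
```

The data field is only base64-encoded, so anyone allowed to read Secrets in the namespace can recover the registry password; a pull-only registry account limits what that exposes.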
