我已经部署了一个侦听192.168.xx.xx:5000
的本地注册表。
在/etc/hosts
中我添加了:
192.168.xx.xx my.local.registry
和使用sudo vim /etc/docker/daemon.json
我添加了:
{" insecure_registres":["my.local.registry:5000"]}
然后我用:
sudo docker tag hello-world my.local.registry:5000/hello-world
sudo docker push my.local.registry:5000/hello-world
一切正常。在https://my.local.registry:5000/v2/_catalog
中,我能够看到推送的图像:
{"repositories"["hello-world"}
在下一步中,我想创建一个pod,也就是一个能够从本地注册表下载映像的Deployment。例子:
apiVersion: apps/v1
kind: Deployment
metadata:
name: registry-test
labels:
app: registry-test
spec:
replicas: 1
selector:
matchLabels:
app: registry-test
template:
metadata:
labels:
app: registry-test
spec:
containers:
- name: registry-test
image: my.local.registry:5000/hello-world
我已经生成了我自己的证书使用:
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ./certs/tls.key -x509 -days 365 -subj "/C=GR/ST=./L=./O=./CN=my.local.registry" -addext "subjectAltName = DNS:my.local.registry" -out ./certs/tls.crt
,然后我创建了一个文件夹sudo mkdir -p /etc/docker/certs.d/my.local.registry:5000
,我把新创建的证书使用sudo scp certs/tls.crt /etc/docker/certs.d/my.local.registry:5000/ca.crt
然后我添加了sudo cp certs/tls.crt /usr/local/share/ca-certificates/ca.crt
,最后我执行:
sudo update-ca-certificates
sudo service docker restart
sudo systemctl restart containerd
然而,当我使用kubectl apply -f mytestDeployment.yaml
应用部署时,我得到
提取图像失败"my.local.registry:5000:5000/hello-world": rpc错误:code =未知desc =未能提取和解包图像my.local.registry:5000:5000/hello-world:latest":无法解析参考"my.local.registry:5000:5000/hello-world:latest": failed to请求:头部"https://my.local.registry 5000:5000/v2/hello world/表现/latest":X509:由未知权威机构签署的证书(可能是因为crypto/rsa:验证错误;在试图验证候选人时授权证书"my.local.registry:5000">
关于这个问题有很多答案,但是我无法解决这个问题。有人知道我遗漏了什么吗?
我也在使用DeamonSet:
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: registry-ca
namespace: ches
labels:
k8s-app: registry-ca
spec:
selector:
matchLabels:
name: registry-ca
template:
metadata:
labels:
name: registry-ca
spec:
containers:
- name: registry-ca-docker
image: busybox
command: [ 'sh' ]
args: [ '-c', 'mkdir /etc/docker/certs.d/my.local.registry:5000 && cp /home/core/tls.crt /etc/docker/certs.d/my.local.registry:5000/ca.crt && exec tail -f /dev/null' ]
volumeMounts:
- name: etc-docker
mountPath: /etc/docker/certs.d
- name: ca-cert
mountPath: /home/core
- name: registry-ca-containerd
image: busybox
command: [ 'sh' ]
args: [ '-c', 'cat /home/core/tls.crt > /home/core-containerd/ca.crt && exec tail -f /dev/null']
volumeMounts:
- name: ca-cert
mountPath: /home/core
- name: etc-containerd
mountPath: /home/core-containerd
terminationGracePeriodSeconds: 30
volumes:
- name: etc-docker
hostPath:
path: /etc/docker/certs.d
- name: ca-cert
secret:
secretName: ches-registry-secret
- name: etc-containerd
hostPath:
path: /usr/local/share/ca-certificates
但是错误仍然存在。
实际上你做了一切正确的设置你的私人注册表。然而,Kubernetes不允许从不安全的私有注册表中提取图像(是的,自签名证书仍然被认为是"不安全的")。
恐怕你必须告诉每个Kubernetes节点,你的my.local.registry
要么是一个不安全的注册表,要么把证书文件放在每个节点上(如Priyanka回答的第二个链接所述)。
另一种选择可能是使用letsencrypt创建证书,因此它由已知的证书颁发机构签名,因此是"安全的"。但这限制了自定义域名的使用。