镜像仓库中的秘钥管理
1 生成密钥
从私有镜像仓库拉取镜像时,需要为该仓库创建一个镜像仓库密钥,并在创建容器时引用它。创建镜像仓库密钥的语法和格式:
kubectl create secret docker-registry <regsecret-name> --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
<regsecret-name>:所创建的私有镜像仓库密钥的名称;
<your-registry-server>:为镜像仓库的服务器地址;
<your-name>:登录镜像仓库的用户名;
<your-pword>:登录镜像仓库的密码;
<your-email>:用户的邮箱地址。
假设登录私有镜像仓库的用户名为admin、密码为admin、邮箱地址为admin@meng.com,则可以执行下面的命令创建私有镜像仓库的密钥:
$ kubectl create secret docker-registry myregsecret --docker-server=192.168.10.12:8484 \
    --docker-username=admin --docker-password=admin --docker-email=admin@meng.com
使用 Apache 的 htpasswd 创建口令文件(口令以哈希形式存储,而非明文)
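# Install htpasswd (from httpd-tools) and create the registry's password file.
# The file has to live under the host directory that is bind-mounted into the
# container below (/data/auth/ -> /auth/); the original wrote it to
# /data/docker-auth/, which the container never sees, so the registry could not
# find /auth/htpasswd at startup.
yum install -y httpd-tools
mkdir -p /data/auth /data/registry
# -B: bcrypt hash; -n: print the entry to stdout instead of editing a file;
# -b: take the password from the command line (it then lands in shell history
# and is visible in `ps`). `htpasswd -Bc /data/auth/htpasswd admin` prompts
# for the password instead and writes the file directly.
htpasswd -Bbn admin admin > /data/auth/htpasswd
# Start the registry with htpasswd basic auth. No TLS is configured here, so
# clients have to list 192.168.10.12:8484 under insecure-registries and the
# basic-auth credentials cross the network in plain HTTP; keep this setup on an
# isolated test network. The image tag is unpinned ("registry" = latest);
# pin a tag or digest for anything beyond a throwaway test.
docker run -p 8484:5000 \
  --restart=always \
  --name registry \
  -v /data/registry:/var/lib/registry \
  -v /data/auth/:/auth/ \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
  -d registry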
#/etc/docker/daemon.json(insecure-registries 表示以明文 HTTP 访问该仓库,登录凭据会明文传输,仅适用于隔离的测试环境)
{
"exec-opts":["native.cgroupdriver=systemd"],
"registry-mirrors":["https://mirror.aliyuncs.com"],
"insecure-registries":["192.168.10.12:8484"]
}
#重启docker
systemctl daemon-reload
systemctl restart docker
登录 Docker Registry
登录可以是免交互式,也可以是交互式的
docker login -u 用户名 -p 密码 ip:端口 # 不建议在命令行中使用明文密码(会留在 shell 历史中),可改用 --password-stdin 从标准输入读取密码
docker login -u 用户名 ip:端口 # 不带 -p,回车后交互式输入密码(输入的密码不会显示)
docker login ip:端口 # 不输入密码和用户名,回车后,使用交互式输入用户名和密码(输入的密码不会显示)
登录
docker login 192.168.10.12:8484
admin
admin
[root@master01 data]# docker login 192.168.10.12:8484
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
登出
docker logout 192.168.10.12:8484
[root@master01 data]# docker logout 192.168.10.12:8484
Removing login credentials for 192.168.10.12:8484
测试镜像
docker pull nginx
docker tag nginx:latest 192.168.10.12:8484/nginx:v1.0.0
[root@master01 data]# docker pull 192.168.10.12:8484/nginx:v1.0.0
Error response from daemon: Head "http://192.168.10.12:8484/v2/nginx/manifests/v1.0.0": no basic auth credentials
docker push 192.168.10.12:8484/nginx:v1.0.0
#去除污点
kubectl taint nodes master01 node-role.kubernetes.io/master- # 键名末尾的 - 表示删除该污点
#删除本地镜像
docker rmi 192.168.10.12:8484/nginx:v1.0.0
#nginx.yaml文件
[root@master01 registry]# cat nginx.yaml
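apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-nginx-v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: svc-nginx-30083
  template:
    metadata:
      labels:
        app: svc-nginx-30083
    spec:
      containers:
        - name: svc-nginx-v1
          # Image comes from the private, htpasswd-protected registry. This
          # first version carries no imagePullSecrets, so the kubelet pulls
          # anonymously and the pull fails with "no basic auth credentials".
          image: 192.168.10.12:8484/nginx:v1.0.0
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80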
#创建nginx
[root@master01 registry]# kubectl create -f nginx.yaml
deployment.apps/deploy-nginx-v1 created
#查询状态
[root@master01 registry]# kubectl get pods
NAME READY STATUS RESTARTS AGE
deploy-nginx-v1-85979f6644-jnxnb 0/1 ImagePullBackOff 0 44s
[root@master01 registry]# kubectl describe pods deploy-nginx-v1-85979f6644-jnxnb
Normal Pulling 20s (x3 over 57s) kubelet Pulling image "192.168.10.12:8484/nginx:v1.0.0"
Warning Failed 20s (x3 over 57s) kubelet Failed to pull image "192.168.10.12:8484/nginx:v1.0.0": rpc error: code = Unknown desc = Error response from daemon: Head "http://192.168.10.12:8484/v2/nginx/manifests/v1.0.0": no basic auth credentials
Warning Failed 20s (x3 over 57s) kubelet Error: ErrImagePull
Normal BackOff 7s (x4 over 57s) kubelet Back-off pulling image "192.168.10.12:8484/nginx:v1.0.0"
Warning Failed 7s (x4 over 57s) kubelet Error: ImagePullBackOff
#修复
1.本机登录镜像仓库
2.拉取镜像时增加secret
创建secret(密码通过命令行参数传入,会留在 shell 历史中;Secret 中的凭据仅做 base64 编码,并非加密)
kubectl create secret docker-registry registry-10.12 --docker-server=192.168.10.12:8484 --docker-username=admin --docker-password=admin
查看secret
[root@master01 registry]# kubectl get secret
NAME TYPE DATA AGE
default-token-bmtqm kubernetes.io/service-account-token 3 26h
registry-10.12 kubernetes.io/dockerconfigjson 1 10s
#查看详情
kubectl describe secret registry-10.12
kubectl get secret registry-10.12 -o yaml
#修改nginx.yaml文件,增加参数
imagePullSecrets:
- name: registry-10.12
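apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-nginx-v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: svc-nginx-30083
  template:
    metadata:
      labels:
        app: svc-nginx-30083
    spec:
      containers:
        - name: svc-nginx-v1
          image: 192.168.10.12:8484/nginx:v1.0.0
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
      # imagePullSecrets is a pod-spec field (sibling of containers, not a
      # field of the container). It references the docker-registry Secret
      # created with `kubectl create secret docker-registry registry-10.12 ...`
      # so the kubelet can authenticate to 192.168.10.12:8484.
      imagePullSecrets:
        - name: registry-10.12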
#应用更新
kubectl apply -f nginx.yaml
#
[root@master01 registry]# kubectl get secret
NAME TYPE DATA AGE
default-token-bmtqm kubernetes.io/service-account-token 3 26h
registry-10.12 kubernetes.io/dockerconfigjson 1 21m
[root@master01 registry]# kubectl delete secret registry-10.12
secret "registry-10.12" deleted
[root@master01 registry]# kubectl get secret
NAME TYPE DATA AGE
default-token-bmtqm kubernetes.io/service-account-token 3 26h
[root@master01 registry]# ls
nginx.yaml
[root@master01 registry]# kubectl delete -f nginx.yaml
deployment.apps "deploy-nginx-v1" deleted
[root@master01 registry]# ls
nginx.yaml
[root@master01 registry]# kubectl get pods
No resources found in default namespace.
[root@master01 registry]# kubectl create secret docker-registry registry-10.12 --docker-server=192.168.10.12:8484 --docker-username=admin --docker-password=admin
secret/registry-10.12 created
[root@master01 registry]# kubectl get secret
NAME TYPE DATA AGE
default-token-bmtqm kubernetes.io/service-account-token 3 26h
registry-10.12 kubernetes.io/dockerconfigjson 1 8s
[root@master01 registry]# kubectl apply -f nginx.yaml
deployment.apps/deploy-nginx-v1 created
[root@master01 registry]# kubectl get pods
NAME READY STATUS RESTARTS AGE
deploy-nginx-v1-56447d94c6-5n2z6 1/1 Running 0 2s