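A brief guide to configuring Kubernetes to pull images from a private registry
1. Install and configure the private registry
See "Docker Harbor 1.9.0-rc1 image registry installation - HTTP access".
2. Log in to the private image registry with docker on the node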
[root@m7-autocv-gpu01 java-demo]# docker login 10.10.100.36
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
This creates the file .docker/config.json in a hidden directory under the home directory.
[root@m7-autocv-gpu01 ~]# pwd
/root
[root@m7-autocv-gpu01 ~]# cat .docker/config.json
{
	"auths": {
		"10.10.100.36": {
			"auth": "YWRtaW46SGFyYm9yMTIzNDU="
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/18.09.0 (linux)"
	}
}
Base64-encode the config.json file
[root@m7-autocv-gpu01 ~]# base64 -w 0 .docker/config.json
ewoJImF1dGhzIjogewoJCSIxMC4xMC4xMDAuMzYiOiB7CgkJCSJhdXRoIjogIllXUnRhVzQ2U0dGeVltOXlNVEl6TkRVPSIKCQl9Cgl9LAoJIkh0dHBIZWFkZXJzIjogewoJCSJVc2VyLUFnZW50IjogIkRvY2tlci1DbGllbnQvMTguMDkuMCAobGludXgpIgoJfQp9
Copy the encoded string into the .dockerconfigjson field of the secret's YAML file
[root@m7-autocv-gpu01 java-demo]# cat registry-pull-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: registry-pull-secret
  namespace: test
data:
  .dockerconfigjson: ewoJImF1dGhzIjogewoJCSIxMC4xMC4xMDAuMzYiOiB7CgkJCSJhdXRoIjogIllXUnRhVzQ2U0dGeVltOXlNVEl6TkRVPSIKCQl9Cgl9LAoJIkh0dHBIZWFkZXJzIjogewoJCSJVc2VyLUFnZW50IjogIkRvY2tlci1DbGllbnQvMTguMDkuMCAobGludXgpIgoJfQp9   ### this field is the encoded string of the .docker/config.json file
type: kubernetes.io/dockerconfigjson
Create the secret from the private-registry secret YAML file
[root@m7-autocv-gpu01 java-demo]# kubectl create -f registry-pull-secret.yaml
secret/registry-pull-secret created

View the secret:
[root@m7-autocv-gpu01 java-demo]# kubectl get secret -n test
NAME                   TYPE                             DATA   AGE
registry-pull-secret   kubernetes.io/dockerconfigjson   1      9s
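Configure the secret in the Deployment YAML file that deploys the project's pods
Example snippet:
spec:
  imagePullSecrets:
  - name: registry-pull-secret   ### name of the secret, which holds the private registry's login address and credentials
  containers:
  - name: tomcat
    image: 10.10.100.36/project/tomcat-java-demo:latest
    imagePullPolicy: Always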
Full example:
[root@m7-autocv-gpu01 java-demo]# cat deployment.yaml
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: tomcat-java-demo
  namespace: test
spec:
  replicas: 3
  selector:
    matchLabels:
      project: www
      app: java-demo
  template:
    metadata:
      labels:
        project: www
        app: java-demo
    spec:
      imagePullSecrets:
      - name: registry-pull-secret   ### name of the secret holding the private registry login credentials
      containers:
      - name: tomcat
        image: 10.10.100.36/project/tomcat-java-demo:latest
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
          name: web
          protocol: TCP
        resources:
          requests:
            cpu: 0.5
            memory: 0.5Gi
          limits:
            cpu: 1
            memory: 1Gi
        livenessProbe:
          httpGet:
            path: /
            port: 8080
          initialDelaySeconds: 60
          timeoutSeconds: 20
        readinessProbe:
          httpGet:
            path: /
            port: 8080
          initialDelaySeconds: 60
          timeoutSeconds: 20
Now, when the pods are created, the image is pulled from the private registry.
[root@m7-autocv-gpu01 java-demo]# kubectl apply -f deployment.yaml
deployment.apps/tomcat-java-demo configured

Check the pod status:
[root@m7-autocv-gpu01 java-demo]# kubectl get pods -n test
NAME                                READY   STATUS             RESTARTS   AGE
tomcat-java-demo-67557c8f59-hqkx6   0/1     ImagePullBackOff   0          21m
tomcat-java-demo-7f596f44bb-277jh   0/1     Running            0          43s
tomcat-java-demo-7f596f44bb-2r22m   1/1     Running            0          109s
tomcat-java-demo-7f596f44bb-mf62q   1/1     Running            0          3m1s
View the details of a created pod to confirm that the image was pulled from the private registry
[root@m7-autocv-gpu01 java-demo]# kubectl get pods -n test
NAME                                READY   STATUS    RESTARTS   AGE
tomcat-java-demo-7f596f44bb-277jh   1/1     Running   0          14m
tomcat-java-demo-7f596f44bb-2r22m   1/1     Running   0          15m
tomcat-java-demo-7f596f44bb-mf62q   1/1     Running   0          16m
[root@m7-autocv-gpu01 java-demo]# kubectl describe pod tomcat-java-demo-7f596f44bb-277jh -n test
Name:               tomcat-java-demo-7f596f44bb-277jh
Namespace:          test
Priority:           0
PriorityClassName:  <none>
Node:               m7-autocv-gpu03/10.10.100.19
Start Time:         Thu, 14 Nov 2019 11:33:01 +0800
Labels:             app=java-demo
                    pod-template-hash=7f596f44bb
                    project=www
Annotations:        <none>
Status:             Running
IP:                 172.30.32.11
Controlled By:      ReplicaSet/tomcat-java-demo-7f596f44bb
Containers:
  tomcat:
    Container ID:   docker://7a9397fe565d65984befb8d541176c7d6006228cf0328b8da9cedb579431cdec
    Image:          10.10.100.36/project/tomcat-java-demo:latest
    Image ID:       docker-pullable://10.10.100.36/project/tomcat-java-demo@sha256:af6bc2242e6acad0e85218e8c7088c9e9aedaeaf6b70a21ddb5fea7cd0043b4e
    Port:           8080/TCP
    Host Port:      0/TCP
    State:          Running
      Started:      Thu, 14 Nov 2019 11:33:07 +0800
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     1
      memory:  1Gi
    Requests:
      cpu:        500m
      memory:     512Mi
    Liveness:     http-get http://:8080/ delay=60s timeout=20s period=10s #success=1 #failure=3
    Readiness:    http-get http://:8080/ delay=60s timeout=20s period=10s #success=1 #failure=3
    Environment:  <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-gndgn (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  default-token-gndgn:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-gndgn
    Optional:    false
QoS Class:       Burstable
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type    Reason     Age   From                      Message
  ----    ------     ----  ----                      -------
  Normal  Scheduled  14m   default-scheduler         Successfully assigned test/tomcat-java-demo-7f596f44bb-277jh to m7-autocv-gpu03
  Normal  Pulling    14m   kubelet, m7-autocv-gpu03  Pulling image "10.10.100.36/project/tomcat-java-demo:latest"   ### image pulled from the private registry
  Normal  Pulled     14m   kubelet, m7-autocv-gpu03  Successfully pulled image "10.10.100.36/project/tomcat-java-demo:latest"
  Normal  Created    14m   kubelet, m7-autocv-gpu03  Created container tomcat
  Normal  Started    14m   kubelet, m7-autocv-gpu03  Started container tomcat
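
An added example, not part of the original post: the base64 step above is an encoding, not encryption, so anyone who can read the Secret can recover the registry login, and encoding the whole config.json copies every registry credential in that file into the namespace. The Python sketch below (helper names are hypothetical, sample credentials are constructed) builds a Secret containing only the one registry's entry and lists which accounts a given Secret exposes.

```python
import base64
import json

def minimal_pull_secret(config_text, registry, name, namespace):
    """Build a Secret manifest holding only the auth entry for `registry`."""
    auths = json.loads(config_text).get("auths", {})
    if "auth" not in auths.get(registry, {}):
        # With a credential helper configured, config.json has no inline auth.
        raise KeyError(f"no inline credential for {registry}")
    trimmed = {"auths": {registry: {"auth": auths[registry]["auth"]}}}
    encoded = base64.b64encode(json.dumps(trimmed).encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": encoded},
    }

def exposed_accounts(secret):
    """Decode a dockerconfigjson Secret; return sorted (registry, user) pairs."""
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    pairs = []
    for host, entry in json.loads(raw).get("auths", {}).items():
        user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
        pairs.append((host, user))
    return sorted(pairs)

def make_auth(user, password):
    """Same encoding docker login writes: base64("user:password")."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed sample config.json with two registries (made-up credentials).
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "10.10.100.36": {"auth": make_auth("demo-user", "demo-pass")},
        "registry.example.internal": {"auth": make_auth("other-user", "other-pass")},
    },
    "HttpHeaders": {"User-Agent": "Docker-Client/18.09.0 (linux)"},
})

if __name__ == "__main__":
    secret = minimal_pull_secret(SAMPLE_CONFIG, "10.10.100.36",
                                 "registry-pull-secret", "test")
    print(json.dumps(secret, indent=2))  # JSON manifest for kubectl create -f
    print(exposed_accounts(secret))
```

Running `exposed_accounts` against a Secret built from the full config.json returns both registries, which is the over-sharing the trimmed manifest avoids.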