kubernetes从私有仓库拉取镜像

06月11日, 2018 docker 渡渡鸟

kubernetes从私有仓库拉取镜像

06月11日, 2018

环境:

kubernetes: v1.10.4

docker: 17.03.2-ce

私有仓库使用的是Harbor

我们在Master上面创建一个私有凭证

kubectl create secret docker-registry regsecret \
    --docker-server=<your-registry-server>\
    --docker-username=<your-name>\
    --docker-password=<your-pword> \
    --docker-email=<your-email>

kubectl create secret docker-registry regsecret \

--docker-server=<your-registry-server>\

--docker-username=<your-name>\

--docker-password=<your-pword> \

--docker-email=<your-email>

参数	说明
regsecret	此参数作为凭证id
<your-registry-server>	你的私有仓库地址
<your-name>	用户名
<your-pword>	密码
<your-email>	email

这里我以阿里云私有仓库为示例,执行下面的命令创建私有凭证

kubectl create secret docker-registry regsecret \
    --docker-server=registry.cn-beijing.aliyuncs.com\
    --docker-username=1500698928@qq.com\
    --docker-password=你的密码 \
    --docker-email=1500698928@qq.com

kubectl create secret docker-registry regsecret \

--docker-server=registry.cn-beijing.aliyuncs.com\

--docker-username=1500698928@qq.com\

--docker-password=你的密码 \

--docker-email=1500698928@qq.com

查看创建的凭证，输出为yml

kubectl get secret regsecret  --output=yaml

1	kubectl get secret regsecret --output=yaml

查看创建的凭证，输出为json

kubectl get secret regsecret  --output=json

1	kubectl get secret regsecret --output=json

输出一下信息

{
    "apiVersion": "v1",
    "data": {
        ".dockerconfigjson": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    },
    "kind": "Secret",
    "metadata": {
        "creationTimestamp": "2018-06-11T06:25:43Z",
        "name": "regsecret",
        "namespace": "default",
        "resourceVersion": "4543",
        "selfLink": "/api/v1/namespaces/default/secrets/regsecret",
        "uid": "44dc2b93-6d40-11e8-8136-000c2925c79d"
    },
    "type": "kubernetes.io/dockerconfigjson"
}

{

"apiVersion": "v1",

"data": {

".dockerconfigjson": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

"kind": "Secret",

"metadata": {

"creationTimestamp": "2018-06-11T06:25:43Z",

"name": "regsecret",

"namespace": "default",

"resourceVersion": "4543",

"selfLink": "/api/v1/namespaces/default/secrets/regsecret",

"uid": "44dc2b93-6d40-11e8-8136-000c2925c79d"

"type": "kubernetes.io/dockerconfigjson"

}

该.dockerconfigjson字段的值是Docker凭据的base64表示形式

我们可以通过命令转化为可读格式

kubectl get secret regsecret --output="jsonpath={.data.\.dockerconfigjson}" | base64 -d

1	kubectl get secret regsecret --output="jsonpath={.data.\.dockerconfigjson}" \| base64 -d

输出

{"auths":{"registry.cn-beijing.aliyuncs.com":{"username":"1500698928@qq.com","password":"xxxxxxxx","email":"1500698928@qq.com","auth":"xxxxxx"}}}

1	{"auths":{"registry.cn-beijing.aliyuncs.com":{"username":"1500698928@qq.com","password":"xxxxxxxx","email":"1500698928@qq.com","auth":"xxxxxx"}}}

在Pod中使用凭证

apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    image: registry.cn-beijing.aliyuncs.com/typ/nginx_alpine:1.1
  imagePullSecrets:
  - name: regsecret

apiVersion: v1

kind: Pod

metadata:

name: private-reg

spec:

containers:

- name: private-reg-container

image: registry.cn-beijing.aliyuncs.com/typ/nginx_alpine:1.1

imagePullSecrets:

- name: regsecret

images换成你私有仓库的镜像

nam:regsecret是你刚才创建的凭证

通过查看日志可以发现已经成功下载了私有仓库的镜像

Events:
  Type     Reason                 Age               From               Message
  ----     ------                 ----              ----               -------
  Normal   Scheduled              4m                default-scheduler  Successfully assigned private-reg to ddu-3
  Normal   SuccessfulMountVolume  4m                kubelet, ddu-3     MountVolume.SetUp succeeded for volume "default-token-42nsz"
  Normal   Pulling                4m                kubelet, ddu-3     pulling image "registry.cn-beijing.aliyuncs.com/typ/nginx_alpine:1.1"
  Normal   Pulled                 2m                kubelet, ddu-3     Successfully pulled image "registry.cn-beijing.aliyuncs.com/typ/nginx_alpine:1.1"

Events:

Type Reason Age From Message