如何强制 kubernetes 集群使用本地注册表?

tag-icon tag-icon kubernetes
如何强制 kubernetes 集群使用本地注册表?

我的 kubernetes 集群 (LAB) 今天与互联网断开。显然是因为我的 Pod 都无法启动(不过 kube 系统中的 Pod 没有问题):

  Normal   Pulling         40m (x4 over 42m)      kubelet  Pulling image "nginx:latest"
  Warning  Failed          40m (x4 over 42m)      kubelet  Error: ErrImagePull
  Warning  Failed          40m                    kubelet  Failed to pull image "nginx:latest": failed to pull and unpack image "docker.io/library/nginx:latest": failed to resolve reference "docker.io/library/nginx:latest": failed to do request: Head "https://registry-1.docker.io/v2/library/nginx/manifests/latest": dial tcp: lookup registry-1.docker.io on 127.0.0.53:53: read udp 127.0.0.1:46391->127.0.0.53:53: i/o timeout
  Warning  BackOff         39m (x7 over 41m)      kubelet  Back-off restarting failed container nginx in pod nginx-deployment-5b9455bc67-j9sh9_default(46e9f74f-8d35-467b-b294-b8c469f95fa6)
  Warning  Failed          37m                    kubelet  Failed to pull image "nginx:latest": failed to pull and unpack image "docker.io/library/nginx:latest": failed to resolve reference "docker.io/library/nginx:latest": failed to do request: Head "https://registry-1.docker.io/v2/library/nginx/manifests/latest": dial tcp: lookup registry-1.docker.io on 127.0.0.53:53: read udp 127.0.0.1:45430->127.0.0.53:53: i/o timeout
  Warning  Failed          7m52s (x3 over 18m)    kubelet  (combined from similar events): Failed to pull image "nginx:latest": failed to pull and unpack image "docker.io/library/nginx:latest": failed to resolve reference "docker.io/library/nginx:latest": failed to do request: Head "https://registry-1.docker.io/v2/library/nginx/manifests/latest": dial tcp: lookup registry-1.docker.io on 127.0.0.53:53: read udp 127.0.0.1:49261->127.0.0.53:53: i/o timeout
  Normal   BackOff         2m58s (x150 over 42m)  kubelet  Back-off pulling image "nginx:latest"

这让我感到惊讶,因为我认为在集群上启动的任何 Pod 都会首先将其容器映像下载到本地注册表或本地容器运行时,然后从此处使用该映像。显然我错了。

问题: 如何强制 kubernetse 集群将映像下载/拉取到本地注册表?

此外,虽然我与互联网断开,但我仍然能够从(本地)存储库导出图像。怎么会???

sudo ctr -n k8s.io image export --local testimage docker.io/library/nginx@sha256:18090843a20ba39719ca4f389d509063ea4fcce9d16c7168f62404b6d630bc3e

[更新/解决方案] 如果我猜对了,我能看到的所有图像sudo ctr -n k8s.io image list实际上都在本地注册表中。

阻止 Pod 启动的原因是在其清单中设置了:imagePullPolicy: Always 这意味着:每次启动时都会在远程/本机注册表中查找最新映像

为了进行测试,我创建了新的 POD 设置imagePullPolicy: IfNotPresent,并指定了当有互联网连接时工作的 Pod/容器的映像名称。这样就成功创建了pod。

这意味着: imagePullPolicy: IfNotPresent - 如果您在启动时无法访问远程/本机注册表,请使用之前(在第一次部署时)下载/拉取到本地存储库或本地容器运行时的映像。

我发现 kube 系统部署清单的设置是这样的,这可能就是即使没有互联网它们也能工作的原因。

相关内容