我有一个 MicroK8s 实例,目前正在迁移我的应用程序。但我无法向 Gitlab 的私有注册表进行身份验证。
关于我的环境:
- MicroK8s
- Gitlab(注册表安全运行)
我进行的测试
为了测试我的私人 Gitlab 注册表,我使用了另一台机器并执行了docker pull registry.mydomain.com/my-group/my-image:my-tag。
在 K8s 中,我按照K8s 网站以及答案中的说明关于 SO 的问题。
我已经检查了命名空间,秘密创建正确!我恢复了凭证以确认它们是正确的。
我使用不同的方法来创建秘密imagePullSecrets。
第一次尝试
kubectl create secret docker-registry regcred \
--namespace=my-namespace \
--docker-server=registry.mydomain.com \
--docker-username="my-user" \
--docker-email="my-mail" \
--docker-password="my-gitlab-personal-access-token"
第二次尝试
kubectl create secret generic regcred \
--namespace=my-namespace \
--from-file=.dockerconfigjson=/home/hsouza/.docker/config.json \
--type=kubernetes.io/dockerconfigjson
创建我的秘密的两种方法都可以,但是在创建我的 pod 时出现了 ImagePullBackOff 错误。
对于两次生成 regcred 的尝试,我创建了如下 POD:
apiVersion: v1
kind: Pod
metadata:
namespace: my-namespace
name: test-private-register-pod
spec:
containers:
- name: test-private-register-pod
image: registry.mydomain.com/my-group/my-image:1.0.0
imagePullSecrets:
- name: regcred
分析时kubectl describe pod/test-private-register-pod返回以下消息:
Name: test-private-register-pod
Namespace: my-namespace
Priority: 0
Service Account: default
Node: k8s-dev/10.0.0.6
Start Time: Sat, 07 Oct 2023 11:25:23 -0300
Labels: <none>
Annotations: cni.projectcalico.org/containerID: 0d1a8c2d3f54ea9dfeccb69b96f930a6c5f40d6c9fa8c16994ac24676cecb5be
cni.projectcalico.org/podIP: 10.1.252.205/32
cni.projectcalico.org/podIPs: 10.1.252.205/32
Status: Pending
IP: 10.1.252.205
IPs:
IP: 10.1.252.205
Containers:
test-private-register-pod:
Container ID:
Image: registry.mydomain.com/my-group/my-image:1.0.0
Image ID:
Port: <none>
Host Port: <none>
State: Waiting
Reason: ImagePullBackOff
Ready: False
Restart Count: 0
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-8gj47 (ro)
Conditions:
Type Status
Initialized True
Ready False
ContainersReady False
PodScheduled True
Volumes:
kube-api-access-8gj47:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
DownwardAPI: true
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 16s default-scheduler Successfully assigned my-namespace/test-private-register-pod to k8s-dev
Normal Pulling 15s kubelet Pulling image "registry.mydomain.com/my-group/my-image:1.0.0"
Warning Failed 15s kubelet Failed to pull image "registry.mydomain.com/my-group/my-image:1.0.0": rpc error: code = Unknown desc = failed to pull and unpack image "registry.mydomain.com/my-group/my-image:1.0.0": failed to resolve reference "registry.mydomain.com/my-group/my-image:1.0.0": failed to authorize: failed to fetch oauth token: unexpected status: 403 Forbidden
Warning Failed 15s kubelet Error: ErrImagePull
Normal BackOff 14s (x2 over 15s) kubelet Back-off pulling image "registry.mydomain.com/my-group/my-image:1.0.0"
Warning Failed 14s (x2 over 15s) kubelet Error: ImagePullBackOff
在gitlab nginx日志中,k8s访问的状态码是401,我虚构了一下,尝试从https://requestcatcher.com/并且在分析 K8s 发出的请求时,它不会发送带有 Basic Auth 的标头。
这是我的问题,我感谢社区帮助我找出问题所在。