nerdctl 看到很多 k8s 镜像产生大量空标签

tag-icon tag-icon docker kubernetes kubeadm
nerdctl 看到很多 k8s 镜像产生大量空标签

错误报告

版本

kubeadm 版本(使用kubeadm version):v1.28.6 环境

  • Kubernetes 版本(使用kubectl version):v1.28.6

  • 云提供商或硬件配置:vsphere

  • 操作系统(例如来自/etc/os-release):

# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
  • 核心(例如uname -a):
# uname -a
Linux localhost.localdomain 3.10.0-1160.el7.x86_64 #1 SMP Mon Oct 19 16:18:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
  • 容器运行时 (CRI)(例如containerd,cri-o):
# containerd -v
containerd github.com/containerd/containerd v1.7.12 71909c1814c544ac47ab91d2e8b84718e517bb99
  • 容器网络插件 (CNI)(例如 Calico、Cilium):calico
  • 其他的

发生了什么?

通过编译 kubeadm 和镜像并将其存储在注册表存储库中,我使用 imageRepository: 10.102.28.1/google_containers 来拉取存储在注册表存储库中的镜像,我 kubernetes 将使用 crictl 来拉取镜像

apiVersion: kubeadm.k8s.io/v1beta3
kind: InitConfiguration
bootstrapTokens:
  - groups:
      - system:bootstrappers:kubeadm:default-node-token
    token: o07ftt.1k2k5dagbgypo863
    ttl: 876000h0m0s
    usages:
      - signing
      - authentication
localAPIEndpoint:
  advertiseAddress: 10.102.28.62
  bindPort: 6443
nodeRegistration:
  criSocket: unix:///var/run/containerd/containerd.sock
  name: localhost
  taints: null
---
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
kubernetesVersion: 1.28.6
imageRepository: 10.102.28.1/google_containers
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
networking:
  dnsDomain: cluster.local
  podSubnet: "172.90.0.0/16"
  serviceSubnet: "10.96.0.0/16"
apiServer:
  extraArgs:
    tls-cipher-suites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
    enable-admission-plugins: 'NodeRestriction,DefaultTolerationSeconds'
    max-requests-inflight: "1000"
    max-mutating-requests-inflight: "500"
    default-watch-cache-size: "500"
    kubelet-timeout: "5s"
    event-ttl: "1h0m0s"
    default-not-ready-toleration-seconds: "60"
    default-unreachable-toleration-seconds: "60"
  timeoutForControlPlane: 4m0s
etcd:
  local:
    dataDir: /var/lib/etcd
    extraArgs:
      election-timeout: "5000"
      heartbeat-interval: "500"
controllerManager:
  extraArgs:
    bind-address: 0.0.0.0
    concurrent-deployment-syncs: "5"
    concurrent-endpoint-syncs: "5"
    concurrent-gc-syncs: "20"
    concurrent-namespace-syncs: "10"
    concurrent-replicaset-syncs: "5"
    concurrent-service-syncs: "1"
    concurrent-serviceaccount-token-syncs: "5"
    cluster-signing-duration: "87600h0m0s"
    feature-gates: "RotateKubeletServerCertificate=true"
    pvclaimbinder-sync-period: "15s"
    node-monitor-period: "5s"
    node-monitor-grace-period: "20s"
    node-startup-grace-period: "30s"
scheduler:
  extraArgs:
    bind-address: 0.0.0.0
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
clientConnection:
  burst: 20
  qps: 120
mode: ipvs
---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
clusterDNS:
- 169.254.20.10
clusterDomain: cluster.local
cpuManagerPolicy: static
cgroupsPerQOS: true
cgroupDriver: systemd
systemReserved:
  cpu: "0.25"
  memory: "200Mi"
kubeReserved:
  cpu: "0.25"
  memory: "1500Mi"
evictionHard:
  memory.available: "100Mi"
  nodefs.available: "5%"
  nodefs.inodesFree: "3%"
  imagefs.available: "8%"
evictionPressureTransitionPeriod: 5m0s
featureGates:
  CPUManagerPolicyOptions: true
failSwapOn: true
fileCheckFrequency: 20s
hairpinMode: promiscuous-bridge
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 20s
imageGCHighThresholdPercent: 85
imageGCLowThresholdPercent: 80
imageMinimumGCAge: 2m0s
iptablesDropBit: 15
iptablesMasqueradeBit: 14
kubeAPIBurst: 20
kubeAPIQPS: 10
makeIPTablesUtilChains: true
maxOpenFiles: 1000000
maxPods: 110
nodeLeaseDurationSeconds: 40
nodeStatusReportFrequency: 10s
nodeStatusUpdateFrequency: 10s
oomScoreAdj: -999
podPidsLimit: -1
port: 10250
registryBurst: 10
registryPullQPS: 5
rotateCertificates: true
runtimeRequestTimeout: 2m0s
serializeImagePulls: true
staticPodPath: /etc/kubernetes/manifests
streamingConnectionIdleTimeout: 4h0m0s
syncFrequency: 5s
volumeStatsAggPeriod: 1m0s

我可以通过 crictl 查看拉取的图像

# crictl images
IMAGE                                                   TAG                 IMAGE ID            SIZE
10.102.28.1/google_containers/coredns                   v1.10.1             ead0a4a53df89       16.2MB
10.102.28.1/google_containers/etcd                      3.5.10-0            a0eed15eed449       56.5MB
10.102.28.1/google_containers/kube-apiserver            v1.28.6             078b4f8dadc5c       34.5MB
10.102.28.1/google_containers/kube-controller-manager   v1.28.6             7c9fcce49f5c7       33.3MB
10.102.28.1/google_containers/kube-proxy                v1.28.6             047da78ee6361       26.4MB
10.102.28.1/google_containers/kube-scheduler            v1.28.6             e11632c1a73ed       18.7MB
10.102.28.1/google_containers/pause                     3.9                 e6f1816883972       320kB

但是当你使用 nerdctl 查看它时,你会看到很多空标签。为什么

# nerdctl -n k8s.io images
REPOSITORY                                               TAG        IMAGE ID        CREATED           PLATFORM       SIZE         BLOB SIZE
10.102.28.1/google_containers/kube-apiserver             v1.28.6    d61ad6e78ba8    19 minutes ago    linux/amd64    123.3 MiB    32.9 MiB
10.102.28.1/google_containers/kube-apiserver             <none>     d61ad6e78ba8    19 minutes ago    linux/amd64    123.3 MiB    32.9 MiB
10.102.28.1/google_containers/kube-controller-manager    v1.28.6    54e75b217f1b    19 minutes ago    linux/amd64    119.5 MiB    31.7 MiB
10.102.28.1/google_containers/kube-controller-manager    <none>     54e75b217f1b    19 minutes ago    linux/amd64    119.5 MiB    31.7 MiB
10.102.28.1/google_containers/kube-proxy                 v1.28.6    f451e473cccc    19 minutes ago    linux/amd64    77.5 MiB     25.1 MiB
10.102.28.1/google_containers/kube-proxy                 <none>     f451e473cccc    19 minutes ago    linux/amd64    77.5 MiB     25.1 MiB
10.102.28.1/google_containers/kube-scheduler             v1.28.6    1b1e305ad145    19 minutes ago    linux/amd64    60.7 MiB     17.8 MiB
10.102.28.1/google_containers/kube-scheduler             <none>     1b1e305ad145    19 minutes ago    linux/amd64    60.7 MiB     17.8 MiB
10.102.28.1/google_containers/pause                      3.9        a9fc01b32f33    19 minutes ago    linux/amd64    728.0 KiB    312.4 KiB
10.102.28.1/google_containers/pause                      <none>     a9fc01b32f33    19 minutes ago    linux/amd64    728.0 KiB    312.4 KiB
<none>                                                   <none>     f451e473cccc    19 minutes ago    linux/amd64    77.5 MiB     25.1 MiB
<none>                                                   <none>     d61ad6e78ba8    19 minutes ago    linux/amd64    123.3 MiB    32.9 MiB
<none>                                                   <none>     54e75b217f1b    19 minutes ago    linux/amd64    119.5 MiB    31.7 MiB
<none>                                                   <none>     1b1e305ad145    19 minutes ago    linux/amd64    60.7 MiB     17.8 MiB
<none>                                                   <none>     a9fc01b32f33    19 minutes ago    linux/amd64    728.0 KiB    312.4 KiB

这是我的nerdctl配置文件,帮我看看是什么问题

# cat /etc/nerdctl/nerdctl.toml
debug          = false
debug_full     = false
address        = "unix:///run/containerd/containerd.sock"
namespace      = "k8s"
snapshotter    = "overlayfs"
cgroup_manager = "systemd"
hosts_dir      = ["/etc/containerd/certs.d", "/etc/docker/certs.d"]
insecure_registry = true

您期望发生什么?

我希望通过 nerdctl 看到的图像没有那些空标签,这会让它看起来很乱

nerdctl 版本

nerdctl version 1.7.2

相关内容