k8s pulls the image from the private warehouse

Pull images from private repositories | Kubernetes

Ready to begin

  • You must have a Kubernetes cluster, and you must configure the kubectl command line tool to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not control plane hosts.
  • You can build your own cluster via Minikube, or you can use one of the following Kubernetes practice environments:
    • Killercoda
    • Playing with Kubernetes
  • To perform this exercise, you need the docker command line tool and a Docker ID that you know the password for.
  • If you want to use a different private image repository, you need the command line tool and login information for the corresponding image repository.

Log in to the Docker image warehouse

On a personal computer, you must authenticate on the mirror repository in order to pull a private image.

Use the docker command tool to log in to Docker Hub. Check out the log in section of Docker ID accounts for more details.

docker login

# or
docker login <harbor warehouse address> -u <username> -p <password>
#eg
docker login https://k8s-harbor.com/harbor/project

When prompted, enter your Docker ID and Login credentials (access token or password for your Docker ID).

The login process creates or updates the config.json file that holds the authorization token. See how Kubernetes parses this file.

View the config.json file:

cat ~/.docker/config.json

Example output:

{
  "auths": {
    "https://index.docker.io/v1/": {
      "auth": "c3R...zE2"
    }
  }
}
# use
[root@rpp-vm00 ~]# cat ~/.docker/config.json
{
    "auths": {
        "k8s-harbor.com": {
            "auth": "cm9ib3QkcGVybWlzc2lvbl9wcm8rcHJvcm9ib3Q6ZTlwTVNhNTNmWjA4MUU4dFZJV1hJM3BtUmlveVhUNXo="
         }
    }
}

Description:

When using the Docker credential repository, you will not see
auth entry, you will see the warehouse name as the value
credsStore entry. At this point, you can create the Secret directly. See
Provide the credentials on the command line to create the secret.

Pull image configuration from Harbor non-public warehouse

Create a private image warehouse in Harbor, configure the relevant robot account, obtain the username and password of the robot account, and then configure it in Step 4 or Step 5.

3.1 Create a private project repository

3.2 Create a robot account

Create a robot account and set permissions and associated projects.

3.3 Create an internal robot account for the project

In addition to creating a global robot account, you can also create a robot account within the project. This robot account is only valid for this project:

3.4 Save robot account access credentials

Regardless of whether the robot account is created in chapter 5.2 or 5.3, the access credentials of the account will pop up after the creation is completed. Examples of the content are as follows:

Among them, name is the user name, and the password is secret:

 {
    "creation_time":"2023-10-30T03:50:21.260Z",
    "expires_at":-1,
    "id":4,
    "name":"robot$permission_pro + prorobot", // username
    "secret":"e9pMSa53fZ081E8tVIWXI3pmRioyXT5z" // Password
}

Method 1: Creategeneric based on existing credentials Secret

Kubernetes uses the kubernetes.io/dockerconfigjson type of Secret to authenticate the image warehouse and pull the image.

Run the previous docker login command and copy the credentials in ~/.docker/config.json to Kubernetes:

kubectl create secret generic regcred \
    --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
    --type=kubernetes.io/dockerconfigjson

More settings (for example, setting a namespace or label for a new Secret) can be customized. But it must:

  • Set the name in the data item to .dockerconfigjson
  • Encode the Docker configuration file using base64 encoding and paste the contents of that string as the value of the field data[".dockerconfigjson"]
  • Set type to kubernetes.io/dockerconfigjson

Example:

apiVersion: v1
Kind: Secret
metadata:
  name: myregistrykey
  namespace: awesomeapps
data:
  .dockerconfigjson: UmVhbGx5IHJlYWxseSByZWVlZWVlZWVlZWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGxsbGx5eXl5eXl5eXl5eXl 5eXl5eXl5eSBsbGxsbGxsbGxsbGxsbG9vb29vb29vb29vb29vb29vb29vb29vb29vb25ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubmdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2cgYXV0aCBrZX lzCg==
type: kubernetes.io/dockerconfigjson

If you receive the error message: error: no objects passed to create, this probably means that the base64-encoded string is invalid. If you receive an error message like Secret "myregistrykey" is invalid: data[.dockerconfigjson]: invalid value ... then it means The base64 encoded string in the data was successfully decoded, but could not be parsed into a .docker/config.json file.

(use) Method 2: Create docker-registry type Secret through the command line

Create a Secret named regcred:

kubectl create secret docker-registry regcred \
  --docker-server=<your image repository server> \
  --docker-username=<your username> \
  --docker-password=<your password> \
  --docker-email=<your email address>

# use '$' is a special character and needs to be escaped with ''
kubectl create secret docker-registry k8s-harbor-secret \
  --docker-server=https://k8s-harbor.com \
  --docker-username="robot\$permission_pro + prorobot" \
  --docker-password="e9pMSa53fZ081E8tVIWXI3pmRioyXT5z" \
  [email protected]

========================= Reference======================== ===
kubectl edit secret/k8s-harbor-secret
kubectl get secret k8s-harbor-secret --output=yaml
kubectl delete secret k8s-harbor-secret

kubectl get secret

kubectl get secret k8s-harbor-secret \
--output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode

Parameter explanation:

  • The fully qualified domain name (FQDN) of your private Docker repository. DockerHub uses https://index.docker.io/v1/.
  • Docker username.
  • Docker password.
  • Docker email.

Description:

On the command line type
Secret may be stored in the shell history without protection, and these Secret information may also be stored in the shell history.
Visible to other users on the PC while kubectl is running.

Check Secret

View the regcred created above in YAML format:

kubectl get secret regcred --output=yaml

# use
kubectl get secret k8s-harbor-secret --output=yaml

The output is similar to the following:

apiVersion: v1
Kind: Secret
metadata:
  ...
  name:regcred
  ...
data:
  .dockerconfigjson: eyJodHRwczovL2luZGV4L ... J0QUl6RTIifX0=
type: kubernetes.io/dockerconfigjson

The value of the .dockerconfigjson field is the base64 representation of the Docker credentials.

Convert Secret data to readable format:

kubectl get secret regcred \
--output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode

# use
kubectl get secret k8s-harbor-secret \
--output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode

The output is similar to the following:

{
    "auths":{
        "your.private.registry.example.com": {
            "username":"janedoe",
            "password":"xxxxxxxxxxx",
            "email":"[email protected]",
            "auth":"c3R...zE2"
        }
    }
}

View the contents of the auth field and decode the base64-encoded data:

echo "c3R...zE2" | base64 --decode

In the output, the username and password are linked with :, similar to the following:

janedoe:xxxxxxxxxxx

Note that the Secret data contains the authorization token similar to the local ~/.docker/config.json file.

Create a Pod that applies Secret

Here is an example pod configuration manifest where the pod accesses Docker credentials regcred:

pods/private-reg-pod.yaml

apiVersion: v1
Kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    image: <your-private-image> # Mirror path of private warehouse
  imagePullSecrets: # Get credentials from Secret
  - name: regcred

download file:

curl -L -o my-private-reg-pod.yaml https://k8s.io/examples/pods/private-reg-pod.yaml

The imagePullSecrets field configures the credentials of the warehouse image. regcred obtains credentials from the Secret named regcred.

Create a Pod and check if it is running normally:

kubectl apply -f my-private-reg-pod.yaml
kubectl get pod private-reg

Description:

To use an image to pull Secrets for a Pod (or Deployment, or other object with a Pod template), you need to ensure that the appropriate Secret actually exists in the correct namespace. The namespace used when defining the Pod is used.

Additionally, if the Pod fails to start with status ImagePullBackOff, view the Pod events:

kubectl describe pod private-reg

If the error FailedToRetrieveImagePullSecret is reported, it means that Kubernetes cannot find the Secret with the relevant name (regcred in this example).

Make sure the Secret exists and its name is spelled correctly. The following is an example of an error:

Events:
  ... Reason ... Message
       ------ -------
  ... FailedToRetrieveImagePullSecret ... Unable to retrieve some image pull secrets (<regcred>); attempting to pull the image may not succeed.

Create a Deployment that applies Secret

Deployment configuration manifest example, Deployment access Docker credentials regcred:

apiVersion: apps/v1 # Version
kind: Deployment # type
metadata: # Deployment metadata
  name: springboot-docker2-dp # Deployment name
  namespace: my-namespace-100
  labels: # label
    app: springboot-docker2-pod # Selector, used to match the label of the Pod to ensure that the Pod belongs to the Deployment
spec: # Pod information
  replicas: 3 # Number of replicas of Pod
  selector: # Tag selector
    matchLabels: # Selector, used to match the labels of the Pod to ensure that the Pod belongs to the Deployment
      app: springboot-docker2-pod # app=springboot-docker2
  template: # Pod template information, create Pod based on template information
    metadata: # Pod metadata
      labels: # The label of the Pod, matches the label in the Selector to ensure that the Pod belongs to the Deployment
        app: springboot-docker2-pod # Tag app=springboot-docker2
    spec: # Container information
      containers: # container
      - name: springboot-docker2 # Container name
        image: k8s-harbor.com/permission_pro/spring-boot-docker2:0.0.1-SNAPSHOT
        ports: # port
        - containerPort: 8600 # The port exposed by the container
          name: business-port
        - containerPort: 8800
          name: actuator-port
      imagePullSecrets: # Get credentials from Secret
      - name: k8s-harbor-secret

View running status:

vi springboot-docker2-dp-secret-svc-ingress.yml

kubectl apply -f springboot-docker2-dp-secret-svc-ingress.yml

kubectl delete -f springboot-docker2-dp-secret-svc-ingress.yml

kubectl getpod

kubectl describe pod springboot-docker2-dp-697ccf7c7c-7zntd

scp -r 192.168.31.55:/etc/docker/certs.d/k8s-harbor.com /etc/containerd/certs.d/

crictl pull k8s-harbor.com/permission_pro/spring-boot-docker2:0.0.1-SNAPSHOT
docker pull k8s-harbor.com/permission_pro/spring-boot-docker2:0.0.1-SNAPSHOT
scp 192.168.31.151:/usr/local/ssl/{server.crt,server.key,myCA.cer} .

scp 192.168.31.151:/usr/local/ssl/{myCA.crt,server.cert} .
insecure_skip_verify = false

$. systemctl restart containerd
$.systemctl status containerd

kubectl get deploy

kubectl get deploy springboot-docker2-dp

kubectl get pod private-reg
syntaxbug.com © 2021 All Rights Reserved.