I have a helm chart for deploying docker images. I configure the secret into kubernetes using the following:
apt-get install docker
sudo apt-get install python python3-pip
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 123456789.dkr.ecr.us-east-1.amazonaws.com
root@node1:~# cd .docker
root@node1:~/.docker# ls
cat config.json
kubectl create secret generic regcred \
--from-file=.dockerconfigjson=/root/.docker/config.json \
--type=kubernetes.io/dockerconfigjson
Into the helm chart I put:
imagePullSecrets:
- name: regcred
When I deploy the Helm chart it works fine, but after about 24 hours I get:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 91s default-scheduler Successfully assigned default/mockup-6c5cfb4677-qztdv to node2
Normal BackOff 24s (x5 over 90s) kubelet Back-off pulling image "381491899314.dkr.ecr.us-east-1.amazonaws.com/mockup:0.0.1"
Warning Failed 24s (x5 over 90s) kubelet Error: ImagePullBackOff
Normal Pulling 11s (x4 over 91s) kubelet Pulling image "123456789.dkr.ecr.us-east-1.amazonaws.com/mockup:0.0.1"
Warning Failed 11s (x4 over 90s) kubelet Failed to pull image "123456789.dkr.ecr.us-east-1.amazonaws.com/mockup:0.0.1": failed to pull and unpack image "123456789.dkr.ecr.us-east-1.amazonaws.com/mockup:0.0.1": failed to resolve reference "123456789.dkr.ecr.us-east-1.amazonaws.com/mockup:0.0.1": unexpected status from HEAD request to https://123456789.dkr.ecr.us-east-1.amazonaws.com/v2/mockup/manifests/0.0.1: 403 Forbidden
Warning Failed 11s (x4 over 90s) kubelet Error: ErrImagePull
root@node1:~#
It seems the token has expired. How can I make a permanent token? Is there a solution to this problem?
The documentation says:
The authorization token is valid for 12 hours.
The command has no option to extend the token's validity, so I think this is not possible.
To keep the token valid, I suggest creating a cron job that runs every 10-11 hours:
# Preparation for env and SA
# The env file holds AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_ACCOUNT_ID and REGION
kubectl create secret generic aws-credentials --from-env-file=<file path>
kubectl -n default create sa secrets-manager
apiVersion: batch/v1
kind: CronJob
metadata:
  name: refresh-aws-secret
  namespace: default
spec:
  schedule: "0 */11 * * *" # Run every 11 hours (the token lives for 12)
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: OnFailure
          serviceAccountName: secrets-manager
          containers:
            - name: refresh-aws-secret
              image: <any public image with aws-cli and kubectl>
              imagePullPolicy: IfNotPresent
              env:
                # Must match the imagePullSecrets name referenced by the chart
                - name: SECRET_NAME
                  value: aws
              envFrom:
                - secretRef:
                    name: aws-credentials
              command:
                - /bin/sh
                - -c
                - |-
                  kubectl delete secret --ignore-not-found ${SECRET_NAME}
                  kubectl create secret docker-registry ${SECRET_NAME} \
                    --docker-server=${AWS_ACCOUNT_ID}.dkr.ecr.${REGION}.amazonaws.com \
                    --docker-username=AWS \
                    --docker-password=$(aws ecr get-login-password --region ${REGION})
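The CronJob above runs as the `secrets-manager` service account, which has no permissions by default, so the `kubectl delete`/`kubectl create` calls will be rejected with a Forbidden error until a Role is bound to it. The following is an added example, not part of the answer, of a least-privilege Role and RoleBinding for that service account. It assumes the namespace `default`, the service account `secrets-manager` and the secret name `aws` from the answer's manifest; adjust the `resourceNames` entry if you use a different `SECRET_NAME`.

```yaml
# Added example (not from the answer): least-privilege RBAC for the
# secrets-manager service account that the refresh-aws-secret CronJob runs as.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ecr-secret-refresher
  namespace: default
rules:
  # Read/delete only the single secret the job manages.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["aws"]
    verbs: ["get", "delete"]
  # "create" cannot be restricted by resourceNames (the object does not exist
  # yet when the request is authorized), so it is granted on secrets in this
  # namespace only; no other namespaces or resources are reachable.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ecr-secret-refresher
  namespace: default
subjects:
  - kind: ServiceAccount
    name: secrets-manager
    namespace: default
roleRef:
  kind: Role
  name: ecr-secret-refresher
  apiGroup: rbac.authorization.k8s.io
```

Apply it with `kubectl apply -f` and confirm the grant before the first scheduled run with `kubectl auth can-i create secrets -n default --as=system:serviceaccount:default:secrets-manager`. Two things to check against the question's setup: the chart references `imagePullSecrets: regcred` while the CronJob writes a secret named `aws`, so one of the two names has to change for pods to pick up the refreshed token; and the delete-then-create sequence leaves a brief window with no secret at all, which can be avoided by piping `kubectl create secret docker-registry ... --dry-run=client -o yaml` into `kubectl apply -f -` so the secret is updated in place. Storing long-lived IAM access keys in `aws-credentials` is the weakest link of this scheme; on EKS, IAM Roles for Service Accounts lets the job obtain short-lived credentials without any static key in the cluster.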