k8s docker hub 登录凭据不起作用

问题描述 投票:0回答:1

问题是这样的: 我在 Kubernetes 上有一个集群,使用 Containerd 作为容器运行时和 Docker Hub 注册表,我在其中存储我的私有图像,也是 linux centos 7 上的主节点。

我使用

docker login
和我的PAT(个人访问令牌)登录到Docker,之后我检查了docker的工作并拉取了我的几个私有镜像,没有任何问题。 接下来,我在计划拉取图像的同一命名空间中为我的 k8s 创建了一个秘密的“dockerhub-credentials”。

# kubectl create secret docker-registry dockerhub-credentials \
    --docker-server=https://index.docker.io/v1/ \
    --docker-username=<username> \
    --docker-password=<dockerhubPAT> \
    --docker-email=<[email protected]> -n <mynamespace>

此后,我可以通过 k8s 部署拉取公共镜像,没有任何问题,但我无法从 docker hub 中自己的帐户拉取私有镜像。 我在 k8s 中的示例部署:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-world-deployment
  namespace: <mynamespace>
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-world
  template:
    metadata:
      labels:
        app: hello-world
    spec:
      containers:
      - name: hello-world-container
        image: <dockerhub-username>/<dockerhub-repository-name>:<image-tag>
      imagePullSecrets:
      - name: dockerhub-credentials

错误是:

# kubectl get pods -n <mynamespace>
NAME                                     READY   STATUS             RESTARTS   AGE
hello-world-deployment-79dbffcd7-xq5br   0/1     ImagePullBackOff   0          146m

# kubectl logs hello-world-deployment-79dbffcd7-xq5br -n <mynamespace>
Error from server (BadRequest): container "hello-world-container" in pod "hello-world-deployment-79dbffcd7-xq5br" is waiting to start: trying and failing to pull image

并描述:

# kubectl describe pod hello-world-deployment-79dbffcd7-xq5br -n <mynamespace>
Name:             hello-world-deployment-79dbffcd7-xq5br
Namespace:        <mynamespace>
Priority:         0
Service Account:  default
Node:             worker-1/192.168.10.8
Start Time:       Tue, 19 Sep 2023 22:35:44 +0600
Labels:           app=hello-world
                  pod-template-hash=79dbffcd7
Annotations:      <none>
Status:           Pending
IP:               10.44.0.2
IPs:
  IP:           10.44.0.2
Controlled By:  ReplicaSet/hello-world-deployment-79dbffcd7
Containers:
  hello-world-container:
    Container ID:   
    Image:          <dockerhub-username>/<dockerhub-repository-name>:<image-tag>
    Image ID:       
    Port:           <none>
    Host Port:      <none>
    State:          Waiting
      Reason:       ImagePullBackOff
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-ntlw7 (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             False 
  ContainersReady   False 
  PodScheduled      True 
Volumes:
  kube-api-access-ntlw7:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason   Age                    From     Message
  ----     ------   ----                   ----     -------
  Warning  Failed   29m (x13 over 135m)    kubelet  Error: ErrImagePull
  Warning  Failed   20m (x2 over 37m)      kubelet  Failed to pull image "<dockerhub-username>/<dockerhub-repository-name>:<image-tag>": failed to pull and unpack image "docker.io/<dockerhub-username>/<dockerhub-repository-name>:<image-tag>": failed to read expected number of bytes: unexpected EOF
  Warning  Failed   10m (x13 over 135m)    kubelet  Failed to pull image "<dockerhub-username>/<dockerhub-repository-name>:<image-tag>": failed to pull and unpack image "docker.io/<dockerhub-username>/<dockerhub-repository-name>:<image-tag>": failed to copy: httpReadSeeker: failed open: server message: invalid_token: authorization failed
  Normal   BackOff  9m49s (x55 over 135m)  kubelet  Back-off pulling image "<dockerhub-username>/<dockerhub-repository-name>:<image-tag>"

这是我的秘密:

# kubectl describe secrets dockerhub-credentials -n <mynamespace>
Name:         dockerhub-credentials
Namespace:    <mynamespace>
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/dockerconfigjson

Data
====
.dockerconfigjson:  223 bytes

JSON 输出:

# kubectl get secret dockerhub-credentials -n <mynamespace> -o json
{
    "apiVersion": "v1",
    "data": {
        ".dockerconfigjson": "<HERE'S-BASE64-ENCODED-DATA-FROM-DOCKERCONFIG.JSON>"
    },
    "kind": "Secret",
    "metadata": {
        "creationTimestamp": "2023-09-19T16:35:32Z",
        "name": "dockerhub-credentials",
        "namespace": "<mynamespace>",
        "resourceVersion": "3557701",
        "uid": "e453ef1d-f4df-4c2a-9c08-f4e1271f8b03"
    },
    "type": "kubernetes.io/dockerconfigjson"
}

顺便说一句,我用语法替换了所有真实数据,使其更加抽象

我尝试了不同的授权方法,并阅读了有关 stackoverflow 和其他资源的大量讨论。我已经被困在这个基本阶段好几天了。抱歉,我正在学习(另外,这是我的第一个 stackoverflow 问题)。如果有人可以解决这个问题,我准备提供几乎任何信息! 如果有任何帮助,我将不胜感激!

docker authentication kubernetes docker-registry kubernetes-secrets
1个回答
0
投票

多尝试一下兄弟,我相信你:)

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.