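Here is the problem: I have a cluster on Kubernetes that uses Containerd as the container runtime and a Docker Hub registry, where I store my private images; the master node is also on Linux CentOS 7.
I logged in to Docker using docker login with my PAT (personal access token); after that I checked that docker works and pulled several of my private images without any problems.
Next, I created a secret "dockerhub-credentials" for my k8s in the same namespace where I plan to pull the images.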
# kubectl create secret docker-registry dockerhub-credentials \
--docker-server=https://index.docker.io/v1/ \
--docker-username=<username> \
--docker-password=<dockerhubPAT> \
--docker-email=<[email protected]> -n <mynamespace>
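After that, I can pull public images through a k8s deployment without any problems, but I cannot pull private images from my own account on Docker Hub. My sample deployment in k8s: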
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-world-deployment
  namespace: <mynamespace>
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-world
  template:
    metadata:
      labels:
        app: hello-world
    spec:
      containers:
      - name: hello-world-container
        image: <dockerhub-username>/<dockerhub-repository-name>:<image-tag>
      imagePullSecrets:
      - name: dockerhub-credentials
The error is:
# kubectl get pods -n <mynamespace>
NAME READY STATUS RESTARTS AGE
hello-world-deployment-79dbffcd7-xq5br 0/1 ImagePullBackOff 0 146m
# kubectl logs hello-world-deployment-79dbffcd7-xq5br -n <mynamespace>
Error from server (BadRequest): container "hello-world-container" in pod "hello-world-deployment-79dbffcd7-xq5br" is waiting to start: trying and failing to pull image
And describe:
# kubectl describe pod hello-world-deployment-79dbffcd7-xq5br -n <mynamespace>
Name: hello-world-deployment-79dbffcd7-xq5br
Namespace: <mynamespace>
Priority: 0
Service Account: default
Node: worker-1/192.168.10.8
Start Time: Tue, 19 Sep 2023 22:35:44 +0600
Labels: app=hello-world
pod-template-hash=79dbffcd7
Annotations: <none>
Status: Pending
IP: 10.44.0.2
IPs:
IP: 10.44.0.2
Controlled By: ReplicaSet/hello-world-deployment-79dbffcd7
Containers:
hello-world-container:
Container ID:
Image: <dockerhub-username>/<dockerhub-repository-name>:<image-tag>
Image ID:
Port: <none>
Host Port: <none>
State: Waiting
Reason: ImagePullBackOff
Ready: False
Restart Count: 0
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-ntlw7 (ro)
Conditions:
Type Status
Initialized True
Ready False
ContainersReady False
PodScheduled True
Volumes:
kube-api-access-ntlw7:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
DownwardAPI: true
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning Failed 29m (x13 over 135m) kubelet Error: ErrImagePull
Warning Failed 20m (x2 over 37m) kubelet Failed to pull image "<dockerhub-username>/<dockerhub-repository-name>:<image-tag>": failed to pull and unpack image "docker.io/<dockerhub-username>/<dockerhub-repository-name>:<image-tag>": failed to read expected number of bytes: unexpected EOF
Warning Failed 10m (x13 over 135m) kubelet Failed to pull image "<dockerhub-username>/<dockerhub-repository-name>:<image-tag>": failed to pull and unpack image "docker.io/<dockerhub-username>/<dockerhub-repository-name>:<image-tag>": failed to copy: httpReadSeeker: failed open: server message: invalid_token: authorization failed
Normal BackOff 9m49s (x55 over 135m) kubelet Back-off pulling image "<dockerhub-username>/<dockerhub-repository-name>:<image-tag>"
Here is my secret:
# kubectl describe secrets dockerhub-credentials -n <mynamespace>
Name: dockerhub-credentials
Namespace: <mynamespace>
Labels: <none>
Annotations: <none>
Type: kubernetes.io/dockerconfigjson
Data
====
.dockerconfigjson: 223 bytes
JSON output:
# kubectl get secret dockerhub-credentials -n <mynamespace> -o json
{
"apiVersion": "v1",
"data": {
".dockerconfigjson": "<HERE'S-BASE64-ENCODED-DATA-FROM-DOCKERCONFIG.JSON>"
},
"kind": "Secret",
"metadata": {
"creationTimestamp": "2023-09-19T16:35:32Z",
"name": "dockerhub-credentials",
"namespace": "<mynamespace>",
"resourceVersion": "3557701",
"uid": "e453ef1d-f4df-4c2a-9c08-f4e1271f8b03"
},
"type": "kubernetes.io/dockerconfigjson"
}
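By the way, I replaced all the real data with placeholder syntax to make it more abstract.
I tried different authorization methods and read a lot of discussions on stackoverflow and other resources. I have been stuck at this basic stage for several days. Sorry, I am still learning (also, this is my first stackoverflow question). If someone can solve this, I am ready to provide almost any information! I would appreciate any help!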
Keep trying bro, I believe in you :)
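One way to sanity-check the base64 `.dockerconfigjson` value of a pull secret such as `dockerhub-credentials` without printing the credentials. This is an added example, not part of the original question or thread; the function names, the Docker Hub host list and the sample values are assumptions made here.

```python
import base64
import json

# Hosts under which Docker Hub credentials are usually keyed (assumption of this example).
DOCKER_HUB_HOSTS = {"index.docker.io", "docker.io", "registry-1.docker.io"}

def registry_host(key):
    """Reduce an 'auths' key such as https://index.docker.io/v1/ to its host name."""
    return key.split("://", 1)[-1].split("/", 1)[0].lower()

def check_pull_secret(b64_config):
    """Return problems found in a base64 .dockerconfigjson value; never echoes credentials."""
    try:
        config = json.loads(base64.b64decode(b64_config, validate=True))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        return [f"cannot decode secret: {type(exc).__name__}"]
    auths = config.get("auths") if isinstance(config, dict) else None
    if not isinstance(auths, dict) or not auths:
        return ["no 'auths' entries"]
    problems = []
    if not any(registry_host(k) in DOCKER_HUB_HOSTS for k in auths):
        problems.append("no entry for Docker Hub")
    for key, entry in auths.items():
        entry = entry if isinstance(entry, dict) else {}
        user, password = entry.get("username", ""), entry.get("password", "")
        if "auth" in entry:
            try:
                decoded = base64.b64decode(entry["auth"], validate=True).decode()
            except ValueError:
                problems.append(f"{key}: 'auth' is not valid base64")
                continue
            auth_user, _, auth_pass = decoded.partition(":")
            if (user or password) and (auth_user, auth_pass) != (user, password):
                problems.append(f"{key}: 'auth' disagrees with username/password")
            user, password = auth_user, auth_pass
        if not user or not password:
            problems.append(f"{key}: missing username or password")
        elif user != user.strip() or password != password.strip():
            problems.append(f"{key}: credential has leading/trailing whitespace")
        elif user.startswith("<") or password.startswith("<"):
            problems.append(f"{key}: placeholder was not replaced")
    return problems

def make_secret(server, user, password):
    """Build a constructed sample secret value in the kubernetes.io/dockerconfigjson layout."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    doc = {"auths": {server: {"username": user, "password": password, "auth": auth}}}
    return base64.b64encode(json.dumps(doc).encode()).decode()

if __name__ == "__main__":  # constructed sample: token pasted with a trailing newline
    print(check_pull_secret(make_secret("https://index.docker.io/v1/", "exampleuser", "example-token\n")))
```

The input is the string stored under `.dockerconfigjson` in the `data` field of the Secret's JSON output; an empty result means only that the secret is well-formed, not that the registry accepts the token.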