我试图从我在 Kubernetes 中的私有 Docker 注册表中拉取我的 Docker 镜像,但我收到了这个错误:ImagePullBackOff
NAME READY STATUS RESTARTS AGE
nginx-994fc8fb7-f24sv 2/2 Running 0 2d22h
portals-app-669b654d87-lk258 0/1 ImagePullBackOff 0 66m
portals-app-669b654d87-p87c6 0/1 ImagePullBackOff 0 67m
portals-app-7775d445-c5762 0/1 ImagePullBackOff 0 66m
所以我用describe命令查看错误详情,错误如下:
Name: portals-app-669b654d87-lk258
Namespace: default
Priority: 0
Service Account: default
Node: client-portal-nodepool-qjfch/10.127.0.2
Start Time: Sat, 25 Feb 2023 20:30:56 +1100
Labels: app=app
pod-template-hash=669b654d87
Annotations: <none>
Status: Pending
IP: 10.244.0.60
IPs:
IP: 10.244.0.60
Controlled By: ReplicaSet/portals-app-669b654d87
Initialized True
Ready False
ContainersReady False
PodScheduled True
Volumes:
kube-api-access-s2j6z:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
DownwardAPI: true
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal BackOff 2m34s (x284 over 67m) kubelet Back-off pulling image
"xichen9718/portals_docker_repository:latest"
感觉这个报错信息不是很清楚,估计跟Docker Private Registry认证有关系。所以我创建了一个单独的 Pod。这是我的 pod Yaml 文件。:
apiVersion: v1
kind: Pod
metadata:
name: private-reg
spec:
containers:
- name: private-reg-container
image: xichen9718/portals_docker_repository:latest
imagePullSecrets:
- name: regcred
然后我再次运行 describe 命令,此时我得到了这个:
Name: private-reg
Namespace: default
Priority: 0
Service Account: default
Node: client-portal-nodepool-qjfch/10.127.0.2
Start Time: Sat, 25 Feb 2023 21:15:52 +1100
Labels: <none>
Annotations: <none>
Status: Pending
IP: 10.244.0.79
IPs:
IP: 10.244.0.79
Containers:
private-reg-container:
Container ID:
Image: xichen9718/portals_docker_repository:latest
Image ID:
Port: <none>
Host Port: <none>
State: Waiting
Reason: ImagePullBackOff
Ready: False
Restart Count: 0
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-7gvvj (ro)
Conditions:
Type Status
Initialized True
Ready False
ContainersReady False
PodScheduled True
Volumes:
kube-api-access-7gvvj:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
DownwardAPI: true
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 50s default-scheduler Successfully assigned default/private-reg to client-portal-nodepool-qjfch
Warning Failed 28s (x2 over 46s) kubelet Failed to pull image "xichen9718/portals_docker_repository:latest": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/xichen9718/portals_docker_repository:latest": failed to resolve reference "docker.io/xichen9718/portals_docker_repository:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
Warning Failed 28s (x2 over 46s) kubelet Error: ErrImagePull
Normal BackOff 15s (x2 over 45s) kubelet Back-off pulling image "xichen9718/portals_docker_repository:latest"
Warning Failed 15s (x2 over 45s) kubelet Error: ImagePullBackOff
Normal Pulling 2s (x3 over 49s) kubelet Pulling image "xichen9718/portals_docker_repository:latest"
但我认为我成功地设置了秘密,当我运行时
kubectl get secret regcred --output=yaml
,
我可以查看我的 .dockerconfigjson 和其他数据。并且我尝试在本地拉取镜像,我可以成功拉取它,这意味着我的镜像名称和标签是正确的。
我现在真的很困惑,有人可以帮我解决这个问题吗?
非常感谢。
这个:
spec:
containers:
- name: private-reg-container
image: xichen9718/portals_docker_repository:latest
是从 docker.io 中提取的,而不是私人仓库。
另外,这个:
Warning Failed 28s (x2 over 46s) kubelet Failed to pull image "xichen9718/portals_docker_repository:latest": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/xichen9718/portals_docker_repository:latest": failed to resolve reference "docker.io/xichen9718/portals_docker_repository:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
说授权失败。大概是因为您正在尝试针对 docker hub 而不是您的私人仓库进行身份验证。
如果您使用的是私人仓库,则需要在图像中包含仓库的主机名,例如
spec:
containers:
- name: private-reg-container
image: myprivaterepo.com/xichen9718/portals_docker_repository:latest
如果你不这样做,它会假设 docker hub
您从 docker 使用的生成的令牌或密码似乎有问题:
Failed to pull image "xichen9718/portals_docker_repository:latest": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/xichen9718/portals_docker_repository:latest": failed to resolve reference "docker.io/xichen9718/portals_docker_repository:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
如果您按照第一种方法创建秘密(Create a Secret based on existing credentials)。你能仔细检查一下你当时是否登录了 docker hub 并从 docker 配置文件中获取了凭据吗?
或者您可以更明确地使用支持的第二个选项,如下所示。最好也尝试一下。
kubectl create secret docker-registry regcred --docker-server=<your-registry-server> \
--docker-username=<your-name> \
--docker-password=<your-pword> \
--docker-email=<your-email>