Kubernetes: pulling private images via a ServiceAccount


    Earlier we saw that a Pod can control how its images are fetched through imagePullPolicy and imagePullSecrets. A ServiceAccount can do the same: its top-level imagePullSecrets field (the ServiceAccount object has no spec) holds a list of Secrets dedicated to image pulls, and the kubelet presents them to the private registry when it authenticates before pulling the image at container creation time.

    1. Create the Secret

    Fill in your own registry address and credentials; they must be correct, otherwise pull/push fails. Note that a password given with --docker-password ends up in shell history and in `ps` output. For anything beyond a test cluster, prefer building the Secret from a docker config file instead (kubectl create secret generic NAME --from-file=.dockerconfigjson=PATH --type=kubernetes.io/dockerconfigjson) and use a pull-only credential rather than an account that can also push.

    root@ks-master01-10:~# kubectl create secret docker-registry \
    > aliyun-haitang \
    > --docker-server=registry.cn-hangzhou.aliyuncs.com \
    > --docker-username=xxxxxxx \
    > --docker-password=xxxxxx
    secret/aliyun-haitang created
    

    1.1 Inspect the Secret

    root@ks-master01-10:~#  kubectl describe secret aliyun-haitang
    Name:         aliyun-haitang
    Namespace:    default
    Labels:       
    Annotations:  
    
    Type:  kubernetes.io/dockerconfigjson
    
    Data
    ====
    .dockerconfigjson:  140 bytes
    

    2. Create the ServiceAccount

    2.1 Without any pull credentials, test whether the private image can be pulled

    No image-pull credentials are configured here (imagePullPolicy is irrelevant to this; the question is whether the kubelet can authenticate). Test whether the image in the private registry can be pulled:

    root@ks-master01-10:~#  cat pod-serviceaccount-secret.yaml 
    apiVersion: v1
    kind: Pod
    metadata:
      name: stree-serviceaccount
    spec:
      containers:
      - name: stree
        image: registry.cn-hangzhou.aliyuncs.com/lengyuye/stress:latest
    

    2.2 Check the Pod: it sits in ErrImagePull

    root@ks-master01-10:~# kubectl get pods
    NAME                                      READY   STATUS         RESTARTS       AGE
    stree-serviceaccount                      0/1     ErrImagePull   0              8s
    

    2.3 describe the Pod and look at the Events

    The events show that the failure is registry authentication: the kubelet pulled anonymously and the registry denied access. The message also covers the "repository does not exist" case, so check the image name too before assuming credentials are the only problem.

    root@ks-master01-10:~# kubectl describe pods stree-serviceaccount
    Events:
      Type     Reason     Age               From               Message
      ----     ------     ----              ----               -------
      Normal   Scheduled  20s               default-scheduler  Successfully assigned default/stree-serviceaccount to ks-node02-12
      Normal   BackOff    17s               kubelet            Back-off pulling image "registry.cn-hangzhou.aliyuncs.com/lengyuye/stress:latest"
      Warning  Failed     17s               kubelet            Error: ImagePullBackOff
      Normal   Pulling    2s (x2 over 19s)  kubelet            Pulling image "registry.cn-hangzhou.aliyuncs.com/lengyuye/stress:latest"
      Warning  Failed     2s (x2 over 18s)  kubelet            Failed to pull image "registry.cn-hangzhou.aliyuncs.com/lengyuye/stress:latest": rpc error: code = Unknown desc = Error response from daemon: pull access denied for registry.cn-hangzhou.aliyuncs.com/lengyuye/stress, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
      Warning  Failed     2s (x2 over 18s)  kubelet            Error: ErrImagePull
    

    2.4 Create the ServiceAccount

    aliyun-haitang is the docker-registry type Secret created by hand above; its key-value data carries the registry server address, the username, the password and, optionally, an e-mail address. Once the registry accepts those credentials, any Pod that references the ServiceAccount can pull images from that registry.

    root@ks-master01-10:~# cat serviceaccount-imagepullsecret.yaml 
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: imagepull-aliyun-sa
    imagePullSecrets:
    - name: aliyun-haitang
    root@ks-master01-10:~# kubectl apply -f serviceaccount-imagepullsecret.yaml 
    serviceaccount/imagepull-aliyun-sa created
    

    2.5 Inspect the SA

    The imagePullSecrets list is the part that matters here. The secrets: entry below is the auto-generated API token Secret that clusters before v1.24 created for every ServiceAccount; it has nothing to do with image pulls and is absent on newer clusters.

    root@ks-master01-10:~# kubectl get sa imagepull-aliyun-sa -o yaml
    apiVersion: v1
    imagePullSecrets:
    - name: aliyun-haitang
    kind: ServiceAccount
    metadata:
      annotations:
        kubectl.kubernetes.io/last-applied-configuration: |
          {"apiVersion":"v1","imagePullSecrets":[{"name":"aliyun-haitang"}],"kind":"ServiceAccount","metadata":{"annotations":{},"name":"imagepull-aliyun-sa","namespace":"default"}}
      creationTimestamp: "2022-09-07T02:31:05Z"
      name: imagepull-aliyun-sa
      namespace: default
      resourceVersion: "226300"
      uid: fabc93b1-572c-4703-a2dd-465d4e0915cb
    secrets:
    - name: imagepull-aliyun-sa-token-vf67z
    

    2.6 Reference the ServiceAccount from the Pod

    Delete the failed Pod from 2.1 first (kubectl delete pod stree-serviceaccount): the ServiceAccount of a running Pod is immutable, so it cannot be patched in place and apply would be rejected.

    root@ks-master01-10:~# cat pod-serviceaccount-secret.yaml 
    apiVersion: v1
    kind: Pod
    metadata:
      name: stree-serviceaccount
    spec:
      serviceAccountName: imagepull-aliyun-sa   # name of the SA created above (serviceAccount is the deprecated alias of this field)
      containers:
      - name: stree
        image: registry.cn-hangzhou.aliyuncs.com/lengyuye/stress:latest
    root@ks-master01-10:~/rbac# kubectl apply -f pod-serviceaccount-secret.yaml 
    pod/stree-serviceaccount created
    

    3. Test the Pod

    3.1 Check the Pod

    root@ks-master01-10:~# kubectl get pods
    NAME                                      READY   STATUS    RESTARTS       AGE
    stree-serviceaccount                      1/1     Running   0              8s
    

    3.2 describe the Pod and check the events

    root@ks-master01-10:~# kubectl describe pods stree-serviceaccount
    Events:
      Type    Reason     Age    From               Message
      ----    ------     ----   ----               -------
      Normal  Scheduled  3m36s  default-scheduler  Successfully assigned default/stree-serviceaccount to ks-node02-12
      Normal  Pulling    3m35s  kubelet            Pulling image "registry.cn-hangzhou.aliyuncs.com/lengyuye/stress:latest"
      Normal  Pulled     3m33s  kubelet            Successfully pulled image "registry.cn-hangzhou.aliyuncs.com/lengyuye/stress:latest" in 1.729555429s
      Normal  Created    3m33s  kubelet            Created container stree
      Normal  Started    3m33s  kubelet            Started container stree
    

    3.3 Check the Pod spec in detail

    The ServiceAccount admission controller copied the SA's imagePullSecrets into the Pod's own spec.imagePullSecrets, which is what the kubelet actually uses; a Pod may also list imagePullSecrets directly, and both sources are tried. Security note: every Pod that runs under this ServiceAccount (and, if the Secret is added to the default SA, every Pod in the namespace) can pull with this credential, and anyone allowed to get Secrets in the namespace can read the registry password, so keep the Secret in the namespaces that need it and issue a pull-only credential.

    root@ks-master01-10:~# kubectl get pods stree-serviceaccount -o yaml
      imagePullSecrets:
      - name: aliyun-haitang
      nodeName: ks-node02-12
      preemptionPolicy: PreemptLowerPriority
      priority: 0
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: imagepull-aliyun-sa
      serviceAccountName: imagepull-aliyun-sa
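    The whole procedure above, as an added example that is not part of the original post: a POSIX shell script that builds the same kubernetes.io/dockerconfigjson Secret that `kubectl create secret docker-registry` produces, but reads the password from an environment variable instead of the command line, and adds a preflight check that the credential actually matches the registry of the image the Pod will pull, so the mismatch shows up before the Pod goes into ErrImagePull. The registry host and the Secret name aliyun-haitang come from the post; the username, password and the extra image names used in the checks are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a kubernetes.io/dockerconfigjson
# Secret without passing the password on a command line, and checks that the
# credential covers the registry of the image before the Pod is created.
# Assumed values: REGISTRY_USER / REGISTRY_PASSWORD and the image names used in
# the checks are placeholders; registry host and Secret name are from the post.
set -eu

# Build the .dockerconfigjson document for one registry, in the shape kubectl
# produces: {"auths":{"<server>":{"username","password","auth"}}}.
# Values are not JSON-escaped, so a password containing '"' or '\' has to be
# loaded from a docker config file instead.
# Usage: make_dockerconfig <server> <user> <password>
make_dockerconfig() {
  server=$1; user=$2; pass=$3
  auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$server" "$user" "$pass" "$auth"
}

# Emit a Secret manifest for `kubectl apply -f -`. The password comes from the
# caller's variables, never from kubectl's argv, so it stays out of shell
# history and `ps` output.
# Usage: secret_manifest <name> <namespace> <server> <user> <password>
secret_manifest() {
  b64=$(make_dockerconfig "$3" "$4" "$5" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $b64
EOF
}

# Registry host an image reference resolves to, per the docker reference rules:
# the first path component is a host only if it contains '.' or ':' or is
# "localhost"; otherwise the image lives on Docker Hub (docker.io).
# Usage: registry_host <image>
registry_host() {
  case $1 in
    */*) first=${1%%/*} ;;
    *)   printf 'docker.io'; return 0 ;;
  esac
  case $first in
    *.*|*:*|localhost) printf '%s' "$first" ;;
    *)                 printf 'docker.io' ;;
  esac
}

# Does the dockerconfigjson carry an "auths" entry for the image's registry?
# Simplified version of the kubelet's matching: it ignores https:// prefixes
# and the https://index.docker.io/v1/ alias that Docker Hub logins use.
# Usage: has_cred_for <image> <dockerconfigjson>; exit status 0 when matched
has_cred_for() {
  host=$(registry_host "$1")
  case $2 in
    *"\"$host\""*) return 0 ;;
    *)             return 1 ;;
  esac
}

# Live-cluster preflight (needs kubectl; not exercised offline): decode the
# Secret the ServiceAccount references and check it covers the image.
# Usage: check_secret_covers <namespace> <secret> <image>
check_secret_covers() {
  cfg=$(kubectl -n "$1" get secret "$2" -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d)
  has_cred_for "$3" "$cfg"
}

# Stand-alone use: export REGISTRY_USER and REGISTRY_PASSWORD, then run.
if [ -n "${REGISTRY_PASSWORD:-}" ]; then
  secret_manifest aliyun-haitang default registry.cn-hangzhou.aliyuncs.com \
    "${REGISTRY_USER:?}" "$REGISTRY_PASSWORD" | kubectl apply -f -
  check_secret_covers default aliyun-haitang \
    registry.cn-hangzhou.aliyuncs.com/lengyuye/stress:latest && echo "credential matches image registry"
fi
```

    The preflight only checks that a matching auths key exists; whether the registry accepts the password is still decided at pull time, so a wrong password shows up exactly as in 2.3.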
    
    Source: https://www.cnblogs.com/xunweidezui/p/16664432.html