Kubernetes private registry secret configuration

1. Kubernetes private registry secret configuration

1.1. Method 1:

List the existing secrets before creating a new one

[root@k8s-master ~]# kubectl get secrets
NAME                        TYPE                                  DATA   AGE
default-token-pppcz         kubernetes.io/service-account-token   3      43h
sh.helm.release.v1.web.v1   helm.sh/release.v1                    1      18h

Command template for creating a registry secret with kubectl

kubectl create secret docker-registry NAME --docker-username=user --docker-password=password --docker-email=email

Create the secret

kubectl create secret docker-registry harbor-registry --docker-server=harbor.xxx.com --docker-username=admin --docker-password=Harbor12345 --docker-email=heyuze@163.com

Check the generated secret

[root@k8s-master ~]# kubectl get secrets
NAME                        TYPE                                  DATA   AGE
default-token-pppcz         kubernetes.io/service-account-token   3      43h
harbor-registry             kubernetes.io/dockerconfigjson        1      41h
sh.helm.release.v1.web.v1   helm.sh/release.v1                    1      18h

View the secret's details

[root@k8s-master ~]# kubectl describe secrets harbor-registry
Name: harbor-registry
Namespace: default
Labels: <none>
Annotations: <none>

Type: kubernetes.io/dockerconfigjson

Data
====
.dockerconfigjson: 138 bytes

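Note: a secret created this way lives in the default namespace and can only be used there. To create it in a specific namespace, add the -n parameter to specify the namespace.

For example: kubectl create secret docker-registry harbor-registry --docker-server=harbor.xxx.com --docker-username=admin --docker-password=Harbor12345 --docker-email=heyuze@163.com -n test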

Configure the YAML so that the image is pulled using the secret

[root@master1 machine-tool]# vi nginx.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: default
spec:
  containers:
  - name: nginx
    image: harbor.xxx.com/test/ssh-centos7:latest
    command:
    - top
    - '-b'
  imagePullSecrets:
  - name: harbor-registry

1.2. Method 2:

Configure the private registry

Set the Docker private registry address (change this on every node)

[root@k8s-node1 ~]# vim /etc/docker/daemon.json

{
    "registry-mirrors": ["http://bc437cce.m.daocloud.io"],
    "insecure-registries": ["192.168.3.187"]
}

Harbor12345

Log in to the registry

[root@k8s-node1 default]# docker login 192.168.3.187

Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Pull a tomcat image

REPOSITORY         TAG      IMAGE ID       CREATED        SIZE
heyuze/java-demo   latest   4d36f38cc8c8   19 hours ago   406MB
tomcat             latest   4e7840b49fad   5 days ago     529MB

Tag the image and push it to Harbor

[root@k8s-node1 default]# docker tag tomcat 192.168.3.187/project/tomcat
[root@k8s-node1 default]#
[root@k8s-node1 default]# docker push 192.168.3.187/project/tomcat

Configure the token Kubernetes uses to log in to the Harbor registry

View the token

[root@k8s-node1 ~]# cat .docker/config.json
{
    "auths": {
        "192.168.3.187": {
            "auth": "YWRtaW46SGFyYm9yMTIzNDU="
        }
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/18.09.6 (linux)"
    }
}

Check that the password is correct

[root@k8s-master1 ~]# echo "YWRtaW46SGFyYm9yMTIzNDU=" |base64 --decode -
admin:Harbor12345

Generate the token without line wrapping (base64 encoding)

[root@k8s-node1 ~]# cat .docker/config.json |base64 -w 0

ewoJImF1dGhzIjogewoJCSIxOTIuMTY4LjMuMTg3IjogewoJCQkiYXV0aCI6ICJZV1J0YVc0NlNHRnlZbTl5TVRJek5EVT0iCgkJfQoJfSwKCSJIdHRwSGVhZGVycyI6IHsKCQkiVXNlci1BZ2VudCI6ICJEb2NrZXItQ2xpZW50LzE4LjA5LjYgKGxpbnV4KSIKCX0KfQ==

Note: Kubernetes has no credentials for the registry yet, so it cannot pull images from the private registry. The following creates the YAML file that holds the credentials.

YAML file for registry authentication

[root@k8s-master1 ~]# vim registry-pull-secret.yaml

apiVersion: v1
kind: Secret
metadata:
  name: registry-pull-secret
data:
  .dockerconfigjson: ewoJImF1dGhzIjogewoJCSIxOTIuMTY4LjMuMTg3IjogewoJCQkiYXV0aCI6ICJZV1J0YVc0NlNHRnlZbTl5TVRJek5EVT0iCgkJfQoJfSwKCSJIdHRwSGVhZGVycyI6IHsKCQkiVXNlci1BZ2VudCI6ICJEb2NrZXItQ2xpZW50LzE4LjA5LjYgKGxpbnV4KSIKCX0KfQ==
type: kubernetes.io/dockerconfigjson

Create it

[root@k8s-master1 ~]# kubectl create -f registry-pull-secret.yaml
secret/registry-pull-secret created
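
A dockerconfigjson Secret is only base64-encoded, so anyone who can read it in the namespace recovers the registry login, just as the base64 --decode step above did. The following is an added example, not part of the original post: it decodes both base64 layers of a .dockerconfigjson value, reports what it exposes, and builds a value that carries only the auths entry. The function names and the pull-only account are hypothetical; the sample input is constructed from the values used in the post.

```python
import base64
import json


def build_dockerconfigjson(server, username, password):
    """Return the base64 value for .dockerconfigjson, carrying only 'auths'."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {server: {"auth": auth}}}
    return base64.b64encode(json.dumps(config).encode()).decode()


def audit_pull_secret(b64_value, broad_accounts=("admin", "root")):
    """Decode both base64 layers and report what a reader of the Secret learns."""
    config = json.loads(base64.b64decode(b64_value, validate=True))
    findings = []
    extra = sorted(set(config) - {"auths"})
    if extra:
        findings.append(f"extra keys copied from config.json: {extra}")
    entries = []
    for server, entry in config.get("auths", {}).items():
        if "auth" in entry:  # base64("user:password"), as written by docker login
            decoded = base64.b64decode(entry["auth"]).decode()
            user, _, password = decoded.partition(":")
        else:  # some tools store the two fields separately
            user, password = entry.get("username", ""), entry.get("password", "")
        entries.append({"server": server, "username": user,
                        "password_recoverable": bool(password)})
        if user in broad_accounts:
            findings.append(f"{server}: pull secret uses the '{user}' account")
    return entries, findings


# Constructed sample: the post's values, shaped like its ~/.docker/config.json
# (auths plus the HttpHeaders block that docker login wrote).
SAMPLE_CONFIG = {
    "auths": {"192.168.3.187": {
        "auth": base64.b64encode(b"admin:Harbor12345").decode()}},
    "HttpHeaders": {"User-Agent": "Docker-Client/18.09.6 (linux)"},
}
SAMPLE_B64 = base64.b64encode(json.dumps(SAMPLE_CONFIG).encode()).decode()

if __name__ == "__main__":
    entries, findings = audit_pull_secret(SAMPLE_B64)
    print(entries)
    for finding in findings:
        print("FINDING:", finding)
    # "pull-only-user" / "example-password" are placeholders (assumption): a
    # registry account limited to pulling, not the registry administrator.
    print(build_dockerconfigjson("192.168.3.187", "pull-only-user", "example-password"))
```

The same audit applies to the secret from Method 1, since kubectl create secret docker-registry produces the same Secret type.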

View the generated credential

[root@k8s-master1 ~]# kubectl get secret
NAME                   TYPE                                  DATA   AGE
default-token-6d4mx    kubernetes.io/service-account-token   3      6d20h
registry-pull-secret   kubernetes.io/dockerconfigjson        1      34s

Next, create the deployment YAML file and add imagePullSecrets:

[root@k8s-master1 ~]# vim tomcat-deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: tomcat
  name: tomcat
spec:
  replicas: 3
  selector:
    matchLabels:
      app: tomcat
  template:
    metadata:
      labels:
        app: tomcat
    spec:
      imagePullSecrets:
      - name: registry-pull-secret
      containers:
      - image: 192.168.3.187/project/tomcat
        imagePullPolicy: Always
        name: tomcat
        ports:
        - containerPort: 8080

---

apiVersion: v1
kind: Service
metadata:
  name: tomcat-service
  labels:
    app: tomcat
spec:
  type: NodePort
  ports:
  - port: 80
    targetPort: 8080
  selector:
    app: tomcat

Apply the update to deploy tomcat from the private registry

[root@k8s-master1 ~]# kubectl apply -f tomcat-deployment.yaml

Check the result

[root@k8s-master2 ~]# kubectl get pod
NAME                      READY   STATUS    RESTARTS   AGE
tomcat-5986778c5c-29t75   1/1     Running   0          6m14s
tomcat-5986778c5c-hgr52   1/1     Running   0          24s
tomcat-5986778c5c-hnjh8   1/1     Running   0          19m