Problem statement

  • I want to provide a private registry that bundles all the images my product needs (yes, this will be a fat image, but I can live with that)
  • I will upload this image manually somehow
  • I will run the Docker private registry as a Service in Kubernetes (probably in some namespace)
  • When other Services/Deployments come up in Kubernetes (in the same namespace as the registry), they should refer to this registry by a consistent name

    Constraints
  • We want the registry exposed only to the cluster, and not to anything outside it
  • We want to use a self-signed certificate, not one signed by a CA

    I followed some of the instructions in these links (not sure whether this was the right thing to do)
  • https://kubernetes.io/docs/concepts/cluster-administration/certificates/
  • https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/#create-a-certificate-signing-request-object-to-send-to-the-kubernetes-api

  • Created a certificate signed through Kubernetes
  • Created server.key
  • Created a csr.conf:
    [ req ]
    default_bits = 2048
    prompt = no
    default_md = sha256
    req_extensions = req_ext
    distinguished_name = dn
    
    [ dn ]
    C = US
    ST = oh
    L = cincinnati
    O = engg
    OU = prod
    CN = prateek.svc.cluster.local
    
    [ req_ext ]
    subjectAltName = @alt_names
    
    [ alt_names ]
    DNS.1 = registry.prateek.svc.cluster.local
    
    [ v3_ext ]
    authorityKeyIdentifier=keyid,issuer:always
    basicConstraints=CA:FALSE
    keyUsage=keyEncipherment,dataEncipherment
    extendedKeyUsage=serverAuth,clientAuth
    subjectAltName=@alt_names
    
  • Created server.csr (openssl req -new -key server.key -out server.csr -config csr.conf)
  • Created the CertificateSigningRequest in K8s:
    cat <<EOF | kubectl apply -f -
    apiVersion: certificates.k8s.io/v1beta1
    kind: CertificateSigningRequest
    metadata:
      name: registry.prateek
    spec:
      groups:
      - system:authenticated
      request: $(cat server.csr | base64 | tr -d '\n')
      usages:
      - digital signature
      - key encipherment
      - server auth
    EOF
    
  • Checked that the CSR exists:
    kubectl describe csr registry.prateek
    Name: registry.prateek
    Labels: <none>
    Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certificates.k8s.io/v1beta1","kind":"CertificateSigningRequest","metadata":{"annotations":{},"name":"registry.prateek","namespace":""},"spec":{"groups":["system:authenticated"],"request":"LS0sdfsfsdsfd=","usages":["digital signature","key encipherment","server auth"]}}
    
    CreationTimestamp: Thu, 11 Apr 2019 11:15:42 -0400
    Requesting User: docker-for-desktop
    Status: Pending
    Subject:
    Common Name: prateek.svc.cluster.local
    Serial Number:
    Organization: engg
    Organizational Unit: prod
    Country: US
    Locality: cincinnati
    Province: oh
    Subject Alternative Names:
    DNS Names: registry.prateek.svc.cluster.local
    Events: <none>
    
  • Approved the CSR: kubectl certificate approve registry.prateek

  • Started the registry's internal service
  • Added the certificate and key as a kind: Secret

  • Registry secret file:
    apiVersion: v1
    kind: Secret
    metadata:
      name: registry-credentials
    data:
      certificate: <CERTIFICATE in base64>
      key: <KEY in base64>
    
  • Created the registry Deployment and Service (using these secrets)

    Registry-deployment.yml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: registry
      namespace: prateek
      labels:
          app: registry
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: registry
      template:
        metadata:
          labels:
            app: registry
        spec:
          containers:
            - name: registry
              image: prateek/registry
              imagePullPolicy: IfNotPresent
              ports:
                - containerPort: 443
              env:
                - name: REGISTRY_HTTP_ADDR
                  value: "0.0.0.0:443"
                - name: REGISTRY_HTTP_TLS_CERTIFICATE
                  value: "/certs/certificate"
                - name: REGISTRY_HTTP_TLS_KEY
                  value: "/certs/key"
              volumeMounts:
                - name: cert-files
                  mountPath: /certs
          volumes:
            - name: cert-files
              secret:
                secretName: registry-credentials
    

    Registry service
    apiVersion: v1
    kind: Service
    metadata:
      name: registry
      namespace: prateek
    spec:
      selector:
        app: registry
      ports:
      - protocol: TCP
        port: 443
        targetPort: 443
      type: LoadBalancer
    

    Tested that the registry service is up
  • Tried the registry endpoint from a test container. I had already loaded the image for this test container into Docker.
    curl https://registry.prateek.svc.cluster.local/v2/_catalog -k
    {"repositories":["prateek/echo"]}
    

    Deploying with an image from the registry service
  • Tried a Deployment using the image registry.prateek/prateek/echo:latest
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: hello
      namespace: cequence
      labels:
          app: hello
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: hello
      template:
        metadata:
          labels:
            app: hello
        spec:
          containers:
          - name: hello
            image: registry.prateek/prateek/echo:latest
            imagePullPolicy: IfNotPresent
            ports:
             - containerPort: 5678
            args: ["-text=hello"]
    
  • The Deployment gives an error:
    Normal Pulling 10s (x2 over 25s) kubelet, docker-for-desktop pulling image "registry.prateek/prateek/echo:latest"
    Warning Failed 10s (x2 over 25s) kubelet, docker-for-desktop Failed to pull image "registry.prateek/prateek/echo:latest": rpc error: code = Unknown desc = Error response from daemon: Get https://registry.prateek/v2/: Service Unavailable
    
  • Changed the Deployment to use the image registry.prateek.svc.cluster.local/prateek/echo:latest
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: hello
      namespace: cequence
      labels:
          app: hello
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: hello
      template:
        metadata:
          labels:
            app: hello
        spec:
          containers:
          - name: hello
            image: registry.prateek.svc.cluster.local/prateek/echo:latest
            imagePullPolicy: IfNotPresent
            ports:
             - containerPort: 5678
            args: ["-text=hello"]
    
  • Got a similar error:
    Warning Failed 1s kubelet, docker-for-desktop Failed to pull image "registry.prateek.svc.cluster.local/prateek/echo:latest": rpc error: code = Unknown desc = Error response from daemon: Get https://registry.prateek.svc.cluster.local/v2/: Service Unavailable
    

    I don't think this is possible: running the Docker registry as a Service and having other Services in the namespace point at it so that Deployments in the cluster pull from that registry. Any suggestions are welcome.

    Best answer

    The container daemon runs outside Kubernetes.

    So if you want to pull images, you need to make sure the registry is reachable directly from the node, without going through Kubernetes mechanisms such as Services. (Unlike your test through a Pod in step 9, it has to work directly on the node!)

    The usual options are to create a DNS entry or a hosts.txt entry pointing at the node where the registry is reachable via a hostPort (container) or a nodePort (Service), or to use an appropriate ingress.
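The answer's point is that the pull happens in the node's container daemon, which does not use cluster DNS and does not trust the cluster-signed certificate unless told to. The following added example (not code from the question or the answer) is an offline pre-flight check a practitioner can run before applying a Deployment: it parses the csr.conf from the question (reproduced inline as a constructed copy), works out which registry host Docker would contact for a given image reference, and reports why the pull would fail on the node. The `node_resolves` and `node_trusted` parameters, and the hostname `registry.example.internal` in the usage, are assumptions standing in for whatever DNS/hosts entry and CA trust you set up on the node.

```python
import re

# Constructed copy of the relevant parts of the csr.conf shown in the question.
CSR_CONF = """
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
CN = prateek.svc.cluster.local

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = registry.prateek.svc.cluster.local
"""

SECTION_RE = re.compile(r"^\[\s*([^\]\s]+)\s*\]$")


def parse_openssl_conf(text):
    """Parse an OpenSSL-style INI file into {section: {key: value}} (comments stripped)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def san_dns_names(sections):
    """DNS names listed under [alt_names] (DNS.1, DNS.2, ...)."""
    alt = sections.get("alt_names", {})
    return [v for k, v in alt.items() if k.upper().startswith("DNS.")]


def registry_host(image_ref):
    """Registry host (with optional :port) a Docker daemon would contact for image_ref.

    Docker only treats the first path component as a registry when it contains a '.'
    or ':' or is exactly 'localhost'; anything else is an image on Docker Hub.
    """
    first, sep, _rest = image_ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def pull_findings(image_ref, sections, node_resolves=(), node_trusted=()):
    """Reasons a pull of image_ref would fail on a node, given the cert's CSR config.

    node_resolves: hostnames the node's own DNS or hosts file can resolve (assumption).
    node_trusted: hostnames for which the node's daemon has the self-signed CA installed.
    """
    host = registry_host(image_ref)
    hostname = host.split(":")[0]  # drop the port; IPv6 literals are not handled here
    sans = san_dns_names(sections)
    findings = []
    if hostname not in node_resolves:
        msg = f"{hostname}: not resolvable by the node's container daemon"
        if hostname.endswith(".svc.cluster.local"):
            msg += " (cluster-DNS Service name; only pods use cluster DNS)"
        findings.append(msg)
    if hostname not in sans:
        findings.append(f"{hostname}: absent from certificate SANs {sans}; TLS verification fails")
    if hostname not in node_trusted:
        findings.append(f"{hostname}: self-signed CA not installed on the node "
                        f"(Docker looks under /etc/docker/certs.d/{host}/ca.crt)")
    return findings


if __name__ == "__main__":
    conf = parse_openssl_conf(CSR_CONF)
    for ref in ("registry.prateek/prateek/echo:latest",
                "registry.prateek.svc.cluster.local/prateek/echo:latest"):
        print(ref)
        for finding in pull_findings(ref, conf):
            print("  -", finding)
```

For the two image references from the question the check reports the resolution problem the answer describes; the short name `registry.prateek` additionally fails the SAN check, because the certificate only carries the full Service name. Once the registry is reachable under a node-resolvable name that is also in the SAN list and the CA is installed on the node, the findings list is empty.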

    On the question "docker - Is it possible to start a self-signed Docker registry in Kubernetes and have other services use it as their registry to pull their images?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/55732900/

    10-16 07:22