Kubernetes: pulling private images with a ServiceAccount

Earlier we saw that imagePullPolicy and imagePullSecrets control how images are downloaded. A ServiceAccount can also carry, in its imagePullSecrets field, a list of Secret resources dedicated to image pulls; they are used to authenticate against a private image registry before the image is downloaded when a container is created.
1. Create the Secret

Define this according to your own environment; it must contain the address of and the credentials for the registry you are using, otherwise pull/push will fail.
root@ks-master01-10:~# kubectl create secret docker-registry \
> aliyun-haitang-registry \
> --docker-server=registry.cn-hangzhou.aliyuncs.com \
> --docker-username=xxxxxxx \
> --docker-password=xxxxxx
secret/aliyun-haitang-registry created

1.1 Inspect the Secret

root@ks-master01-10:~# kubectl describe secret aliyun-haitang
Name:         aliyun-haitang
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/dockerconfigjson

Data
====
.dockerconfigjson:  140 bytes

2. Create the ServiceAccount

2.1 Without any pull configuration, test whether the private image can be pulled

No image pull policy or pull secret is configured here; this tests whether an image can be pulled from the private registry without them.
root@ks-master01-10:~# cat pod-serviceaccount-secret.yaml
apiVersion: v1
kind: Pod
metadata:
  name: stree-serviceaccount
spec:
  containers:
  - name: stree
    image: registry.cn-hangzhou.aliyuncs.com/lengyuye/stress:latest

2.2 Check the Pod: it is stuck in ErrImagePull

root@ks-master01-10:~# kubectl get pods
NAME                   READY   STATUS         RESTARTS   AGE
stree-serviceaccount   0/1     ErrImagePull   0          8s

2.3 describe shows in Events that the cause is Docker registry authentication
root@ks-master01-10:~# kubectl describe pods stree-serviceaccount
Events:
  Type     Reason     Age               From               Message
  ----     ------     ----              ----               -------
  Normal   Scheduled  20s               default-scheduler  Successfully assigned default/stree-serviceaccount to ks-node02-12
  Normal   BackOff    17s               kubelet            Back-off pulling image "registry.cn-hangzhou.aliyuncs.com/lengyuye/stress:latest"
  Warning  Failed     17s               kubelet            Error: ImagePullBackOff
  Normal   Pulling    2s (x2 over 19s)  kubelet            Pulling image "registry.cn-hangzhou.aliyuncs.com/lengyuye/stress:latest"
  Warning  Failed     2s (x2 over 18s)  kubelet            Failed to pull image "registry.cn-hangzhou.aliyuncs.com/lengyuye/stress:latest": rpc error: code = Unknown desc = Error response from daemon: pull access denied for registry.cn-hangzhou.aliyuncs.com/lengyuye/stress, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
  Warning  Failed     2s (x2 over 18s)  kubelet            Error: ErrImagePull

2.4 Create the ServiceAccount

aliyun-haitang is a Secret of type docker-registry, created manually by the user in advance. Its key/value data supplies the Docker registry server address, the username and password for that server, the user's e-mail address, and so on. Once authentication succeeds, any Pod that references the ServiceAccount can download images from the specified registry.
root@ks-master01-10:~# cat serviceaccount-imagepullsecret.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: imagepull-aliyun-sa
imagePullSecrets:
- name: aliyun-haitang
root@ks-master01-10:~# kubectl apply -f serviceaccount-imagepullsecret.yaml
serviceaccount/imagepull-aliyun-sa created

2.5 Inspect the ServiceAccount

root@ks-master01-10:~# kubectl get sa imagepull-aliyun-sa -o yaml
apiVersion: v1
imagePullSecrets:
- name: aliyun-haitang
kind: ServiceAccount
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","imagePullSecrets":[{"name":"aliyun-haitang"}],"kind":"ServiceAccount","metadata":{"annotations":{},"name":"imagepull-aliyun-sa","namespace":"default"}}
  creationTimestamp: "2022-09-07T02:31:05Z"
  name: imagepull-aliyun-sa
  namespace: default
  resourceVersion: "226300"
  uid: fabc93b1-572c-4703-a2dd-465d4e0915cb
secrets:
- name: imagepull-aliyun-sa-token-vf67z

2.6 Reference the ServiceAccount from the Pod

root@ks-master01-10:~# cat pod-serviceaccount-secret.yaml
apiVersion: v1
kind: Pod
metadata:
  name: stree-serviceaccount
spec:
  serviceAccount: imagepull-aliyun-sa   # the name of the ServiceAccount created above
  containers:
  - name: stree
    image: registry.cn-hangzhou.aliyuncs.com/lengyuye/stress:latest
root@ks-master01-10:~/rbac# kubectl apply -f pod-serviceaccount-secret.yaml
pod/stree-serviceaccount created

3. Create the Pod and test

3.1 Check the Pod

root@ks-master01-10:~# kubectl get pods
NAME                   READY   STATUS    RESTARTS   AGE
stree-serviceaccount   1/1     Running   0          8s

3.2 Check the events with describe

root@ks-master01-10:~# kubectl describe pods stree-serviceaccount
Events:
  Type    Reason     Age    From               Message
  ----    ------     ----   ----               -------
  Normal  Scheduled  3m36s  default-scheduler  Successfully assigned default/stree-serviceaccount to ks-node02-12
  Normal  Pulling    3m35s  kubelet            Pulling image "registry.cn-hangzhou.aliyuncs.com/lengyuye/stress:latest"
  Normal  Pulled     3m33s  kubelet            Successfully pulled image "registry.cn-hangzhou.aliyuncs.com/lengyuye/stress:latest" in 1.729555429s
  Normal  Created    3m33s  kubelet            Created container stree
  Normal  Started    3m33s  kubelet            Started container stree
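As an added example (not part of the original post), the following Python script performs offline the check this walkthrough implies: every imagePullSecret a ServiceAccount references must exist, be of type kubernetes.io/dockerconfigjson, and hold credentials for the registry the Pod's image is actually pulled from, or the Pod ends up in ErrImagePull as in section 2.2. The Secret and ServiceAccount objects are constructed here to mirror the names in the walkthrough, and the registry-host rule for image references is assumed to follow Docker's convention.

```python
import base64
import json

def dockerconfig_secret(auths):
    """Constructed kubernetes.io/dockerconfigjson Secret, shaped like `kubectl create secret docker-registry` output."""
    cfg = json.dumps({"auths": auths}).encode()
    return {"type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": base64.b64encode(cfg).decode()}}

# Constructed sample objects (not read from any cluster): the Secret and the ServiceAccount that references it.
SECRETS = {"aliyun-haitang": dockerconfig_secret({"registry.cn-hangzhou.aliyuncs.com": {
    "username": "example-user", "password": "EXAMPLE-NOT-REAL",
    "auth": base64.b64encode(b"example-user:EXAMPLE-NOT-REAL").decode()}})}
SERVICE_ACCOUNT = {"metadata": {"name": "imagepull-aliyun-sa"},
                   "imagePullSecrets": [{"name": "aliyun-haitang"}]}

def image_registry(image):
    """Registry host of an image reference: the first path component counts only if it has '.' or ':' or is 'localhost'."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"  # e.g. nginx:1.25 or myorg/app live on Docker Hub

def registries_in_secret(secret):
    """Registry hosts for which a dockerconfigjson Secret carries credentials."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return set()
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    hosts = set()
    for server in cfg.get("auths", {}):
        # auths keys may be URLs, e.g. https://index.docker.io/v1/ for Docker Hub
        host = server.split("://", 1)[-1].split("/", 1)[0]
        hosts.add("docker.io" if host in ("index.docker.io", "registry-1.docker.io") else host)
    return hosts

def check_pull_access(image, service_account, secrets):
    """Return (ok, problems) for pulling `image` in a Pod bound to `service_account`; `secrets` maps name -> Secret."""
    problems, covered = [], False
    for ref in service_account.get("imagePullSecrets", []):
        secret = secrets.get(ref["name"])
        if secret is None:
            problems.append(f"imagePullSecret {ref['name']!r} does not exist in the namespace")
        elif secret.get("type") != "kubernetes.io/dockerconfigjson":
            problems.append(f"{ref['name']!r} is not a kubernetes.io/dockerconfigjson Secret")
        elif image_registry(image) in registries_in_secret(secret):
            covered = True
    if not covered:  # the ErrImagePull situation from section 2.2
        problems.append(f"no referenced Secret holds credentials for {image_registry(image)!r}")
    return not problems, problems
```

Calling check_pull_access with the image from the walkthrough and a ServiceAccount that has no imagePullSecrets reproduces the failure of section 2.1 as a single reported problem, while the ServiceAccount from section 2.4 passes.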

