Previously, I shared the Harbor series articles in my column Harbor dictionary.
In this issue, we will continue to share how to pull private images in Harbor in k8s's container.
We can pull public images in Harbor at will, but some private images cannot be pulled directly. We can use the Secret resource object to pull private images. The following are the detailed steps.
Harbor Address: https://192.168.2.250:443
Harbor user: admin
Harbor password: Harbor 12345
At the end of the paper, record the problems encountered and solutions!
1. Log in to Harbor
After successful login, it will be displayed in ~ / docker/config. The login information is recorded in the JSON file, and then a Secret is created based on the information. The container specifies the Secret through imagePullSecret to realize authentication, so as to pull the private image.
If you fail to log in to Harbor, please check the problem solving column.
# docker login -u admin -p Harbor12345 192.168.2.250:443 WARNING! Using --password via the CLI is insecure. Use --password-stdin. WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store Login Succeeded //Login succeeded # cat ~/.docker/config.json { "auths": { "192.168.2.250:443": { "auth": "YWRtaW46SGFyYm9yMTIzNDU=" } }, "HttpHeaders": { "User-Agent": "Docker-Client/19.03.8 (linux)" } }
2. Parsing key data with BASH64 encoding
Next, you need to use the parsed results when creating a Secret- w 0 means that the generated Secret key will not be converted to a line. If the default conversion is not in the correct format, an error will occur.
# cat ~/.docker/config.json | base64 -w 0 ewoJImF1dGhzIjogewoJCSIxOTIuMTY4LjIuMjUwOjQ0MyI6IHsKCQkJImF1dGgiOiAiWVdSdGFXNDZTR0Z5WW05eU1USXpORFU9IgoJCX0KCX0sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xOS4wMy44IChsaW51eCkiCgl9Cn0=
3. Create Secret image pull voucher
. The value of dockerconfigjson is the result of the parsing in step 2 (copy the result there)
# vim harbor-image-secret.yaml apiVersion: v1 kind: Secret metadata: name: harbor-pull type: kubernetes.io/dockerconfigjson data: .dockerconfigjson: ewoJImF1dGhzIjogewoJCSIxOTIuMTY4LjIuMjUwOjQ0MyI6IHsKCQkJImF1dGgiOiAiWVdSdGFXNDZTR0Z5WW05eU1USXpORFU9IgoJCX0KCX0sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xOS4wMy44IChsaW51eCkiCgl9Cn0= # kubectl apply -f harbor-image-secret.yaml secret/harbor-pull created # kubectl get secret NAME TYPE DATA AGE default-token-qqjxn kubernetes.io/service-account-token 3 13d harbor-pull kubernetes.io/dockerconfigjson 1 52s
For the method of creating secret on the command line, see kubectl create secret -h, which will not be described in detail here.
4. The private image is pulled by using the image pull Certificate in the container
Take the private image 192.168.2.250:443/muli/tomcat:8.5.34-jre8-alpine as an example.
# cat tomcat-pod1.yaml kind: Pod apiVersion: v1 metadata: name: tomcat-v2.3.1 namespace: test spec: imagePullSecrets: - name: image-secret containers: - name: tomcat-po image: 192.168.2.250:443/muli/tomcat:8.5.34-jre8-alpine imagePullPolicy: IfNotPresent # kubectl apply -f tomcat-pod1.yaml pod/tomcat-v2.3.1 created # kubectl get pods NAME READY STATUS RESTARTS AGE tomcat-v2.3.1 1/1 Running 0 20h
5. Problems encountered
After the Pod is created, the image always fails to be pulled.
Troubleshooting:
Because the operation is performed on the master, the Pod is scheduled to the node node, but the node node has not logged in to Harbor, so the node node does not have ~ / docker/config.json file, so that the node node cannot obtain the login information when pulling the image.
terms of settlement:
To the node to which the Pod is scheduled:
# docker login -u admin -p Harbor12345 192.168.2.250:443 WARNING! Using --password via the CLI is insecure. Use --password-stdin. WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store Login Succeeded //Login succeeded
~ /. Will be generated automatically docker/config.json file, whose content is consistent with that generated by master.
In the production environment, the node to which the Pod will be scheduled is not known in advance, and the login operation can be performed on each node.