kubernetes 拉取私有镜像 imagepullsecrets

1. kubernetes 拉取私有镜像的测试

创建secret(创建方式有两钟，一种使用命令，第二种使用文件)

下面我的私有仓库如下:

• reg.k8s.test.com
• ureg.k8s.test.com

a. 修改 docker 的 /etc/docker/daemon.json 文件

在所有的 node 节点中修改 docker 的 /etc/docker/daemon.json 文件修改 insecure-registries 参数。必须包含上面上面私有仓库的地址：

{
"registry-mirrors": [ "https://registry.docker-cn.com"],
"insecure-registries":["reg.k8s.test.com","ureg.k8s.test.com","uhub.service.ucloud.cn"]
}

重启 docker 服务

systemctl restart docker

### 方法1. 使用文件生成secret

生成 ~/.docker/config.json 配置文件

[root@ip-172-31-10-110 ~]# docker login reg.k8s.test.com
Username: lvnian
Password:                       <输入密码>
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@ip-172-31-10-110 ~]# 
[root@ip-172-31-10-110 ~]# docker login ureg.k8s.test.com
Username: lvnian
Password:                       <输入密码>
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@ip-172-31-10-110 ~]# ll ~/.docker/config.json 
-rw------- 1 root root 261 Nov  8 13:21 /root/.docker/config.json

测试密码是否成功,往私有仓库 push images

[root@ip-172-31-10-110 ~]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
f17d81b4b692: Pull complete 
82dca86e04c3: Pull complete 
046ccb106982: Pull complete 
Digest: sha256:d59a1aa7866258751a261bae525a1842c7ff0662d4f34a355d5f36826abc0341
Status: Downloaded newer image for nginx:latest
[root@ip-172-31-10-110 ~]# docker tag nginx ureg.k8s.test.com/test/nginx
[root@ip-172-31-10-110 ~]# docker push ureg.k8s.test.com/test/nginx
The push refers to repository [ureg.k8s.test.com/test/nginx]
ad9ac0e6043b: Pushed 
6ccbee34dd10: Pushed 
237472299760: Pushed 
latest: digest: sha256:427498d66ad8a3437939bb7ef613fe76458b550f6c43b915d8d4471c7d34a544 size: 948
[root@ip-172-31-10-110 ~]# docker tag nginx reg.k8s.test.com/test/nginx
[root@ip-172-31-10-110 ~]# docker push reg.k8s.test.com/test/nginx
The push refers to repository [reg.k8s.test.com/test/nginx]
ad9ac0e6043b: Layer already exists 
6ccbee34dd10: Layer already exists 
237472299760: Layer already exists 
latest: digest: sha256:427498d66ad8a3437939bb7ef613fe76458b550f6c43b915d8d4471c7d34a544 size: 948

密码没问题

获取 base64 -w 0 ~/.docker/config.json 密文

[root@ip-172-31-10-110 ~]# base64 -w 0 ~/.docker/config.json
ewoJImF1dGhjNWdlpHVnVaenB5Wld4aFFFeFdUa2xCVGtBeU1ERTMiCgkJfSwKCQkidXJlZy5rOHMueXVud2VpLnJlbGEubWUiOiB7CgkJCSJhdXRoIjogIloyRnZaM1Z2WkdWdVp6cHlaV3hoUUV4V1RrbEJUa0F5TURFMyIKCQl9Cgl9LAoJIkh0dHBIZWFkZXJzIjogewoJCSJVc2VyLUFnZW50IjogIkRvY2tlci1DbGllbnQvMTguMDYuMS1jZSAobGludXgpIgoJfQp9[root@ip-172-31-10-110 ~]#

创建Secret

### vim secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: regsecret
  namespace: default
data:
    .dockerconfigjson: ewoJImF1dGhjNWdlpHVnVaenB5Wld4aFFFeFdUa2xCVGtBeU1ERTMiCgkJfSwKCQkidXJlZy5rOHMueXVud2VpLnJlbGEubWUiOiB7CgkJCSJhdXRoIjogIloyRnZaM1Z2WkdWdVp6cHlaV3hoUUV4V1RrbEJUa0F5TURFMyIKCQl9Cgl9LAoJIkh0dHBIZWFkZXJzIjogewoJCSJVc2VyLUFnZW50IjogIkRvY2tlci1DbGllbnQvMTguMDYuMS1jZSAobGludXgpIgoJfQp9
type: kubernetes.io/dockerconfigjson

kubectl create -f secret.yaml \ kubectl describe Secret regsecret

创建deployment测试是否可以拉私有仓库的镜像

[root@ip-172-31-10-110 ~]#  vim test.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: dentestreplce
spec:
  replicas: 1
  template:
    metadata:
      labels:
        name: dentestreplace
    spec:
      containers:
      - name: dentestreplace 
        imagePullPolicy: Always
        image: ureg.k8s.test.com/rela_dev/logreport:latest
      imagePullSecrets:
      - name: regsecret

[root@ip-172-31-10-110 ~]# kubectl create -f test.yaml
[root@ip-172-31-10-110 ~]# kubectl describe po/dentestreplce-6f788968fb-dr768 
...
Volumes:
  default-token-tfmc8:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-tfmc8
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     <none>
Events:
  Type    Reason                 Age   From                    Message
  ----    ------                 ----  ----                    -------
  Normal  Scheduled              57s   default-scheduler       Successfully assigned dentestreplce-6f788968fb-dr768 to 172.31.40.120
  Normal  SuccessfulMountVolume  57s   kubelet, 172.31.40.120  MountVolume.SetUp succeeded for volume "default-token-tfmc8"
  Normal  Pulling                57s   kubelet, 172.31.40.120  pulling image "ureg.k8s.test.com/rela_dev/logreport:latest"
  Normal  Pulled                 15s   kubelet, 172.31.40.120  Successfully pulled image "ureg.k8s.test.com/rela_dev/logreport:latest"
  Normal  Created                15s   kubelet, 172.31.40.120  Created container
  Normal  Started                15s   kubelet, 172.31.40.120  Started container
[root@ip-172-31-10-110 ~]#

查看结果，成功。上面是使用第一个私有仓库，第二个的测试也是一样。

注意，必须要确保私有仓库中本来就有 ureg.k8s.test.com/rela_dev/logreport:latest 这个image哦

另外一个私有参考也是一样这样测试即可。

方法2:

使用命令创建Secret

命令如下：

kubectl create secret docker-registry regsecret --docker-server=ureg.k8s.test.com --docker-username=lvnian --docker-password=LVNIAN@2017 --docker-email=lvnian@rela.me

其中:

regsecret: 指定密钥的键名称, 可自行定义
--docker-server: 指定 docker 仓库地址
--docker-username: 指定docker仓库账号
--docker-password: 指定docker仓库密码
--docker-email: 指定邮件地址
-n : 命名空间，在那个命名空间创建，就只能在那个命名空间使用这个secret

其他步骤和上面的一样。