My DigitalOcean Kubernetes cluster is unable to pull images from the DigitalOcean registry. I get the following error message:

```
Failed to pull image "registry.digitalocean.com/XXXX/php:1.1.39": rpc error: code = Unknown desc = failed to pull and unpack image
"registry.digitalocean.com/XXXXXXX/php:1.1.39": failed to resolve reference
"registry.digitalocean.com/XXXXXXX/php:1.1.39": failed to authorize: failed to fetch anonymous token: unexpected status: 401 Unauthorized
```

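I have added the Kubernetes cluster using the DigitalOcean Container Registry integration, which shows as successful in the settings of both the registry and the Kubernetes cluster.
I can confirm that the above address `registry.digitalocean.com/XXXX/php:1.1.39` matches the address in the registry. I wonder if I'm misunderstanding how the token/login integration works with the registry, but I was under the impression that this was a "one-click" thing and that the cluster would automatically get a connection to the registry afterwards.
I tried logging helm in to the registry before pushing, but that did not work (and I wouldn't really expect it to; the cluster should be pulling the image).
I'm not entirely clear on how image pull secrets are supposed to be used.
My helm deployment chart is basically the API Platform default: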

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "api-platform.fullname" . }}
  labels:
    {{- include "api-platform.labels" . | nindent 4 }}
spec:
  {{- if not .Values.autoscaling.enabled }}
  replicas: {{ .Values.replicaCount }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "api-platform.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        {{- include "api-platform.selectorLabels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "api-platform.serviceAccountName" . }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        - name: {{ .Chart.Name }}-caddy
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.caddy.image.repository }}:{{ .Values.caddy.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.caddy.image.pullPolicy }}
          env:
            - name: SERVER_NAME
              value: :80
            - name: PWA_UPSTREAM
              value: {{ include "api-platform.fullname" . }}-pwa:3000
            - name: MERCURE_PUBLISHER_JWT_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ include "api-platform.fullname" . }}
                  key: mercure-publisher-jwt-key
            - name: MERCURE_SUBSCRIBER_JWT_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ include "api-platform.fullname" . }}
                  key: mercure-subscriber-jwt-key
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: admin
              containerPort: 2019
              protocol: TCP
          volumeMounts:
            - mountPath: /var/run/php
              name: php-socket
          #livenessProbe:
          #  httpGet:
          #    path: /
          #    port: admin
          #readinessProbe:
          #  httpGet:
          #    path: /
          #    port: admin
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
        - name: {{ .Chart.Name }}-php
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.php.image.repository }}:{{ .Values.php.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.php.image.pullPolicy }}
          env:
            {{ include "api-platform.env" . | nindent 12 }}
          volumeMounts:
            - mountPath: /var/run/php
              name: php-socket
          readinessProbe:
            exec:
              command:
                - docker-healthcheck
            initialDelaySeconds: 120
            periodSeconds: 3
          livenessProbe:
            exec:
              command:
                - docker-healthcheck
            initialDelaySeconds: 120
            periodSeconds: 3
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
      volumes:
        - name: php-socket
          emptyDir: {}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
```

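How do I authorize the Kubernetes cluster to pull from the registry? Is this a helm thing or a Kubernetes-only thing?
Thanks!
Best answer
The problem you have is that you do not have an image pull secret for your cluster to use to pull from the registry.
You will need to add this to give your cluster a way to authorize its requests to the cluster.
Using the DigitalOcean Kubernetes integration for Container Registry
DigitalOcean provides a way to add image pull secrets to a Kubernetes cluster in your account. You can link the registry to the cluster in the settings of the registry. Under "DigitalOcean Kubernetes Integration" select edit, then select the cluster you want to link the registry to.
This action adds an image pull secret to all namespaces within the cluster, and it will be used by default (unless you specify otherwise).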
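
The following check is an added example, not part of the original question or answer. It models how a pod ends up with (or without) registry credentials: the pod's own `imagePullSecrets`, falling back to those of its service account, matched against the `auths` hosts in each `kubernetes.io/dockerconfigjson` secret. The secret name `example-registry`, the service account name and the credential value are constructed; node-level credentials are not modeled.

```python
import base64
import json

def registry_host(image):
    """Registry host of an image reference (Docker Hub when no host is given)."""
    first = image.split("/", 1)[0]
    has_host = "/" in image and ("." in first or ":" in first or first == "localhost")
    return first if has_host else "docker.io"

def secret_hosts(secret):
    """Registry hosts a kubernetes.io/dockerconfigjson Secret holds credentials for."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return set()
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    return {h.split("://")[-1].split("/")[0] for h in cfg.get("auths", {})}

def diagnose(image, pod_spec, service_account, secrets):
    """Return (ok, reason): do the pod's pull secrets cover this image's registry?"""
    host = registry_host(image)
    # Pod-level imagePullSecrets win; the service account's list is only
    # copied into the pod when the pod spec has none of its own.
    refs = pod_spec.get("imagePullSecrets") or service_account.get("imagePullSecrets") or []
    if not refs:
        return False, "no imagePullSecrets on pod or service account"
    by_name = {s["metadata"]["name"]: s for s in secrets}
    for ref in refs:
        secret = by_name.get(ref["name"])
        if secret is None:
            continue  # referenced secret is missing from the pod's namespace
        if host in secret_hosts(secret):
            return True, f"secret {ref['name']} has credentials for {host}"
    return False, f"no referenced secret in this namespace covers {host}"

# Constructed sample data, shaped like `kubectl get ... -o json` output.
def _secret(name, host):
    cfg = {"auths": {host: {"auth": base64.b64encode(b"user:placeholder").decode()}}}
    data = base64.b64encode(json.dumps(cfg).encode()).decode()
    return {"metadata": {"name": name}, "type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": data}}

IMAGE = "registry.digitalocean.com/XXXX/php:1.1.39"
SECRETS = [_secret("example-registry", "registry.digitalocean.com")]

if __name__ == "__main__":
    # Secret exists in the namespace, but nothing references it.
    print(diagnose(IMAGE, {}, {"metadata": {"name": "api-platform"}}, SECRETS))
    # Same secret, referenced from the pod spec.
    print(diagnose(IMAGE, {"imagePullSecrets": [{"name": "example-registry"}]}, {}, SECRETS))
```

The first case shows that a secret merely existing in the namespace is not enough: it has to be referenced by the pod spec or by the service account the pod actually runs as.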
Regarding a Kubernetes cluster being unable to pull images from the DigitalOcean registry, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/73964858/