Two ways to pull private images in Kubernetes

Using a Secret

01-image-pull.yaml

kind: Pod
apiVersion: v1
metadata:
  name: imagepull-nginx
  labels:
    group: imagepull
spec:
  containers:
    - name: nginx
      image: registry.cn-beijing.aliyuncs.com/hkui_dev/nginx

k apply -f 01-image-pull.yaml

[root@master0 tests]# k get po
NAME                                        READY   STATUS             RESTARTS   AGE
dashboard-metrics-scraper-b55fdfbd4-h9mkg   1/1     Running            0          11h
imagepull-nginx                             0/1     ImagePullBackOff   0          24m
kubernetes-dashboard-dfd4dbffb-749lr        1/1     Running            0          11h

Check why it failed:

k describe pod imagepull-nginx

The image pull failed: no permission to pull it.

Create the secret

k create secret docker-registry aliyun-docker \
--docker-server=registry.cn-beijing.aliyuncs.com \
--docker-username=your_username \
--docker-password=your_passwd

[root@master0 tests]# k get secret
NAME                              TYPE                             DATA   AGE
aliyun-docker                     kubernetes.io/dockerconfigjson   1      11h
kubernetes-dashboard-certs        kubernetes.io/tls                2      42d
kubernetes-dashboard-csrf         Opaque                           1      42d
kubernetes-dashboard-key-holder   Opaque                           2      42d

k explain pod.spec.imagePullSecrets

[root@master0 tests]# k explain pod.spec.imagePullSecrets
KIND:       Pod
VERSION:    v1

FIELD: imagePullSecrets <[]LocalObjectReference>


DESCRIPTION:
    ImagePullSecrets is an optional list of references to secrets in the same
    namespace to use for pulling any of the images used by this PodSpec. If
    specified, these secrets will be passed to individual puller implementations
    for them to use. More info:
    https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
    LocalObjectReference contains enough information to let you locate the
    referenced object inside the same namespace.

FIELDS:
  name	<string>
    Name of the referent. This field is effectively required, but due to
    backwards compatibility is allowed to be empty. Instances of this type with
    an empty value here are almost certainly wrong. More info:
    https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

Update the Pod manifest to reference the secret

01-image-pull.yaml

kind: Pod
apiVersion: v1
metadata:
  name: imagepull-nginx
  labels:
    group: imagepull
spec:
  imagePullSecrets:
    - name: aliyun-docker
  containers:
    - name: nginx
      image: registry.cn-beijing.aliyuncs.com/hkui_dev/nginx

Apply the Pod again and the image pull succeeds.
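What the `aliyun-docker` secret created above actually stores, as an added example that is not part of the original post: a `kubernetes.io/dockerconfigjson` Secret holds the registry credentials base64-encoded, not encrypted, so anyone who can read Secrets in the namespace can recover the password. The function names are hypothetical and the credentials are constructed sample values.

```python
import base64
import json


def build_pull_secret(name, server, username, password):
    """Return a Secret manifest of type kubernetes.io/dockerconfigjson."""
    # "auth" is base64("username:password"), the form Docker's config.json uses.
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    docker_config = {
        "auths": {server: {"username": username, "password": password, "auth": auth}}
    }
    payload = json.dumps(docker_config).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        # Values under "data" are base64-encoded, not encrypted.
        "data": {".dockerconfigjson": base64.b64encode(payload).decode()},
    }


def read_pull_secret(manifest):
    """Decode a dockerconfigjson Secret back to {server: (username, password)}."""
    if manifest.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a dockerconfigjson secret")
    raw = base64.b64decode(manifest["data"][".dockerconfigjson"])
    creds = {}
    for server, entry in json.loads(raw)["auths"].items():
        if "auth" in entry:
            # Some tools store only "auth"; split on the first ":" because
            # passwords may themselves contain colons.
            user, _, pwd = base64.b64decode(entry["auth"]).decode().partition(":")
        else:
            user, pwd = entry["username"], entry["password"]
        creds[server] = (user, pwd)
    return creds


if __name__ == "__main__":
    # Constructed sample values; the server and names match this page's placeholders.
    secret = build_pull_secret(
        "aliyun-docker", "registry.cn-beijing.aliyuncs.com",
        "your_username", "pass:with:colons",
    )
    print(json.dumps(secret, indent=2))
    print(read_pull_secret(secret))
```

Access to this Secret is therefore governed by RBAC on `secrets` in the namespace, whichever of the two referencing methods is used.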

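Using a ServiceAccount

Sometimes having imagePullSecrets directly in the Pod manifest is rather conspicuous: anyone reading it can see at a glance that credentials are involved.

A ServiceAccount can carry the reference instead. The ServiceAccount admission controller then adds the imagePullSecrets entry to each Pod that uses the account, so this keeps the reference out of the Pod manifests; it still appears in the live Pod object.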

02-imagepull-sa.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: 02-imagepull-sa
imagePullSecrets:
  - name: aliyun-docker

k apply -f 02-imagepull-sa.yaml

[root@master0 tests]# k get sa
NAME                   SECRETS   AGE
02-imagepull-sa        0         7h
default                0         42d
kubernetes-dashboard   0         42d

Change the Pod that pulls the image to:

02-imagepull-sa-pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: 02-imagepull-sa-pod
spec:
  # serviceAccount is a deprecated alias for serviceAccountName
  serviceAccountName: 02-imagepull-sa
  containers:
    - name: nginx
      image: registry.cn-beijing.aliyuncs.com/hkui_dev/nginx

Then apply the Pod.

posted @ 2025-03-20 19:30  H&K