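Background:

Set the default registry secret

To avoid referencing the secret every time you deploy from a private image, you can add the secret to the default service account of the namespace; see "Add ImagePullSecrets to a service account".

Otherwise, the following error is reported: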

rpc error: code
require 'docker login': denied: requested access to the resource is denied

 

This example uses manual configuration: it modifies the service account of the namespace with the secret hangzhou-cangku-login-secret, so that this secret becomes the default imagePullSecret.

 

Alibaba Cloud Kubernetes

1. Select the namespace and manually create a secret named "hangzhou-cangku-login-secret" under "Secrets" in the console (create it in the namespace that needs it)

 

 

2. Set the created "hangzhou-cangku-login-secret" as the default pull secret of the selected namespace

kubectl patch sa default -n xxxx -p '{"imagePullSecrets": [{"name": "hangzhou-cangku-login-secret"}]}'

 

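Self-managed Kubernetes

1. Create a secret named "hangzhou-cangku-login-secret"

kubectl create secret docker-registry hangzhou-cangku-login-secret --docker-server=xxxx.aliyuncs.com --docker-username=xxx@163.com --docker-password=xxxx --docker-email=xxxx

Notes

hangzhou-cangku-login-secret: the name of the secret; it can be customized.

--docker-server: the address of the Docker registry.

--docker-username: the user name for the Docker registry.

--docker-password: the login password for the Docker registry.

Optional: --docker-email: the e-mail address.

View the created secret

kubectl get secret hangzhou-cangku-login-secret

2. Create a configuration file sa.yaml and export the configuration of "hangzhou-cangku-login-secret" into it

kubectl get Secret hangzhou-cangku-login-secret -o yaml > ./sa.yaml

Run the following command to view the contents of sa.yaml

cat sa.yaml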
apiVersion: v1
data:
  .dockerconfigjson: <redacted base64 value>
kind: Secret
metadata:
  creationTimestamp: "2023-11-17T09:12:10Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:.dockerconfigjson: {}
      f:type: {}
    manager: kubectl
    operation: Update
    time: "2023-11-17T09:12:10Z"
  name: hangzhou-cangku-login-secret
  namespace: default
  resourceVersion: "2xxxx685"
  selfLink: /api/v1/namespaces/default/secrets/hangzhou-cangku-login-secret
  uid: c42cced4-e1a1-4f91-a0cd-f2xxxxa927
type: kubernetes.io/dockerconfigjson

Edit sa.yaml

Delete resourceVersion and add the imagePullSecrets item, which configures the secret used for pulling images. The modified configuration is as follows:

apiVersion: v1
data:
  .dockerconfigjson: <redacted base64 value>
kind: Secret
metadata:
  creationTimestamp: "2023-11-17T09:12:10Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:.dockerconfigjson: {}
      f:type: {}
    manager: kubectl
    operation: Update
    time: "2023-11-17T09:12:10Z"
  name: hangzhou-cangku-login-secret
  namespace: default
  selfLink: /api/v1/namespaces/default/secrets/hangzhou-cangku-login-secret
  uid: c42cced4-e1a1-4f91-a0cd-f249f160a927
secrets:
- name: hangzhou-cangku-login-secret
imagePullSecrets:
- name: hangzhou-cangku-login-secret
type: kubernetes.io/dockerconfigjson

3. Run the following command to apply the hangzhou-cangku-login-secret configuration and make it the default secret of the specified namespace

kubectl patch sa default -n xxx -p '{"imagePullSecrets": [{"name": "hangzhou-cangku-login-secret"}]}'
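
The exported sa.yaml carries the registry login in its .dockerconfigjson field, which is only base64-encoded. The following added example (not part of the original post; registry.example.com, demo-user, the password and the function names are constructed or hypothetical) shows that the value is reversible, masks the data values of a Secret manifest before it is shared, and prints a well-formed patch body for the service account.

```shell
#!/bin/sh
# Added example; every registry name, user and password here is constructed.
# Assumes the values contain no double quotes or backslashes (no JSON escaping).

# Build a .dockerconfigjson value like the one stored in a docker-registry secret.
make_dockerconfigjson() {  # args: server user password
  auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$1" "$2" "$3" "$auth" | base64 | tr -d '\n'
}

# base64 is an encoding, not encryption: the password comes straight back out.
password_from_dockerconfigjson() {  # arg: base64 value from the manifest
  printf '%s' "$1" | base64 -d | sed -n 's/.*"password":"\([^"]*\)".*/\1/p'
}

# Mask every value under "data:" in a Secret manifest read from stdin.
redact_secret_yaml() {
  awk '
    /^data:/               { in_data = 1; print; next }
    in_data && /^[^ ]/     { in_data = 0 }
    in_data && /^  [^ ]+:/ { sub(/:.*/, ": <redacted>"); print; next }
    { print }
  '
}

# Well-formed patch body: the outer braces make it a JSON object.
sa_patch_json() {  # arg: secret name
  printf '{"imagePullSecrets":[{"name":"%s"}]}' "$1"
}

# Demo on a constructed manifest (no cluster access needed).
value=$(make_dockerconfigjson registry.example.com demo-user 'Constructed-Pass-123')
echo "recovered password: $(password_from_dockerconfigjson "$value")"
printf 'apiVersion: v1\ndata:\n  .dockerconfigjson: %s\nkind: Secret\n' "$value" |
  redact_secret_yaml
echo "kubectl patch sa default -n <namespace> -p '$(sa_patch_json hangzhou-cangku-login-secret)'"
```
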

 

References:
https://www.alibabacloud.com/help/zh/ack/ack-managed-and-ack-dedicated/user-guide/faq-about-applications#section-b2s-ldm-84z
https://developer.aliyun.com/article/747719
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account

 

posted on 2023-11-20 11:42 by 小油2018