512.【kubernetes】办理registry私有堆栈 pull 镜像失败标题

手机游戏开发者 · 2024-9-5 07:04:14

情况分析：

我registry搭建的情况在centos7上，在出现报错之前，已经在将registry的证书放在了/etc/containerd/certs.d/registry.xxxxxxxxx.cn/registry.xxxxxxxxx.cn.crt 目次下，效果在kubernetes集群内部 pull 镜像时，照旧出现了下面的报错：
Failed to pull image "registry.xxxxxxxxx.cn/xxxxxxxxx-server:0.0.11": rpc error: code = Unknown desc = failed to pull and unpack image "registry.xxxxxxxxx.cn/xxxxxxxxx-server:0.0.11": failed to resolve reference "registry.xxxxxxxxx.cn/xxxxxxxxx-server:0.0.11": failed to do request: Head "https://registry.xxxxxxxxx.cn/v2/xxxxxxxxx-server/manifests/0.0.11": x509: certificate signed by unknown authority

在 kubernetes 集群外部用 nerdctl pull 镜像时没标题标，能读取 /etc/containerd/certs.d/domin/domain.crt 证书，并认证乐成

这里猜测是kubernetes不会去主动读取镜像私有堆栈的证书
办理步调

cp /etc/containerd/certs.d/registry.xxxxxxxxx.cn/registry.xxxxxxxxx.cn.crt /etc/pki/ca-trust/source/anchors/ln -s /etc/pki/ca-trust/source/anchors/registry.xxxxxxxxx.cn.crt /etc/ssl/certs/registry.xxxxxxxxx.cn.crtupdate-ca-trust systemctl restart containerd # 大概只必要这一步就可以了

先是按照centos 导入证书的操作，导入 domain.crt
再是重启 containerd。（这里我就没有继续细化去验证了，我以为不导入domain.crt ，直接重启 containerd 也能办理标题。）

OK。
[2022-12-07验证]：确实必要导入 domain.crt，直接重启 containerd 是不可的。ubuntu 证书导入步调如下：
root@OpenStack:~# cp /etc/containerd/certs.d/registry.xxxxxxxxx.cn/registry.xxxxxxxxx.cn.crt /usr/local/share/ca-certificates/root@OpenStack:~# update-ca-certificatesUpdating certificates in /etc/ssl/certs...rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL1 added, 0 removed; done.Running hooks in /etc/ca-certificates/update.d...done.root@OpenStack:~# systemctl restart containerd.service

512.【kubernetes】办理registry私有堆栈 pull 镜像失败标题

所属分类: 问答交流

新帖推荐: 30日

推荐作品