
Title: 512. [kubernetes] Fixing image pull failures from a private registry

Author: 快樂星情    Time: 2025-1-2 09:43
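Environment:

My registry is set up on CentOS 7. Before the error appeared, I had already placed the registry's certificate at /etc/containerd/certs.d/registry.xxxxxxxxx.cn/registry.xxxxxxxxx.cn.crt, but pulling the image from inside the kubernetes cluster still produced the error below: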
Failed to pull image "registry.xxxxxxxxx.cn/xxxxxxxxx-server:0.0.11": rpc error: code = Unknown desc = failed to pull and unpack image "registry.xxxxxxxxx.cn/xxxxxxxxx-server:0.0.11": failed to resolve reference "registry.xxxxxxxxx.cn/xxxxxxxxx-server:0.0.11": failed to do request: Head "https://registry.xxxxxxxxx.cn/v2/xxxxxxxxx-server/manifests/0.0.11": x509: certificate signed by unknown authority
My guess here is that kubernetes does not automatically read the private registry's certificate.
Resolution steps

cp /etc/containerd/certs.d/registry.xxxxxxxxx.cn/registry.xxxxxxxxx.cn.crt /etc/pki/ca-trust/source/anchors/
ln -s /etc/pki/ca-trust/source/anchors/registry.xxxxxxxxx.cn.crt /etc/ssl/certs/registry.xxxxxxxxx.cn.crt
update-ca-trust
systemctl restart containerd # This step alone may be enough
OK.
[Verified 2022-12-07]: importing domain.crt really is required; simply restarting containerd does not work. The certificate import steps on Ubuntu are as follows:
root@OpenStack:~# cp /etc/containerd/certs.d/registry.xxxxxxxxx.cn/registry.xxxxxxxxx.cn.crt /usr/local/share/ca-certificates/
root@OpenStack:~# update-ca-certificates
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@OpenStack:~# systemctl restart containerd.service
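
A check that can be run between the import and the containerd restart, as an added example that is not part of the original post: it uses `openssl verify` to confirm that the registry certificate is accepted by a CA bundle. The function names and the default bundle path are assumptions; the bundle paths in the comments are the distributions' usual locations, not values from the post.

```shell
#!/bin/sh
# Added example: does a CA bundle accept the registry certificate?
# Usual system bundles (assumed, not taken from the post):
#   CentOS 7: /etc/pki/tls/certs/ca-bundle.crt
#   Ubuntu:   /etc/ssl/certs/ca-certificates.crt

# is_pem_cert FILE -> 0 if FILE parses as a PEM X.509 certificate
is_pem_cert() {
    openssl x509 -in "$1" -noout 2>/dev/null
}

# cert_trusted CERT BUNDLE
#   0 = CERT verifies against BUNDLE
#   1 = CERT is valid PEM but not trusted (the "unknown authority" case)
#   2 = CERT or BUNDLE is unreadable, or CERT is not a PEM certificate
cert_trusted() {
    cert=$1
    bundle=$2
    [ -r "$cert" ] && [ -r "$bundle" ] || return 2
    is_pem_cert "$cert" || return 2
    # Match the "<file>: OK" line rather than the exit status, which
    # old OpenSSL releases left at 0 even when verification failed.
    if openssl verify -CAfile "$bundle" "$cert" 2>/dev/null | grep -q ': OK$'; then
        return 0
    fi
    return 1
}

# Stand-alone use: sh check_registry_cert.sh CERT [BUNDLE]
if [ "$#" -ge 1 ]; then
    rc=0
    cert_trusted "$1" "${2:-/etc/ssl/certs/ca-certificates.crt}" || rc=$?
    case $rc in
        0) echo "trusted: $1" ;;
        1) echo "NOT trusted: $1 (import it into the trust store first)" ;;
        *) echo "cannot check: unreadable file or not a PEM certificate" ;;
    esac
    exit "$rc"
fi
```

A certificate imported into the system store is trusted by every TLS client on the node, not only by containerd.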



