从私有注册表中拉出时自动使用秘密 [英] Automatically use secret when pulling from private registry

问题描述

是否可以全局(或至少每个名称空间)配置kubernetes，使其在连接到私有存储库时始终使用映像拉密钥? 有两种用例:

Is it possible to globally (or at least per namespace), configure kubernetes to always use an image pull secret when connecting to a private repo? There are two use cases:

1. 当用户在部署中的私有注册表中指定容器时
2. 当用户在我们的私人仓库中指向Helm图表时(因此我们无法控制图片提取秘密标签).

我知道可以在服务上进行此操作帐户基础，但是如果不编写控制器将其添加到创建的每个新服务帐户中，则会有些混乱.

I know it is possible to do this on a service account basis but without writing a controller to add this to every new service account created it would get a bit of a mess.

是否有办法全局设置此值，因此，如果kube尝试从注册表X中提取，它会使用秘密Y?

Is there are way to set this globally so if kube tries to pull from registry X it uses secret Y?

谢谢

推荐答案

据我所知，通常默认 serviceAccount负责提取图像. 要将imagePullSecrets轻松添加到serviceAccount，可以使用 patch命令:

As far as I know, usually the default serviceAccount is responsible for pulling the images. To easily add imagePullSecrets to a serviceAccount you can use the patch command:

kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "mySecret"}]}'

可以在脚本中使用kubectl patch，该脚本会在所有命名空间的serviceAccounts上插入imagePullSecrets.

It's possible to use kubectl patch in a script that inserts imagePullSecrets on serviceAccounts across all namespaces.

如果管理多个名称空间太复杂，可以查看 kubernetes-replicator ，它可以在名称空间之间同步资源.

If it´s too complicated to manage multiple namespaces you can have look at kubernetes-replicator, which syncs resources between namespaces.

解决方案2:
文档的本部分说明了如何在节点上设置私有注册表:

Solution 2:
This section of the doc explains how you can set the private registry on a node basis:

以下是建议的步骤，用于配置您的节点以使用 私人注册表.在此示例中，在您的台式机/笔记本电脑上运行它们:

Here are the recommended steps to configuring your nodes to use a private registry. In this example, run these on your desktop/laptop:

1. 为要使用的每组凭据运行docker login [server].这将更新$HOME/.docker/config.json.
2. 在编辑器中查看$HOME/.docker/config.json以确保它仅包含您要使用的凭据.

3. 获取您的节点列表，例如:

1. Run docker login [server] for each set of credentials you want to use. This updates $HOME/.docker/config.json.
2. View $HOME/.docker/config.json in an editor to ensure it contains just the credentials you want to use.

3. Get a list of your nodes, for example:

• 如果需要名称:
  nodes = $(kubectl获取节点-o jsonpath ='{range.items [*].metadata} {.name} {end}')

• If you want the names:
  nodes=$(kubectl get nodes -o jsonpath='{range.items[*].metadata}{.name} {end}')

如果要获取IP:
nodes = $(kubectl获取节点-o jsonpath ='{range .items [*].status.addresses [?(@.type =="ExternalIP")]} {.address} {end}')

If you want to get the IPs:
nodes=$(kubectl get nodes -o jsonpath='{range .items[*].status.addresses[?(@.type=="ExternalIP")]}{.address} {end}')

将本地.docker/config.json复制到上面的搜索路径列表之一.例如:

Copy your local .docker/config.json to one of the search paths list above. for example:

对于$ nodes中的n；做scp〜/.docker/config.json root @ $ n:/var/lib/kubelet/config.json;完成

for n in $nodes; do scp ~/.docker/config.json root@$n:/var/lib/kubelet/config.json; done

解决方案3:
我发现不需要基于Deployment/serviceAccount设置imagePullSecret的一种方法(非常脏！)是:

Solution 3:
A (very dirty!) way I discovered to not need to set up an imagePullSecret on a deployment / serviceAccount basis is to:

1. 设置ImagePullPolicy:IfNotPresent
2. 在每个节点中拉图像
   2.1.手动使用docker pull myrepo/image:tag.
   2.2.使用脚本或类似 docker-puller 之类的工具来自动化该过程.

1. Set ImagePullPolicy: IfNotPresent
2. Pulling the image in each node
   2.1. manually using docker pull myrepo/image:tag.
   2.2. using a script or a tool like docker-puller to automate that process.

好吧，我想我不需要解释这有多丑.

Well, I think I don't need to explain how ugly is that.

PS :如果有帮助，我发现了一个问题在kubernetes/kops上，介绍了为私有注册表创建全局配置的功能.

PS: If it helps, I found an issue on kubernetes/kops about the feature of creating a global configuration for private registry.

这篇关于从私有注册表中拉出时自动使用秘密的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！