Getting "x509: certificate signed by unknown authority" even with "--insecure-skip-tls-verify" option in Kubernetes


Problem description


I have a private Docker image registry running on a Linux VM (10.78.0.228:5000) and a Kubernetes master running on a different VM running Centos Linux 7.

I used the below command to create a POD:
kubectl create --insecure-skip-tls-verify -f monitorms-rc.yml

I get this:

sample monitorms-mmqhm 0/1 ImagePullBackOff 0 8m

and upon running: kubectl describe pod monitorms-mmqhm --namespace=sample

Warning Failed Failed to pull image "10.78.0.228:5000/monitorms": Error response from daemon: {"message":"Get https://10.78.0.228:5000/v1/_ping: x509: certificate signed by unknown authority"}

Isn't Kubernetes supposed to ignore the server certificate for all operations during POD creation when the --insecure-skip-tls-verify is passed?

If not, how do I make it ignore the tls verification while pulling the docker image?

PS:

Kubernetes version:

Client Version: v1.5.2 Server Version: v1.5.2

I have raised this issue here: https://github.com/kubernetes/kubernetes/issues/43924

Solution

The issue you're seeing is actually a docker issue. Using --insecure-skip-tls-verify is a valid arg to kubectl, but it only deals with the connection between kubectl and the kubernetes API server. The error you're seeing is actually because the docker daemon cannot log in to the private registry because the cert it's using is unsigned.

Have a look at the Docker insecure registry docs and this should solve your problem.
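An added example, not part of the original answer: rather than disabling verification, the Docker daemon on each node that pulls the image can be told to trust the registry's CA through its per-registry `certs.d` directory, and `daemon.json` can be audited for a registry listed under `insecure-registries`. The registry address is the one from the question; the file name `ca.pem` and the optional third argument (an alternate Docker config root) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: make a node's Docker daemon trust a private registry's CA
# instead of switching TLS verification off for that registry.
# Assumptions: REGISTRY is taken from the question; ca.pem is a hypothetical name.

REGISTRY="10.78.0.228:5000"

# Docker reads per-registry CAs from <docker_etc>/certs.d/<host:port>/ca.crt.
install_registry_ca() {
    ca_file=$1; registry=$2; docker_etc=${3:-/etc/docker}

    # Refuse anything that is not a readable PEM certificate.
    if [ ! -r "$ca_file" ] || ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file"; then
        echo "not a PEM certificate: $ca_file" >&2
        return 1
    fi
    # The directory name must be exactly the host:port used in the image name;
    # reject path separators and ".." so the copy cannot land elsewhere.
    case $registry in
        *[!A-Za-z0-9.:-]*|*..*|'') echo "bad registry name: $registry" >&2; return 1 ;;
    esac

    dest="$docker_etc/certs.d/$registry"
    mkdir -p "$dest" && cp "$ca_file" "$dest/ca.crt" && chmod 0644 "$dest/ca.crt"
}

# Audit helper: exit status 0 if daemon.json lists the registry under
# "insecure-registries", i.e. certificate verification is disabled for it.
registry_is_insecure() {
    daemon_json=$1; registry=$2
    [ -r "$daemon_json" ] || return 1
    tr -d ' \n\t' < "$daemon_json" |
        grep -o '"insecure-registries":\[[^]]*]' |
        grep -q -F "\"$registry\""
}

# Typical use on a node (run as root):
#   install_registry_ca ./ca.pem "$REGISTRY"
#   registry_is_insecure /etc/docker/daemon.json "$REGISTRY" && echo "verification disabled"
```
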
