How do I access a private Docker registry with a self-signed certificate using Kubernetes?


Question

Currently, running a private Docker registry (Artifactory) on an internal network that uses a self-signed certificate for authentication.

When Kubernetes starts up a new node, it is unable to auth with the private Docker registry because this new node does not have the self-signed certificate.

Any help would be much appreciated. Thanks!

Answer

The simplest solution I found after an extensive search is suggested in this guide by CoreOS: https://github.com/coreos/tectonic-docs/blob/master/Documentation/admin/add-registry-cert.md

It consists of creating a secret that contains your certificate and a DaemonSet to populate it to /etc/docker/certs.d/my-private-insecure-registry.com/ca.crt on all the nodes of your cluster.

I think this answers your question because, when adding a new node, the DaemonSet is automatically executed on it.

I give the detailed solution below, but all the credit goes to Kyle Brown (kbrwn) for his very cool guide (cf. link above).

Let's suppose that your certificate is a file named ca.crt in your working directory. Create a secret from this file content:

kubectl create secret generic registry-ca --namespace kube-system --from-file=registry-ca=./ca.crt

Then, use the following DaemonSet, which mounts the certificate as the file /home/core/registry-ca and copies it to the desired location: /etc/docker/certs.d/reg.example.com/ca.crt.

Simply replace my-private-insecure-registry.com with the hostname of your container registry.

# apps/v1 with an explicit selector; the extensions/v1beta1 DaemonSet API
# the original used has been removed from current Kubernetes releases.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: registry-ca
  namespace: kube-system
  labels:
    k8s-app: registry-ca
spec:
  selector:
    matchLabels:
      name: registry-ca
  template:
    metadata:
      labels:
        name: registry-ca
    spec:
      containers:
      - name: registry-ca
        image: busybox
        command: [ 'sh' ]
        # Copy the CA into the registry's certs.d directory on the host, then stay alive
        args: [ '-c', 'cp /home/core/registry-ca /etc/docker/certs.d/my-private-insecure-registry.com/ca.crt && exec tail -f /dev/null' ]
        volumeMounts:
        - name: etc-docker
          mountPath: /etc/docker/certs.d/my-private-insecure-registry.com
        - name: ca-cert
          mountPath: /home/core
          readOnly: true
      terminationGracePeriodSeconds: 30
      volumes:
      # hostPath is scoped to this one registry directory, not all of /etc/docker
      - name: etc-docker
        hostPath:
          path: /etc/docker/certs.d/my-private-insecure-registry.com
          type: DirectoryOrCreate
      - name: ca-cert
        secret:
          secretName: registry-ca

Save the file as registry-ca-ds.yaml and then create the DaemonSet:

kubectl create -f registry-ca-ds.yaml

You can now check that your application correctly pulls from your private self-signed registry.

As mentioned, the certificate will be added to new nodes' docker in an automatic fashion by the registry-ca DaemonSet. If you want to avoid this, simply delete the DaemonSet:

kubectl delete ds registry-ca --namespace kube-system

I think this is more secure than setting the insecure-registries flag of the docker daemon. Also, it is resilient to new nodes.
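The two steps of the answer (create the Secret from ca.crt, then a DaemonSet that copies it under /etc/docker/certs.d/<registry>/) as a small generator that works for any registry host. This is an added example, not the answer's or CoreOS's own code; the function names, the PEM check and the hostname validation are this example's own additions. Two checks matter here that the manual procedure does not enforce: the file put into the Secret must contain only CERTIFICATE blocks (a pasted private key would otherwise be distributed to every node), and the registry host must be a plain hostname[:port], because it is spliced into both a hostPath and a shell command inside the DaemonSet.

```python
"""Generate the Secret and DaemonSet manifests for trusting a private registry CA.
Added example; assumptions: kube-system namespace, the Secret key and the
DaemonSet name are both 'registry-ca', as in the answer above."""
import base64
import json
import re

# Constructed rule for what may appear under /etc/docker/certs.d/:
# dotted labels of letters, digits and hyphens, with an optional :port.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]*[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*(:[0-9]{1,5})?$",
    re.IGNORECASE,
)


def is_valid_registry_host(host: str) -> bool:
    """True only for a plain hostname[:port]; rejects '/', '..', spaces, shell metacharacters."""
    return bool(_HOST_RE.match(host))


def is_ca_pem(pem: str) -> bool:
    """True only if every PEM block in the text is a CERTIFICATE (no keys, no empty file)."""
    blocks = re.findall(r"-----BEGIN ([A-Z ]+)-----", pem)
    return bool(blocks) and all(b == "CERTIFICATE" for b in blocks)


def build_secret(pem: str, name: str = "registry-ca", namespace: str = "kube-system") -> dict:
    """Same object as `kubectl create secret generic registry-ca --from-file=registry-ca=./ca.crt`."""
    if not is_ca_pem(pem):
        raise ValueError("ca.crt must contain only PEM CERTIFICATE blocks")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {"registry-ca": base64.b64encode(pem.encode()).decode()},
    }


def build_daemonset(host: str, name: str = "registry-ca", namespace: str = "kube-system") -> dict:
    """DaemonSet that copies the mounted Secret into the registry's certs.d directory on each node."""
    if not is_valid_registry_host(host):
        raise ValueError(f"not a valid registry host: {host!r}")
    certs_dir = f"/etc/docker/certs.d/{host}"
    cmd = f"cp /home/core/registry-ca {certs_dir}/ca.crt && exec tail -f /dev/null"
    return {
        "apiVersion": "apps/v1",
        "kind": "DaemonSet",
        "metadata": {"name": name, "namespace": namespace, "labels": {"k8s-app": name}},
        "spec": {
            "selector": {"matchLabels": {"name": name}},
            "template": {
                "metadata": {"labels": {"name": name}},
                "spec": {
                    "containers": [{
                        "name": name,
                        "image": "busybox",
                        "command": ["sh"],
                        "args": ["-c", cmd],
                        "volumeMounts": [
                            {"name": "etc-docker", "mountPath": certs_dir},
                            {"name": "ca-cert", "mountPath": "/home/core", "readOnly": True},
                        ],
                    }],
                    "terminationGracePeriodSeconds": 30,
                    "volumes": [
                        # hostPath scoped to this one registry directory, not all of /etc/docker
                        {"name": "etc-docker",
                         "hostPath": {"path": certs_dir, "type": "DirectoryOrCreate"}},
                        {"name": "ca-cert", "secret": {"secretName": name}},
                    ],
                },
            },
        },
    }


def build_manifest_list(host: str, pem: str) -> dict:
    """A v1 List holding both objects, so one `kubectl apply -f -` creates them in order."""
    return {"apiVersion": "v1", "kind": "List", "items": [build_secret(pem), build_daemonset(host)]}


# Constructed placeholder: shaped like a PEM certificate, not a real one.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    import sys
    registry = sys.argv[1] if len(sys.argv) > 1 else "reg.example.com"
    ca_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_PEM
    # JSON is valid YAML, so: python3 gen.py reg.example.com ca.crt | kubectl apply -f -
    print(json.dumps(build_manifest_list(registry, ca_text), indent=2))
```

The generated DaemonSet matches the one in the answer except that it uses apps/v1 with a selector, mounts the Secret read-only and asks for the hostPath directory to be created if absent; a registry listening on a non-default port is handled too, since Docker expects the directory name host:port in that case.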
