kubelet无法提取图像-x509:未知授权机构签署的证书 [英] kubelet failed to pull image - x509: certificate signed by unknown authority
问题描述
我正在按照"kubernetes-the-way-way-tutorial"的步骤,在Windows 7上的VMware Workstation中运行的CentOS 7.3系统的群集上安装Kubernetes 1.9.0.当我进入教程的验证阶段并尝试开始busybox部署时(
I am trying to install Kubernetes 1.9.0 on a cluster of CentOS 7.3 systems running in VMware Workstation on Windows 7, following the "kubernetes-the-hard-way tutorial". When I get to the verification stage in the tutorial and try to start the busybox deployment (https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/master/docs/12-dns-addon.md), the pod status remains stuck at "ContainerCreating".
应该在Pod上运行的节点的kubelet日志显示以下错误消息:
The kubelet log for the node that the pod supposed to run on shows these error messages:
failed to get sandbox image \"gcr.io/google_containers/pause:3.0\":
failed to pull image \"gcr.io/google_containers/pause:3.0\":
failed to pull image \"gcr.io/google_containers/pause:3.0\":
httpReaderSeeker: failed open: failed to do request:
Get https://storage.googleapis.com/artifacts.google-containers.appspot.com/containers/images/sha256:f112334343777b75be77ec1f835e3bbbe7d7bd46e27b6a2ae35c6b3cfea0987c: x509: certificate signed by unknown authority
我将这两个域都添加到了/etc/docker/daemon.json中不安全的注册表列表中:
I added both of those domains to the list of insecure registries in /etc/docker/daemon.json:
{
"insecure-registries" : ["gcr.io"],
"insecure-registries" : ["googleapis.com"]
}
Docker能够从命令行提取图像:
Docker is able to pull the image from the command line:
docker pull gcr.io/google_containers/pause:3.0
Trying to pull repository gcr.io/google_containers/pause ...
3.0: Pulling from gcr.io/google_containers/pause
a3ed95caeb02: Pull complete
f11233434377: Pull complete
Digest: sha256:0d093c962a6c2dd8bb8727b661e2b5f13e9df884af9945b4cc7088d9350cd3ee
任何想法为何kubelet无法拉出图像?
Any ideas why the kubelet is unable to pull the image?
谢谢, TI
推荐答案
daemon.json
中的语法为
"insecure-registries" : ["gcr.io" , "googleapis.com"]
另外,根据所访问的注册表,您可能必须执行" kubectl create secret docker-registry ...
操作,如
"Also depending of the registries you are accessing, you may have to perform a "kubectl create secret docker-registry ...
" action as explained here
最后,您可能必须通过在/etc/docker/certs.d
中创建一个包含证书的新目录来将证书定义为docker
,如
Finally, you may have to define the certificate to docker
by creating a new directory in /etc/docker/certs.d
containing the certificates as explained here
这篇关于kubelet无法提取图像-x509:未知授权机构签署的证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!