kubelet无法提取图像-x509:未知授权机构签署的证书 [英] kubelet failed to pull image - x509: certificate signed by unknown authority

问题描述

我正在按照"kubernetes-the-way-way-tutorial"的步骤，在Windows 7上的VMware Workstation中运行的CentOS 7.3系统的群集上安装Kubernetes 1.9.0.当我进入教程的验证阶段并尝试开始busybox部署时(

I am trying to install Kubernetes 1.9.0 on a cluster of CentOS 7.3 systems running in VMware Workstation on Windows 7, following the "kubernetes-the-hard-way tutorial". When I get to the verification stage in the tutorial and try to start the busybox deployment (https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/master/docs/12-dns-addon.md), the pod status remains stuck at "ContainerCreating".

应该在Pod上运行的节点的kubelet日志显示以下错误消息:

The kubelet log for the node that the pod supposed to run on shows these error messages:

failed to get sandbox image \"gcr.io/google_containers/pause:3.0\":
failed to pull image \"gcr.io/google_containers/pause:3.0\":
failed to pull image \"gcr.io/google_containers/pause:3.0\":
httpReaderSeeker: failed open: failed to do request:
Get https://storage.googleapis.com/artifacts.google-containers.appspot.com/containers/images/sha256:f112334343777b75be77ec1f835e3bbbe7d7bd46e27b6a2ae35c6b3cfea0987c: x509: certificate signed by unknown authority

我将这两个域都添加到了/etc/docker/daemon.json中不安全的注册表列表中:

I added both of those domains to the list of insecure registries in /etc/docker/daemon.json:

{
  "insecure-registries" : ["gcr.io"],
  "insecure-registries" : ["googleapis.com"]
}

Docker能够从命令行提取图像:

Docker is able to pull the image from the command line:

docker pull gcr.io/google_containers/pause:3.0
Trying to pull repository gcr.io/google_containers/pause ...
3.0: Pulling from gcr.io/google_containers/pause
a3ed95caeb02: Pull complete
f11233434377: Pull complete
Digest: sha256:0d093c962a6c2dd8bb8727b661e2b5f13e9df884af9945b4cc7088d9350cd3ee

任何想法为何kubelet无法拉出图像?

Any ideas why the kubelet is unable to pull the image?

谢谢， TI

推荐答案

daemon.json中的语法为

"insecure-registries" : ["gcr.io" , "googleapis.com"]

另外，根据所访问的注册表，您可能必须执行" kubectl create secret docker-registry ...操作，如

"Also depending of the registries you are accessing, you may have to perform a "kubectl create secret docker-registry ..." action as explained here

最后，您可能必须通过在/etc/docker/certs.d中创建一个包含证书的新目录来将证书定义为docker，如

Finally, you may have to define the certificate to docker by creating a new directory in /etc/docker/certs.d containing the certificates as explained here

这篇关于kubelet无法提取图像-x509:未知授权机构签署的证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！