Pulling images from private repository in kubernetes without using imagePullSecrets

Problem description

I am new to kubernetes deployments, so I wanted to know: is it possible to pull images from a private repo without using imagePullSecrets in the deployment yaml files, or is it mandatory to create a docker registry secret and pass that secret in imagePullSecrets? I also looked at adding imagePullSecrets to a service account, but that is not the requirement. I would love to know whether, if I set up creds in variables, kubernetes can use them to pull those images. I also wanted to know how it can be achieved, and a reference to a document would work. Thanks in advance.

Recommended answer

As long as you're using Docker on your Kubernetes nodes (please note that Docker support has itself recently been deprecated in Kubernetes), you can authenticate the Docker engine on your nodes itself against your private registry.

Essentially, this boils down to running docker login on your machine and then copying the resulting credentials JSON file directly onto your nodes. This, of course, only works if you have direct control over your node configuration.

See the documentation for more information:

If you run Docker on your nodes, you can configure the Docker container runtime to authenticate to a private container registry.

This approach is suitable if you can control node configuration.

Docker stores keys for private registries in the $HOME/.dockercfg or $HOME/.docker/config.json file. If you put the same file in the search paths list below, kubelet uses it as the credential provider when pulling images.

  • {--root-dir:-/var/lib/kubelet}/config.json
  • {cwd of kubelet}/config.json
  • ${HOME}/.docker/config.json
  • /.docker/config.json
  • {--root-dir:-/var/lib/kubelet}/.dockercfg
  • {cwd of kubelet}/.dockercfg
  • ${HOME}/.dockercfg
  • /.dockercfg

Note: You may have to set HOME=/root explicitly in the environment of the kubelet process.

Here are the recommended steps to configuring your nodes to use a private registry. In this example, run these on your desktop/laptop:

  • Run docker login [server] for each set of credentials you want to use. This updates $HOME/.docker/config.json on your PC.
  • View $HOME/.docker/config.json in an editor to ensure it contains just the credentials you want to use.
  • Get a list of your nodes; for example:
    • if you want the names: nodes=$( kubectl get nodes -o jsonpath='{range.items[*].metadata}{.name} {end}' )
    • if you want to get the IP addresses: nodes=$( kubectl get nodes -o jsonpath='{range .items[*].status.addresses[?(@.type=="ExternalIP")]}{.address} {end}' )

Note: For production clusters, use a configuration management tool so that you can apply this setting to all the nodes where you need it.
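
The "view config.json to ensure it contains just the credentials you want to use" step can be scripted before the file is distributed to nodes. The following is an added example, not part of the original answer or the Kubernetes documentation; the function name audit_docker_config, the registry host names and the sample file are constructed for illustration, and it assumes the standard Docker config.json keys (auths, credsStore, credHelpers).

```python
import base64
import json


def audit_docker_config(text, allowed_registries):
    """Check a Docker config.json (as a string) before it is copied to nodes.
    Returns (usable, problems); usable maps registry -> username."""
    cfg = json.loads(text)
    usable, problems = {}, []
    # Credential stores and helpers keep the secret outside config.json, so a
    # copied file would carry no credentials for the registries they cover.
    if cfg.get("credsStore"):
        problems.append(f"credsStore {cfg['credsStore']!r}: secrets are not in this file")
    for reg, helper in cfg.get("credHelpers", {}).items():
        problems.append(f"{reg}: uses credential helper {helper!r}")
    for reg, entry in cfg.get("auths", {}).items():
        if reg not in allowed_registries:
            problems.append(f"{reg}: not on the allow-list, remove before copying")
            continue
        try:
            # "auth" is base64("username:password"); the secret is never printed.
            raw = base64.b64decode(entry.get("auth", ""), validate=True).decode()
        except ValueError:
            problems.append(f"{reg}: 'auth' is not valid base64 text")
            continue
        user, sep, secret = raw.partition(":")
        if not (user and sep and secret):
            problems.append(f"{reg}: no inline username:password in 'auth'")
            continue
        usable[reg] = user
    return usable, problems


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample file; host names and credentials are placeholders.
SAMPLE = json.dumps({
    "auths": {
        "registry.example.com": {"auth": _b64("ci-puller:placeholder-token")},
        "https://index.docker.io/v1/": {"auth": _b64("personal:placeholder-token")},
        "ghcr.example.net": {},
    },
    "credHelpers": {"gcr.example.org": "gcloud"},
})

if __name__ == "__main__":
    ok, issues = audit_docker_config(SAMPLE, {"registry.example.com", "ghcr.example.net"})
    print("usable:", ok, *issues, sep="\n")
```

An empty entry under auths is what docker login leaves behind when a credential store is in use, which is why a file that works on a desktop can fail to authenticate once copied to a node.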
