Automatically use secret when pulling from private registry

Question

Is it possible to globally (or at least per namespace), configure kubernetes to always use an image pull secret when connecting to a private repo? There are two use cases:

I know it is possible to do this on a service account basis but without writing a controller to add this to every new service account created it would get a bit of a mess.

Is there a way to set this globally so if kube tries to pull from registry X it uses secret Y?

Thanks

Answer

As far as I know, usually the default serviceAccount is responsible for pulling the images. To easily add imagePullSecrets to a serviceAccount you can use the patch command:

kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "mySecret"}]}'

It's possible to use kubectl patch in a script that inserts imagePullSecrets on serviceAccounts across all namespaces.

If it's too complicated to manage multiple namespaces you can have a look at kubernetes-replicator, which syncs resources between namespaces.
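The scripted variant of the patch above, as an added example that is not part of the answer: it walks every namespace and attaches the secret to the default serviceAccount. One caveat worth building in: a `kubectl patch` with `{"imagePullSecrets": [...]}` replaces the whole list, so the script carries existing entries over and is safe to re-run. It assumes kubectl is on PATH and that a docker-registry Secret named mySecret (the answer's example name) already exists in each namespace, since Secrets are namespaced.

```python
import json
import subprocess

REGISTRY_SECRET = "mySecret"  # assumed name, reusing the answer's example


def with_pull_secret(sa: dict, secret_name: str) -> list:
    """Return sa's imagePullSecrets list with secret_name included.

    The patch replaces the whole imagePullSecrets list, so existing entries
    are kept rather than dropped; an entry already present is not duplicated.
    """
    existing = list(sa.get("imagePullSecrets") or [])
    if any(entry.get("name") == secret_name for entry in existing):
        return existing
    return existing + [{"name": secret_name}]


def patch_json(sa: dict, secret_name: str) -> str:
    """Build the -p argument for `kubectl patch serviceaccount`."""
    return json.dumps({"imagePullSecrets": with_pull_secret(sa, secret_name)})


def patch_all_namespaces(secret_name: str = REGISTRY_SECRET,
                         account: str = "default") -> int:
    """Patch `account` in every namespace; return how many were changed."""
    out = subprocess.check_output(
        ["kubectl", "get", "serviceaccounts", "--all-namespaces", "-o", "json"])
    patched = 0
    for sa in json.loads(out)["items"]:
        meta = sa["metadata"]
        if meta["name"] != account:
            continue
        if with_pull_secret(sa, secret_name) == (sa.get("imagePullSecrets") or []):
            continue  # secret already attached, nothing to change
        subprocess.check_call(["kubectl", "patch", "serviceaccount", account,
                               "-n", meta["namespace"], "-p",
                               patch_json(sa, secret_name)])
        patched += 1
    return patched


if __name__ == "__main__":
    print(f"patched {patch_all_namespaces()} service account(s)")
```

Namespaces where the Secret does not exist still get patched, but pods there will fail to pull until the Secret is created or replicated (kubernetes-replicator, mentioned above, covers that part).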

Solution 2:
This section of the doc explains how you can set the private registry on a node basis:

Here are the recommended steps to configure your nodes to use a private registry. In this example, run these on your desktop/laptop:

  1. Run docker login [server] for each set of credentials you want to use. This updates $HOME/.docker/config.json.
  2. View $HOME/.docker/config.json in an editor to ensure it contains just the credentials you want to use.
  3. Get a list of your nodes, for example:

  • If you want the names:
    nodes=$(kubectl get nodes -o jsonpath='{range.items[*].metadata}{.name} {end}')

If you want to get the IPs:
nodes=$(kubectl get nodes -o jsonpath='{range .items[*].status.addresses[?(@.type=="ExternalIP")]}{.address} {end}')

Copy your local .docker/config.json to one of the search paths listed above. For example:

for n in $nodes; do scp ~/.docker/config.json root@$n:/var/lib/kubelet/config.json; done

Solution 3:
A (very dirty!) way I discovered to not need to set up an imagePullSecret on a deployment / serviceAccount basis is to:

  1. Set ImagePullPolicy: IfNotPresent
  2. Pull the image in each node
    2.1. manually using docker pull myrepo/image:tag.
    2.2. using a script or a tool like docker-puller to automate that process.

Well, I think I don't need to explain how ugly that is.

PS: If it helps, I found an issue on kubernetes/kops about the feature of creating a global configuration for private registry.
