Here is an introduction to pulling private repository images through secret configuration.
If you do not set it, when you create an RC pull image, you will be prompted that the image cannot be found, and the following error will be reported:
Events:
FirstSeen LastSeen Count From SubObjectPath Type Reason Message
--------- -------- ----- ---- ------------- -------- ------ -------
49s 49s 1 {default-scheduler } Normal Scheduled Successfully assigned webapp-xq03t to master
48s 11s 3 {kubelet master} spec.containers{webapp} Normal Pulling pulling image "e5:8889/tomcat"
48s 11s 3 {kubelet master} spec.containers{webapp} Warning Failed Failed to pull image "e5:8889/tomcat": Error: image tomcat:latest not found
48s 11s 3 {kubelet master} Warning FailedSync Error syncing pod, skipping: failed to "StartContainer" for "webapp" with ErrImagePull: "Error: image tomcat:latest not found"
47s 0s 3 {kubelet master} spec.containers{webapp} Normal BackOff Back-off pulling image "e5:8889/tomcat"
47s 0s 3 {kubelet master} Warning FailedSync Error syncing pod, skipping: failed to "StartContainer" for "webapp" with ImagePullBackOff: "Back-off pulling image \"e5:8889/tomcat\""
create secret
kubectl create secret docker-registry registrysecret --docker-server=e5:8889 \
--docker-username=admin --docker-password=xxxx [email protected]
Using secret in RC
apiVersion: v1
kind: ReplicationController
metadata:
name: webapp
spec:
replicas: 2
template:
metadata:
name: webapp
labels:
app: webapp
spec:
containers:
- name: webapp
imagePullPolicy: Always
image: e5:8889/tomcat:latest
ports:
- containerPort: 80
imagePullSecrets:
- name: registrysecret
The key lies in imagePullSecrets .
If this is the only case, it is too cumbersome to add these 2 lines of configuration every time you write a yaml script.
We need to make it automatically available for download from private repositories by default and it is a few steps away.
Configure default rules
Set the key to the default account of k8s:
kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "registrysecret"}]}'
View the default account configuration:
kubectl get serviceaccounts default -o yaml
Take a look at the detailed configuration of the default account:
apiVersion: v1
imagePullSecrets:
- name: registrysecret
kind: ServiceAccount
metadata:
creationTimestamp: 2018-03-11T15:28:06Z
name: default
namespace: default
resourceVersion: "997965"
selfLink: /api/v1/namespaces/default/serviceaccounts/default
uid: cc20a274-2540-11e8-8755-3497f600e8ed
secrets:
- name: default-token-5qvkp
We found that it has been added imagePullSecrets
, so that we don't need to add this configuration to each yaml script in the future, it will be added automatically.
Different namespace namespace secrets are isolated , only the default namespace is demonstrated here.
PS: It should be noted that ServiceAccount must be activated here , otherwise an error will be reported.