2025-01-21 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
1. Log in to Docker
Authenticate to the registry so that you can pull the private image:
docker login registry.hello.com
When prompted, enter your Docker username and password. The login process creates or updates the config.json file that contains the authorization token.
View the config.json file:
cat ~/.docker/config.json
{
    "auths": {
        "registry.hello.com": {
            "auth": "YWRtaW46YWRtaW4xMjM="
        }
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/18.09.0 (linux)"
    }
}
2. Create a Secret based on the existing Docker credentials
The Kubernetes cluster uses a Secret of type docker-registry to authenticate to the container registry and pull the private image. If you have already run docker login, you can copy that credential into Kubernetes:
# the Secret is named harbor
kubectl create secret generic harbor \
    --from-file=.dockerconfigjson=/root/.docker/config.json \
    --type=kubernetes.io/dockerconfigjson
If you need more control (for example, setting a namespace or a label on the new Secret), you can customize the Secret before storing it.
Be sure to:
Set the name of the data item to .dockerconfigjson
Base64-encode the Docker config file and paste the resulting string, unbroken, as the value of the field data[".dockerconfigjson"]
Set type to kubernetes.io/dockerconfigjson
apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyJyZWdpc3RyeS5jbi1oYW5nemhvdS5hbGl5dW5jcy5jb20iOnsicGFzc3dvcmQiOiJFY29uYWdlQGs4cyIsInVzZXJuYW1lIjoiazhzQGVjb25hZ2UifX19
kind: Secret
metadata:
  name: harbor
  namespace: default
type: kubernetes.io/dockerconfigjson
If you receive the error message `error: no objects passed to create`, this may mean that the base64-encoded string is invalid. If you receive an error similar to `Secret "myregistrykey" is invalid: data[.dockerconfigjson]: invalid value ...`, this means the data was successfully base64-decoded but could not be parsed as a `.docker/config.json` file.
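Added example (not from the original article): a Python check that tests a candidate data[".dockerconfigjson"] value for the two failure modes described above before the manifest is applied. The function name and the sample values are assumptions constructed for illustration; the check accepts both the "auth" form shown in step 1 and the username/password form.

```python
import base64
import json


def check_dockerconfigjson(b64_value):
    """Validate a Secret's data[".dockerconfigjson"] value.

    Returns (True, {registry: username}) or (False, reason).
    """
    try:
        # validate=True rejects line breaks and other stray characters
        raw = base64.b64decode(b64_value, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        return False, f"not valid base64: {exc}"
    try:
        cfg = json.loads(raw)
    except ValueError as exc:  # JSONDecodeError / UnicodeDecodeError
        return False, f"decoded, but not JSON: {exc}"
    auths = cfg.get("auths") if isinstance(cfg, dict) else None
    if not isinstance(auths, dict) or not auths:
        return False, 'decoded, but has no "auths" object'
    users = {}
    for registry, entry in auths.items():
        if not isinstance(entry, dict):
            return False, f"{registry}: entry is not an object"
        if "auth" in entry:
            try:
                # "auth" is only base64("user:password"), not encryption
                pair = base64.b64decode(entry["auth"], validate=True).decode()
            except (ValueError, TypeError) as exc:
                return False, f"{registry}: bad auth field: {exc}"
            user, sep, _ = pair.partition(":")
            if not sep:
                return False, f"{registry}: auth is not user:password"
        elif "username" in entry and "password" in entry:
            user = entry["username"]
        else:
            return False, f"{registry}: no credentials"
        users[registry] = user
    return True, users


# Constructed samples: the config.json from step 1, encoded as step 2 requires
PAGE_CONFIG = '{"auths": {"registry.hello.com": {"auth": "YWRtaW46YWRtaW4xMjM="}}}'
GOOD = base64.b64encode(PAGE_CONFIG.encode()).decode()
WRAPPED = GOOD[:20] + "\n" + GOOD[20:]             # string broken across lines
NOT_CONFIG = base64.b64encode(b"hello").decode()   # valid base64, wrong content
```

Because the "auth" field decodes directly to the username and password, anyone who can read the Secret or the node's config.json holds the registry credentials.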
3. Reference imagePullSecrets in the Pod
# under the Pod's spec
imagePullSecrets:
- name: harbor
4. Create a Secret using Docker configuration
kubectl create secret docker-registry myregistrykey \
    --docker-server=registry.hello.com \
    --docker-username=admin \
    --docker-password=admin123
Pods can only reference image pull Secrets in their own namespace, so this process must be completed once for each namespace.
5. Application scenarios
There are many solutions for configuring private registries. Here are some common use cases and recommended solutions.
1. The cluster runs only non-proprietary (for example, open source) images. There is no need to hide the images. Use public images on Docker Hub.
No configuration is required.
On GCE or GKE, a local mirror is automatically used to improve speed and availability.
2. The cluster runs private images that should be hidden from users outside the company, but are visible to all cluster users.
Use a hosted Docker registry. It may be hosted on Docker Hub, or somewhere else. Manually configure .docker/config.json on each node as described above.
Alternatively, run an internal private registry behind the firewall with read access open. No Kubernetes configuration is required.
Or, on GCE or GKE, use the project's Google Container Registry. This works better with cluster autoscaling than manual node configuration does.
Alternatively, use imagePullSecrets on clusters where it is not convenient to change the node configuration.
3. Clusters with proprietary images, some of which require stricter access controls.
Make sure the AlwaysPullImages admission controller is turned on. Otherwise, all Pods may have access to all images.
Move sensitive data into a "Secret" resource instead of packaging it into an image.
4. Multi-tenant clusters where each tenant needs its own private registry.
Make sure the AlwaysPullImages admission controller is turned on. Otherwise, all Pods may have access to all images.
Run a private registry that requires authorization. Generate registry credentials for each tenant, convert them to a Secret, and populate the Secret into each tenant namespace.
The tenant adds the Secret to the imagePullSecrets of each namespace.