Pulling images from a private registry fails with "pull access denied"

半日闲 · November 16, 2020 · 23 views

After creating the deploy, the pod keeps showing crashbackoff.

`journalctl -xe -u kubelet` shows the following:
Nov 07 23:54:24 a.b kubelet[15073]: E1107 23:54:24.349432   15073 remote_image.go:113] PullImage "registry.cn-hangzhou.aliyuncs.com/wenlong/nginx:latest" from image service failed: rpc error: code = Unknown desc = Error response from daemon: pull access denied for registry.cn-hangzhou.aliyuncs.com/wenlong/nginx, repository does not exist or may require 'docker login'
Nov 07 23:54:24 a.b kubelet[15073]: E1107 23:54:24.349482   15073 kuberuntime_image.go:50] Pull image "registry.cn-hangzhou.aliyuncs.com/wenlong/nginx:latest" failed: rpc error: code = Unknown desc = Error response from daemon: pull access denied for registry.cn-hangzhou.aliyuncs.com/wenlong/nginx, repository does not exist or may require 'docker login'
Nov 07 23:54:24 a.b kubelet[15073]: E1107 23:54:24.349559   15073 kuberuntime_manager.go:801] container start failed: ErrImagePull: rpc error: code = Unknown desc = Error response from daemon: pull access denied for registry.cn-hangzhou.aliyuncs.com/wenlong/nginx, repository does not exist or may require 'docker login'
Nov 07 23:54:24 a.b kubelet[15073]: E1107 23:54:24.349607   15073 pod_workers.go:191] Error syncing pod 969b0d12-9162-4f5d-b94a-a58f78b5433a ("gitea-nginx-cbbd789cc-h7vl8_default(969b0d12-9162-4f5d-b94a-a58f78b5433a)"), skipping: failed to "StartContainer" for "nginx" with ErrImagePull: "rpc error: code = Unknown desc = Error response from daemon: pull access denied for registry.cn-hangzhou.aliyuncs.com/wenlong/nginx, repository does not exist or may require 'docker login'"

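Cause:

Although logging in with `docker login` works, the `k8s` cluster itself has no login credentials.

Solution:

Create a login credential in the k8s cluster and reference it in the pod template.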

  1. Create a secret of type docker-registry named regcred (the name is arbitrary)

     kubectl create secret docker-registry regcred --docker-server=registry.cn-hangzhou.aliyuncs.com --docker-username=lwl1176456136 --docker-password=Admin12345
    
  2. Once created, the secret can be inspected

    Its data field holds the account name and password.

    The following command converts it to readable form:

    kubectl get secret regcred --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode
    

    In the decoded output, the auth field is the password; base64 can convert it to readable form:

    echo "c3R...zE2" | base64 --decode
    
  3. Reference the credential in the pod template

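Step 3 written out as a manifest. This is an added example, not the original post's file: the Deployment name, namespace, container name and image are taken from the kubelet log above, while the labels and replica count are assumptions.

```yaml
# Added example: Deployment whose pod template references the regcred secret.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitea-nginx
  namespace: default          # regcred must exist in this same namespace
spec:
  replicas: 1                 # assumption
  selector:
    matchLabels:
      app: gitea-nginx        # assumed label
  template:
    metadata:
      labels:
        app: gitea-nginx
    spec:
      # Without this block the kubelet has no credentials for the registry
      # and the pull ends in "pull access denied", as in the log above.
      imagePullSecrets:
        - name: regcred
      containers:
        - name: nginx
          # The registry host here must match the --docker-server value
          # given when regcred was created.
          image: registry.cn-hangzhou.aliyuncs.com/wenlong/nginx:latest
```

The secret is only base64-encoded, so anyone allowed to read secrets in the `default` namespace can recover the registry password with the decode commands from step 2; restrict that permission with RBAC.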

For the official documentation, see https://kubernetes.io/zh/docs/tasks/configure-pod-container/pull-image-private-registry/