40. Storage: Secret (2)
Published: 2023-01-01 13:06:43 Editor: 雪饮
Step1
Start the Harbor server we set up earlier,
then start the Harbor services.
[root@hub ~]# systemctl start docker
[root@hub ~]# cd /usr/local/harbor
[root@hub harbor]# docker-compose start
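Next, log in to the Harbor web UI.
There was a small pitfall here: I was downloading something with Quark Netdisk at the time, disk utilization was too high, and the page would not load.
nginx returned a 502 error...
Once I reduced the number of parallel downloads to 1, it worked.
The login account is the same as before: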
admin/Harbor12345
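Then, under the three-dot menu of our project, set the access level to private.
The project now has the private access level.
Until now we only had a single v1 tag here.
That v1 is the one we pushed earlier.
Now, on the master node, pull the v2 tag of myapp from another repository (the name probably does not have to be the same, and it does not matter whether it is called v2; the local tag is renamed to v2 before the push), then push it to our project as the v2 tag as well.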
[root@k8s-master01 ~]# docker pull wangyanglinux/myapp:v2
v2: Pulling from wangyanglinux/myapp
550fe1bea624: Pull complete
af3988949040: Pull complete
d6642feac728: Pull complete
c20f0a205eaa: Pull complete
fe78b5db7c4e: Pull complete
Digest: sha256:85a2b81a62f09a414ea33b74fb8aa686ed9b168294b26b4c819df0be0712d358
Status: Downloaded newer image for wangyanglinux/myapp:v2
docker.io/wangyanglinux/myapp:v2
[root@k8s-master01 ~]# docker tag wangyanglinux/myapp:v2 hub.atguigu.com/library/myapp:v2
[root@k8s-master01 ~]# docker push hub.atguigu.com/library/myapp:v2
The push refers to repository [hub.atguigu.com/library/myapp]
05a9e65e2d53: Preparing
68695a6cfd7d: Preparing
c1dc81a64903: Preparing
8460a579ab63: Preparing
d39d92664027: Preparing
denied: requested access to the resource is denied
So permission is required, presumably because of the private access level.
[root@k8s-master01 ~]# docker login hub.atguigu.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@k8s-master01 ~]# docker push hub.atguigu.com/library/myapp:v2
The push refers to repository [hub.atguigu.com/library/myapp]
05a9e65e2d53: Pushed
68695a6cfd7d: Layer already exists
c1dc81a64903: Layer already exists
8460a579ab63: Layer already exists
d39d92664027: Layer already exists
v2: digest: sha256:5f4afc8302ade316fc47c99ee1d41f8ba94dbe7e3e7747dd87215a15429b9102 size: 1362
Sure enough, the push now succeeds.
Then I switched to node01, and surprisingly the pull succeeded?
[root@k8s-node01 ~]# docker pull hub.atguigu.com/library/myapp:v2
v2: Pulling from library/myapp
I had just checked that node01 did not have this image, so this should not be due to a local cache of the image on node01.
So I deleted the image I had just pulled.
[root@k8s-node01 ~]# docker rmi hub.atguigu.com/library/myapp:v2
Untagged: hub.atguigu.com/library/myapp:v2
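The real reason is probably that this node had logged in to this Harbor before, or perhaps node 1 happened to be logged in at the same time when the master logged in just now...
Whatever the reason, log out first and try again.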
[root@k8s-node01 ~]# docker logout hub.atguigu.com
Removing login credentials for hub.atguigu.com
[root@k8s-node01 ~]# docker pull hub.atguigu.com/library/myapp:v2
Error response from daemon: pull access denied for hub.atguigu.com/library/myapp, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
So that does seem to be the case.
You will then find that at this point you cannot pull even after logging in again.
[root@k8s-node01 ~]# docker login hub.atgui.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@k8s-node01 ~]# docker pull hub.atguigu.com/library/myapp:v2
Error response from daemon: pull access denied for hub.atguigu.com/library/myapp, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
This problem is actually easy to solve: just restart the docker service with systemctl restart docker...
[root@k8s-node01 ~]# systemctl restart docker
[root@k8s-node01 ~]# docker pull hub.atguigu.com/library/myapp:v2
Error response from daemon: pull access denied for hub.atguigu.com/library/myapp, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
[root@k8s-node01 ~]# docker login hub.atguigu.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@k8s-node01 ~]# docker pull hub.atguigu.com/library/myapp:v2
v2: Pulling from library/myapp
Digest: sha256:5f4afc8302ade316fc47c99ee1d41f8ba94dbe7e3e7747dd87215a15429b9102
Status: Downloaded newer image for hub.atguigu.com/library/myapp:v2
hub.atguigu.com/library/myapp:v2
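Docker stores registry logins in config.json keyed by registry host, and the session above contains a login to hub.atgui.com while the pulls go to hub.atguigu.com. The following Python check is an added example, not part of the original post: it reports which hosts hold inline (base64, unencrypted) credentials and whether the registry of a given image has an entry. SAMPLE_CONFIG is a constructed file, and audit and registry_host are hypothetical helper names.

```python
import base64
import json

DOCKER_HUB_KEY = "https://index.docker.io/v1/"  # key Docker uses for Docker Hub logins

# Constructed sample of /root/.docker/config.json holding only the
# hub.atgui.com login from the session above (password as used on this page).
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "hub.atgui.com": {"auth": base64.b64encode(b"admin:Harbor12345").decode()}
    }
})


def registry_host(image_ref):
    """Return the registry host Docker contacts for an image reference."""
    first, sep, _ = image_ref.partition("/")
    # The first path component is a registry only if it looks like a host:
    # it contains '.' or ':' or is exactly 'localhost'.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def audit(config_text, image_ref):
    """Report inline credentials and whether image_ref's registry is covered."""
    cfg = json.loads(config_text)
    auths = cfg.get("auths", {})
    inline = {}
    for host, entry in auths.items():
        if entry.get("auth"):
            # "auth" is base64("user:password"): encoding, not encryption.
            user, _, _pw = base64.b64decode(entry["auth"]).decode().partition(":")
            inline[host] = user  # report the user name only
    host = registry_host(image_ref)
    key = DOCKER_HUB_KEY if host == "docker.io" else host
    return {
        "registry": host,
        "has_credentials": key in auths,
        "inline_credentials": inline,
        "uses_helper": bool(cfg.get("credsStore") or cfg.get("credHelpers")),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, "hub.atguigu.com/library/myapp:v2"))
```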
Step2
Next, on both the master node and node01, remove the private myapp:v2 image from just now:
docker rmi hub.atguigu.com/library/myapp:v2
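This may not be needed on the master, I am not sure, but it is better to be careful here.
Make sure that, apart from Harbor itself, no machine has a local copy of the myapp:v2 image from hub.atguigu.com.
Then clean up the deployments we deployed earlier... (I recommend cleaning up pods as well; the command below only removes pods created by deployments, so custom pods you created yourself may not all be removed.)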
[root@k8s-master01 reg]# kubectl delete deployment --all
deployment.extensions "my-nginx" deleted
deployment.extensions "pod-deployment" deleted
Then create a simple pod that references our private hub.atguigu.com/test/myapp:v2 image.
[root@k8s-master01 reg]# cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  containers:
  - name: foo
    image: hub.atguigu.com/test/myapp:v2
[root@k8s-master01 reg]# kubectl create -f pod.yaml
pod/foo created
The image pull fails:
[root@k8s-master01 reg]# kubectl get pod
NAME READY STATUS RESTARTS AGE
foo 0/1 ImagePullBackOff 0 69s
Look at the error details:
[root@k8s-master01 reg]# kubectl describe pod foo
Name: foo
Namespace: default
Priority: 0
Node: k8s-node02/192.168.66.21
Start Time: Sun, 01 Jan 2023 12:29:10 +0800
Labels: <none>
Annotations: <none>
Status: Pending
IP: 10.224.2.162
Containers:
foo:
Container ID:
Image: hub.atguigu.com/test/myapp:v2
Image ID:
Port: <none>
Host Port: <none>
State: Waiting
Reason: ImagePullBackOff
Ready: False
Restart Count: 0
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from default-token-d8kh2 (ro)
Conditions:
Type Status
Initialized True
Ready False
ContainersReady False
PodScheduled True
Volumes:
default-token-d8kh2:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-d8kh2
Optional: false
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 2m23s default-scheduler Successfully assigned default/foo to k8s-node02
Normal BackOff 64s (x6 over 2m22s) kubelet, k8s-node02 Back-off pulling image "hub.atguigu.com/test/myapp:v2"
Normal Pulling 51s (x4 over 2m23s) kubelet, k8s-node02 Pulling image "hub.atguigu.com/test/myapp:v2"
Warning Failed 51s (x4 over 2m22s) kubelet, k8s-node02 Failed to pull image "hub.atguigu.com/test/myapp:v2": rpc error: code = Unknown desc = Error response from daemon: pull access denied for hub.atguigu.com/test/myapp, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
Warning Failed 51s (x4 over 2m22s) kubelet, k8s-node02 Error: ErrImagePull
Warning Failed 40s (x7 over 2m22s) kubelet, k8s-node02 Error: ImagePullBackOff
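It is because the project is private, so k8s can no longer pull it directly.
No, wait: the image address of the simple pod above should be changed to this...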
[root@k8s-master01 reg]# cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  containers:
  - name: foo
    image: hub.atguigu.com/library/myapp:v2
And the reason for the pull failure should then be this:
[root@k8s-master01 reg]# kubectl describe pod foo
Name: foo
Namespace: default
Priority: 0
Node: k8s-node02/192.168.66.21
Start Time: Sun, 01 Jan 2023 12:56:26 +0800
Labels: <none>
Annotations: <none>
Status: Pending
IP: 10.224.2.172
Containers:
foo:
Container ID:
Image: hub.atguigu.com/library/myapp:v2
Image ID:
Port: <none>
Host Port: <none>
State: Waiting
Reason: ErrImagePull
Ready: False
Restart Count: 0
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from default-token-d8kh2 (ro)
Conditions:
Type Status
Initialized True
Ready False
ContainersReady False
PodScheduled True
Volumes:
default-token-d8kh2:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-d8kh2
Optional: false
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 63s default-scheduler Successfully assigned default/foo to k8s-node02
Normal Pulling 19s (x3 over 63s) kubelet, k8s-node02 Pulling image "hub.atguigu.com/library/myapp:v2"
Warning Failed 19s (x3 over 63s) kubelet, k8s-node02 Failed to pull image "hub.atguigu.com/library/myapp:v2": rpc error: code = Unknown desc = Error response from daemon: pull access denied for hub.atguigu.com/library/myapp, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
Warning Failed 19s (x3 over 63s) kubelet, k8s-node02 Error: ErrImagePull
Normal BackOff 8s (x3 over 62s) kubelet, k8s-node02 Back-off pulling image "hub.atguigu.com/library/myapp:v2"
Warning Failed 8s (x3 over 62s) kubelet, k8s-node02 Error: ImagePullBackOff
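In between, while troubleshooting, I also restarted the docker service on node02 (this should be harmless, since node 1 just now had the situation where it could not pull even after logging in).
I also restarted the docker service on the master node, of course (this should not be needed on the master, since the taint policy means images are generally not pulled directly on the master).
After restarting docker on the master, k8s went down, so kubelet has to be restarted as well: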
systemctl restart kubelet
Coming back to the current error, the cause is still the private access level.
So next we create a secret from the Harbor login account and password.
[root@k8s-master01 reg]# kubectl create secret docker-registry myregistrykey --docker-server=hub.atguigu.com --docker-username=admin --docker-password=Harbor12345 --docker-email=kasumi@gmail.com
secret/myregistrykey created
The email here can actually be made up; at least so far I have not seen it make any difference.
Then delete the pod created earlier.
[root@k8s-master01 reg]# kubectl delete pod --all
pod "foo" deleted
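Then reference the newly created secret in the pod's image pull configuration (imagePullSecrets), so that it is used as the registry account for the pull.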
[root@k8s-master01 reg]# cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  containers:
  - name: foo
    image: hub.atguigu.com/library/myapp:v2
  imagePullSecrets:
  - name: myregistrykey
Creating the pod again now works without problems.
[root@k8s-master01 reg]# kubectl create -f pod.yaml
pod/foo created
[root@k8s-master01 reg]# kubectl get pod
NAME READY STATUS RESTARTS AGE
foo 1/1 Running 0 5s
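A docker-registry secret is stored as a kubernetes.io/dockerconfigjson Secret whose single data key is base64-encoded JSON, so anyone who can read the Secret can recover the Harbor password. The Python below is an added example, not part of the original post: it builds an object with that layout, decodes it again, and checks that a pod spec references a secret covering its image's registry. The function names are hypothetical and the values mirror the kubectl command and pod.yaml above.

```python
import base64
import json


def build_pull_secret(name, server, username, password, email=""):
    """Secret object with the kubernetes.io/dockerconfigjson layout."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    cfg = {"auths": {server: {"username": username, "password": password,
                              "email": email, "auth": auth}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        # data values are base64-encoded, not encrypted
        "data": {".dockerconfigjson":
                 base64.b64encode(json.dumps(cfg).encode()).decode()},
    }


def recover_credentials(secret):
    """Decode a pull secret back to {server: (username, password)}."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a dockerconfigjson secret")
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    creds = {}
    for server, entry in cfg.get("auths", {}).items():
        user, _, pw = base64.b64decode(entry["auth"]).decode().partition(":")
        creds[server] = (user, pw)
    return creds


def pull_secret_applies(pod_spec, secret):
    """True if the pod names this secret and it covers every image's registry."""
    referenced = {s["name"] for s in pod_spec.get("imagePullSecrets", [])}
    servers = recover_credentials(secret)
    return (secret["metadata"]["name"] in referenced and
            all(c["image"].split("/")[0] in servers for c in pod_spec["containers"]))


if __name__ == "__main__":
    # Constructed values mirroring the kubectl command and pod.yaml on this page.
    key = build_pull_secret("myregistrykey", "hub.atguigu.com", "admin", "Harbor12345")
    spec = {"containers": [{"name": "foo", "image": "hub.atguigu.com/library/myapp:v2"}]}
    print(pull_secret_applies(spec, key))
    spec["imagePullSecrets"] = [{"name": "myregistrykey"}]
    print(pull_secret_applies(spec, key), recover_credentials(key))
```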