How does Kubernetes use Harbor to pull private images
2022-04-23 08:55:00 【MyySophia】
7. Using Harbor with Kubernetes
7.1 How k8s pulls images
Always: When the container fails, the kubelet restarts it automatically. This is the default value of RestartPolicy.
OnFailure: When the container stops running and the exit code is not 0, the kubelet restarts it.
Never: The kubelet never restarts the container, whatever the circumstances.
Note that "restart" here means a local restart on the Node where the Pod runs; the Pod is not rescheduled to another Node.
7.2 Pulling images from a private image registry
7.2.1 Add certificate validation on the k8s nodes
Distribute the following three files from the Harbor server to the /etc/docker/certs.d/10.50.10.185/ directory on every node of the Kubernetes cluster:
- Server certificate (10.50.10.185.cert)
- Key (10.50.10.185.key)
- CA file (ca.crt)
Docker treats .crt files in this directory as CA certificates and a .cert/.key pair as a client certificate; keep the key file readable only by root.
7.2.2 Pull the image
Run on a node:
docker pull 10.50.10.185/harbortest/nginx:latest
If the pull succeeds, the certificates on the node are valid.
7.2.3 Create a docker-registry secret
Using a private registry:
# user@example.com is a placeholder; the address on the original page was obfuscated
kubectl create secret docker-registry regsecret --docker-server=https://10.50.10.185 --docker-username=admin --docker-password=Harb2323 --docker-email=user@example.com
Using Azure Container Registry (ACR), from https://kubernetes.feisky.xyz/concepts/objects/pod:
ACR_NAME=dregistry
SERVICE_PRINCIPAL_NAME=acr-service-principal
# Populate the ACR login server and resource id.
ACR_LOGIN_SERVER=$(az acr show --name "$ACR_NAME" --query loginServer --output tsv)
ACR_REGISTRY_ID=$(az acr show --name "$ACR_NAME" --query id --output tsv)
# Create a Reader role assignment scoped to the ACR resource.
SP_PASSWD=$(az ad sp create-for-rbac --name "$SERVICE_PRINCIPAL_NAME" --role Reader --scopes "$ACR_REGISTRY_ID" --query password --output tsv)
# Get the service principal client id.
CLIENT_ID=$(az ad sp show --id "http://$SERVICE_PRINCIPAL_NAME" --query appId --output tsv)
# Create the secret (user@example.com is a placeholder; the address on the original page was obfuscated)
kubectl create secret docker-registry acr-auth --docker-server "$ACR_LOGIN_SERVER" --docker-username "$CLIENT_ID" --docker-password "$SP_PASSWD" --docker-email user@example.com
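As an added example (not from the original article), this Python script rebuilds the payload that kubectl create secret docker-registry stores under .dockerconfigjson and decodes it again, showing that the registry password is only base64-encoded and whether the secret covers a given image. The function names, the placeholder e-mail and docker.io as the default registry are assumptions; host matching is simplified compared with the kubelet.

```python
import base64
import json
from urllib.parse import urlparse

def build_dockerconfigjson(server, username, password, email):
    """Build the value kubectl stores in .data[".dockerconfigjson"]."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {server: {"username": username, "password": password,
                                 "email": email, "auth": auth}}}
    return base64.b64encode(json.dumps(config).encode()).decode()

def auth_host(server):
    """Reduce an auths key such as 'https://host/path' to the bare host."""
    if "://" not in server:
        server = "https://" + server
    return urlparse(server).netloc

def image_registry(image):
    """Registry host of an image reference; docker.io (assumed default) if none."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def audit_pull_secret(data_b64, image):
    """Decode a pull secret and report what it exposes for one image."""
    config = json.loads(base64.b64decode(data_b64))
    findings = []
    for server, entry in config["auths"].items():
        # The "auth" field is just base64("user:password"), not encryption.
        user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        findings.append({
            "registry": auth_host(server),
            "username": user,
            "password_recovered": password,
            "covers_image": auth_host(server) == image_registry(image),
            "admin_account": user == "admin",
        })
    return findings

# Constructed sample: the values from the kubectl command on this page,
# with a placeholder e-mail address.
SAMPLE = build_dockerconfigjson("https://10.50.10.185", "admin",
                                "Harb2323", "user@example.com")

if __name__ == "__main__":
    for image in ("10.50.10.185/harbortest/nginx:latest", "nginx:latest"):
        print(image, audit_pull_secret(SAMPLE, image))
```

Anyone who can read secrets in the namespace can recover the registry password this way, so access to regsecret deserves the same care as the Harbor admin login it contains.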
7.2.4 Two ways to reference the docker-registry secret
Reference it directly in the pod:
apiVersion: v1
kind: Pod
metadata:
  name: harbor-test
spec:
  containers:
  - name: harbor-test
    image: 10.50.10.185/harbortest/nginx:latest
  imagePullSecrets:
  - name: regsecret
Add the secret to a service account and reference it through the service account:
Clearly, adding the secret to the SA provides another layer of abstraction: imagePullSecrets no longer has to be written into every pod or every container of every deployment. It also hides the details from the user. Users don't need to care.
kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "regsecret"}]}'
/opt/k8s]# kubectl get sa -oyaml
apiVersion: v1
items:
- apiVersion: v1
  imagePullSecrets:
  - name: regsecret
  kind: ServiceAccount
  metadata:
    creationTimestamp: "2022-03-18T12:31:44Z"
    name: default
    namespace: default
    resourceVersion: "4202955"
    uid: a9b88295-630e-4121-94e1-ab53a17f4f49
  secrets:
  - name: default-token-qvnrc
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
In practice
Deploy nginx with a Deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: harbor-test
  labels:
    app: nginx
spec:
  replicas: 10
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        #image: nginx:latest
        image: 10.50.10.185/harbortest/nginx:latest
        ports:
        - containerPort: 80
The image field must contain the full Harbor path; otherwise the image is pulled from the default registry.
Copyright notice
This article was written by [MyySophia]. Please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/04/202204230811520496.html