文章描述了在CentOS和Ubuntu环境下,Kubernetes集群内部拉取私有仓库镜像时遇到的证书错误。问题在于Kubernetes无法自动识别私有仓库的证书。解决方案包括将证书导入系统信任存储,并重启containerd服务。在CentOS中,需要更新CA信任并重启containerd,而在Ubuntu中,需将证书复制到`/usr/local/share/ca-certificates`,更新CA证书,然后重启containerd。
环境说明:
我registry搭建的环境在centos7上,在出现报错之前,已经在将registry的证书放在了/etc/containerd/certs.d/registry.xxxxxxxxx.cn/registry.xxxxxxxxx.cn.crt目录下,结果在kubernetes集群内部 pull 镜像时,还是出现了下面的报错:
Failed to pull image "registry.xxxxxxxxx.cn/xxxxxxxxx-server:0.0.11": rpc error: code = Unknown desc = failed to pull and unpack image "registry.xxxxxxxxx.cn/xxxxxxxxx-server:0.0.11": failed to resolve reference "registry.xxxxxxxxx.cn/xxxxxxxxx-server:0.0.11": failed to do request: Head "https://registry.xxxxxxxxx.cn/v2/xxxxxxxxx-server/manifests/0.0.11": x509: certificate signed by unknown authority
- 在 kubernetes 集群外部用 nerdctl pull 镜像时没问题的,能读取
/etc/containerd/certs.d/domin/domain.crt证书,并认证成功
这里猜测是kubernetes不会去自动读取镜像私有仓库的证书
解决步骤
cp /etc/containerd/certs.d/registry.xxxxxxxxx.cn/registry.xxxxxxxxx.cn.crt /etc/pki/ca-trust/
最低0.47元/天 解锁文章
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
