K8S配置使用imagePullSecrets

前言

《Harbor入门篇》一文中，我们已经安装配置好了Harbor。
本文中，我们来学习一下怎样在K8S中配置使用imagePullSecrets，从Harbor或者其他私有镜像仓库拉取镜像。

参考文档：

• 从私有仓库拉取镜像

创建imagePullSecrets

创建一个docker-registry类型的secret，名字为harbor-secret

kubectl create secret docker-registry harbor-secret \
  --docker-server=harbor.voidking.com \
  --docker-username=admin \
  --docker-password=Harbor12345

使用imagePullSecrets

apiVersion: v1
kind: Pod
metadata:
  name: testpod
spec:
  containers:
  - name: busybox
    image: harbor.voidking.com/voidking/busybox:1.31
    command: 
    - sleep
    - "36000"
  imagePullSecrets:
  - name: harbor-secret

给pod添加默认imagePullSecrets

上面的配置，已经可以正常从harbor镜像仓库拉取镜像了。
但是，每个pod都需要指定一下imagePullSecrets，也是比较麻烦。
这里我们可以在命名空间默认sa中添加imagePullSecrets，这样我们就不用在pod中指定imagePullSecrets了，创建pod时会自动注入。

kubectl patch serviceaccount default \
  -p "{\"imagePullSecrets\": [{\"name\": \"docker-secret\"}]}" \
  -n <your-namespace>

全局配置imagePullSecrets

如果新增了namespace，那么这个namespace就需要单独添加一次imagePullSecrets，而且这个namespace的sa也需要添加imagePullSecrets。

这里可以使用imagepullsecret-patcher来简化我们的工作，参考文档：

• How to use imagePullSecrets cluster-wide??
• Kubernetes cluster-wide access to private container registry with imagepullsecret-patcher
• imagepullsecret-patcher
• imagepullsecret-patcher deploy-example

1、创建 sa.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: imagepullsecret-patcher
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: imagepullsecret-patcher
  namespace: imagepullsecret-patcher
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    k8s-app: imagepullsecret-patcher
  name: imagepullsecret-patcher
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  - serviceaccounts
  verbs:
  - list
  - patch
  - create
  - get
  - delete
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - list
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: imagepullsecret-patcher
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: imagepullsecret-patcher
subjects:
  - kind: ServiceAccount
    name: imagepullsecret-patcher
    namespace: imagepullsecret-patcher

2、获取 dockerconfigjson

kubectl get secret harbor-secret -oyaml

3、创建 deployment.yaml

apiVersion: v1
kind: Secret
type: kubernetes.io/dockerconfigjson
metadata:
  name: image-pull-secret-src
  namespace: imagepullsecret-patcher
data:
  .dockerconfigjson: eyJhdXRocyI6eyJnY3IuaW8iOnsicGFzc3dvcmQiOiJ7XCJhdXRoXCI6e1wiZ2NyLmlvXCI6e1widXNlcm5hbWVcIjpcIl9qc29uX2tleVwiLFwicGFzc3dvcmRcIjpcInt9XCJ9fX0iLCJ1c2VybmFtZSI6Il9qc29uX2tleSJ9fX0=
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: imagepullsecret-patcher
  namespace: imagepullsecret-patcher
  labels:
    name: imagepullsecret-patcher
spec:
  replicas: 1
  selector:
    matchLabels:
      name: imagepullsecret-patcher
  template:
    metadata:
      labels:
        name: imagepullsecret-patcher
    spec:
      automountServiceAccountToken: true
      serviceAccountName: imagepullsecret-patcher
      containers:
        - name: imagepullsecret-patcher
          image: "quay.io/titansoft/imagepullsecret-patcher:v0.14"
          env:
            - name: CONFIG_FORCE
              value: "true"
            - name: CONFIG_DEBUG
              value: "false"
            - name: CONFIG_ALLSERVICEACCOUNT
              value: "true"
            - name: CONFIG_DOCKERCONFIGJSONPATH
              value: "/app/secrets/.dockerconfigjson"
            - name: CONFIG_SECRETNAME
              value: "harbor-secret"
          volumeMounts:
            - name: src-dockerconfigjson
              mountPath: "/app/secrets"
              readOnly: true
          resources:
            requests:
              cpu: 0.1
              memory: 15Mi
            limits:
              cpu: 0.2
              memory: 30Mi
      volumes:
        - name: src-dockerconfigjson
          secret: 
            secretName: image-pull-secret-src

其中dockerconfigjson改成步骤2中获取到的配置，CONFIG_SECRETNAME变量的value改成期望的secret名称。

4、安装imagepullsecret-patcher

kubectl apply -f sa.yaml
kubectl apply -f deployment.yaml

5、查看安装

kubectl get all -n imagepullsecret-patcher
kubectl get sa -n imagepullsecret-patcher
kubectl get sa default -n imagepullsecret-patcher -oyaml

可以发现，harbor-secret 已经注入到了sa中。

删除imagePullSecrets

有时候，我们需要替换imagePullSecrets，比如imagePullSecrets名称发生了变更。这时就需要删除原本的imagePullSecrets。

单个sa删除imagePullSecrets方法：

INDEX=$(kubectl get sa default -n imagepullsecret-patcher -o json | jq '.imagePullSecrets | map(.name == "harbor-secret") | index(true)')
kubectl patch sa default --type=json -p="[{'op': 'remove', 'path': '/imagePullSecrets/$INDEX'}]" -n imagepullsecret-patcher

批量sa删除imagePullSecrets方法：

#!/bin/bash
kubectl get ns | awk '{print $1}' | grep -v "NAME" > namespace.txt

for namespace in `cat namespace.txt`;do
  INDEX=$(kubectl get sa default -n $namespace -o json | jq '.imagePullSecrets | map(.name == "harbor-secret") | index(true)')
  kubectl patch sa default --type=json -p="[{'op': 'remove', 'path': '/imagePullSecrets/$INDEX'}]" -n $namespace
done