0%

K8S配置使用imagePullSecrets

前言

《Harbor入门篇》一文中,我们已经安装配置好了Harbor。
本文中,我们来学习一下怎样在K8S中配置使用imagePullSecrets,从Harbor或者其他私有镜像仓库拉取镜像。

参考文档:

创建imagePullSecrets

创建一个docker-registry类型的secret,名字为harbor-secret

1
2
3
4
kubectl create secret docker-registry harbor-secret \
--docker-server=harbor.voidking.com \
--docker-username=admin \
--docker-password=Harbor12345

使用imagePullSecrets

1
2
3
4
5
6
7
8
9
10
11
12
13
apiVersion: v1
kind: Pod
metadata:
name: testpod
spec:
containers:
- name: busybox
image: harbor.voidking.com/voidking/busybox:1.31
command:
- sleep
- "36000"
imagePullSecrets:
- name: harbor-secret

给pod添加默认imagePullSecrets

上面的配置,已经可以正常从harbor镜像仓库拉取镜像了。
但是,每个pod都需要指定一下imagePullSecrets,也是比较麻烦。
这里我们可以在命名空间默认sa中添加imagePullSecrets,这样我们就不用在pod中指定imagePullSecrets了,创建pod时会自动注入。

1
2
3
kubectl patch serviceaccount default \
-p "{\"imagePullSecrets\": [{\"name\": \"docker-secret\"}]}" \
-n <your-namespace>

全局配置imagePullSecrets

如果新增了namespace,那么这个namespace就需要单独添加一次imagePullSecrets,而且这个namespace的sa也需要添加imagePullSecrets。

这里可以使用imagepullsecret-patcher来简化我们的工作,参考文档:

1、创建sa imagepullsecret-patcher并授权

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
apiVersion: v1
kind: Namespace
metadata:
name: imagepullsecret-patcher
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: imagepullsecret-patcher
namespace: imagepullsecret-patcher
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: imagepullsecret-patcher
name: imagepullsecret-patcher
rules:
- apiGroups:
- ""
resources:
- secrets
- serviceaccounts
verbs:
- list
- patch
- create
- get
- delete
- apiGroups:
- ""
resources:
- namespaces
verbs:
- list
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: imagepullsecret-patcher
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: imagepullsecret-patcher
subjects:
- kind: ServiceAccount
name: imagepullsecret-patcher
namespace: imagepullsecret-patcher

2、获取dockerconfigjson

1
kubectl get secret harbor-secret -oyaml

3、编辑imagepullsecret-patcher的deployment

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
apiVersion: v1
kind: Secret
type: kubernetes.io/dockerconfigjson
metadata:
name: image-pull-secret-src
namespace: imagepullsecret-patcher
data:
.dockerconfigjson: eyJhdXRocyI6eyJnY3IuaW8iOnsicGFzc3dvcmQiOiJ7XCJhdXRoXCI6e1wiZ2NyLmlvXCI6e1widXNlcm5hbWVcIjpcIl9qc29uX2tleVwiLFwicGFzc3dvcmRcIjpcInt9XCJ9fX0iLCJ1c2VybmFtZSI6Il9qc29uX2tleSJ9fX0=
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: imagepullsecret-patcher
namespace: imagepullsecret-patcher
labels:
name: imagepullsecret-patcher
spec:
replicas: 1
selector:
matchLabels:
name: imagepullsecret-patcher
template:
metadata:
labels:
name: imagepullsecret-patcher
spec:
automountServiceAccountToken: true
serviceAccountName: imagepullsecret-patcher
containers:
- name: imagepullsecret-patcher
image: "quay.io/titansoft/imagepullsecret-patcher:v0.14"
env:
- name: CONFIG_FORCE
value: "true"
- name: CONFIG_DEBUG
value: "false"
- name: CONFIG_ALLSERVICEACCOUNT
value: "true"
- name: CONFIG_DOCKERCONFIGJSONPATH
value: "/app/secrets/.dockerconfigjson"
- name: CONFIG_SECRETNAME
value: "harbor-secret"
volumeMounts:
- name: src-dockerconfigjson
mountPath: "/app/secrets"
readOnly: true
resources:
requests:
cpu: 0.1
memory: 15Mi
limits:
cpu: 0.2
memory: 30Mi
volumes:
- name: src-dockerconfigjson
secret:
secretName: image-pull-secret-src

其中dockerconfigjson改成步骤2中获取到的配置,CONFIG_SECRETNAME变量的value改成期望的secret名称。

4、查看安装

1
2
3
kubectl get all -n imagepullsecret-patcher
kubectl get sa -n imagepullsecret-patcher
kubectl get sa default -n imagepullsecret-patcher -oyaml

可以发现,harbor-secret 已经注入到了sa中。

  • 本文作者: 好好学习的郝
  • 本文链接: https://www.voidking.com/dev-k8s-imagepullsecrets/
  • 版权声明: 本博客所有文章除特别声明外,均采用 BY-NC-SA 许可协议。转载请注明出处!源站会及时更新知识点及修正错误,阅读体验也更好。欢迎分享,欢迎收藏~