Preface
In the article "Harbor Getting Started", we already installed and configured Harbor.
In this article we learn how to configure and use imagePullSecrets in K8S so that pods can pull images from Harbor or another private image registry.
Reference documentation:
Create imagePullSecrets
Create a secret of type docker-registry named harbor-secret:

```bash
kubectl create secret docker-registry harbor-secret \
  --docker-server=harbor.voidking.com \
  --docker-username=admin \
  --docker-password=Harbor12345
```
Use imagePullSecrets
Reference the secret from the pod spec:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: testpod
spec:
  containers:
    - name: busybox
      image: harbor.voidking.com/voidking/busybox:1.31
      command:
        - sleep
        - "36000"
  imagePullSecrets:
    - name: harbor-secret
```
Add a default imagePullSecrets for pods
With the configuration above, images can already be pulled from the Harbor registry.
However, having to specify imagePullSecrets in every pod is tedious.
Instead, we can add imagePullSecrets to the namespace's default sa; then we no longer need to specify imagePullSecrets in the pod, because it is injected automatically when the pod is created.

```bash
# The secret name must match the one created above (harbor-secret)
kubectl patch serviceaccount default \
  -p '{"imagePullSecrets": [{"name": "harbor-secret"}]}' \
  -n <your-namespace>
```
Configure imagePullSecrets cluster-wide
If a new namespace is created, the imagePullSecrets secret has to be created again in that namespace, and that namespace's sa also has to have imagePullSecrets added.
imagepullsecret-patcher can be used to simplify this work; reference documentation:
1. Create sa.yaml

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: imagepullsecret-patcher
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: imagepullsecret-patcher
  namespace: imagepullsecret-patcher
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    k8s-app: imagepullsecret-patcher
  name: imagepullsecret-patcher
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
      - serviceaccounts
    verbs:
      - list
      - patch
      - create
      - get
      - delete
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - list
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: imagepullsecret-patcher
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: imagepullsecret-patcher
subjects:
  - kind: ServiceAccount
    name: imagepullsecret-patcher
    namespace: imagepullsecret-patcher
```
2. Get the dockerconfigjson
Read the `.dockerconfigjson` value from the secret created earlier (it is only base64-encoded, not encrypted):

```bash
kubectl get secret harbor-secret -oyaml
```
3. Create deployment.yaml

```yaml
apiVersion: v1
kind: Secret
type: kubernetes.io/dockerconfigjson
metadata:
  name: image-pull-secret-src
  namespace: imagepullsecret-patcher
data:
  .dockerconfigjson: eyJhdXRocyI6eyJnY3IuaW8iOnsicGFzc3dvcmQiOiJ7XCJhdXRoXCI6e1wiZ2NyLmlvXCI6e1widXNlcm5hbWVcIjpcIl9qc29uX2tleVwiLFwicGFzc3dvcmRcIjpcInt9XCJ9fX0iLCJ1c2VybmFtZSI6Il9qc29uX2tleSJ9fX0=
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: imagepullsecret-patcher
  namespace: imagepullsecret-patcher
  labels:
    name: imagepullsecret-patcher
spec:
  replicas: 1
  selector:
    matchLabels:
      name: imagepullsecret-patcher
  template:
    metadata:
      labels:
        name: imagepullsecret-patcher
    spec:
      automountServiceAccountToken: true
      serviceAccountName: imagepullsecret-patcher
      containers:
        - name: imagepullsecret-patcher
          image: "quay.io/titansoft/imagepullsecret-patcher:v0.14"
          env:
            - name: CONFIG_FORCE
              value: "true"
            - name: CONFIG_DEBUG
              value: "false"
            - name: CONFIG_ALLSERVICEACCOUNT
              value: "true"
            - name: CONFIG_DOCKERCONFIGJSONPATH
              value: "/app/secrets/.dockerconfigjson"
            - name: CONFIG_SECRETNAME
              value: "harbor-secret"
          volumeMounts:
            - name: src-dockerconfigjson
              mountPath: "/app/secrets"
              readOnly: true
          resources:
            requests:
              cpu: 0.1
              memory: 15Mi
            limits:
              cpu: 0.2
              memory: 30Mi
      volumes:
        - name: src-dockerconfigjson
          secret:
            secretName: image-pull-secret-src
```

Replace the `.dockerconfigjson` value with the one obtained in step 2 (the value shown above is the upstream sample, which points at gcr.io rather than Harbor), and set the value of the CONFIG_SECRETNAME variable to the desired secret name.
4. Install imagepullsecret-patcher

```bash
kubectl apply -f sa.yaml
kubectl apply -f deployment.yaml
```
5. Check the installation

```bash
kubectl get all -n imagepullsecret-patcher
kubectl get sa -n imagepullsecret-patcher
kubectl get sa default -n imagepullsecret-patcher -oyaml
```

You can see that harbor-secret has been injected into the sa.
Remove imagePullSecrets
Sometimes we need to replace imagePullSecrets, for example when the name of the imagePullSecrets changes. Then the original imagePullSecrets entry has to be removed.
Removing imagePullSecrets from a single sa:

```bash
# Find the position of harbor-secret in the sa's imagePullSecrets list, then remove that entry
INDEX=$(kubectl get sa default -n imagepullsecret-patcher -o json | jq '.imagePullSecrets | map(.name == "harbor-secret") | index(true)')
kubectl patch sa default --type=json -p="[{'op': 'remove', 'path': '/imagePullSecrets/$INDEX'}]" -n imagepullsecret-patcher
```

Removing imagePullSecrets from sa's in bulk:

```bash
#!/bin/bash
kubectl get ns | awk '{print $1}' | grep -v "NAME" > namespace.txt

for namespace in `cat namespace.txt`; do
  INDEX=$(kubectl get sa default -n $namespace -o json | jq '.imagePullSecrets | map(.name == "harbor-secret") | index(true)')
  # Skip namespaces whose default sa does not carry the secret (jq returns null)
  if [ "$INDEX" = "null" ]; then continue; fi
  kubectl patch sa default --type=json -p="[{'op': 'remove', 'path': '/imagePullSecrets/$INDEX'}]" -n $namespace
done
```
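As an added example (not from the original post or the imagepullsecret-patcher project), the following Python helper builds and decodes the `.dockerconfigjson` value handled in steps 2 and 3, and reproduces the imagePullSecrets index lookup from the removal section so that `kubectl get sa -A -o json` output can be audited offline for service accounts that are missing harbor-secret. The sample service-account list is constructed; the registry and credentials are the ones shown in this post.

```python
import base64
import json

# Registry and secret name used throughout this post.
REGISTRY = "harbor.voidking.com"
SECRET_NAME = "harbor-secret"


def build_dockerconfigjson(server, username, password):
    """Return the base64 .dockerconfigjson value that 'kubectl create secret
    docker-registry' stores: auths.<server>.auth is base64("user:password"),
    and the whole JSON document is base64-encoded again."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    cfg = {"auths": {server: {"username": username,
                              "password": password, "auth": auth}}}
    return base64.b64encode(json.dumps(cfg).encode()).decode()


def decode_auth(dockerconfigjson_b64, server):
    """Recover (username, password) for one registry from a .dockerconfigjson
    value (e.g. from 'kubectl get secret -o yaml'); it is base64, not encryption."""
    cfg = json.loads(base64.b64decode(dockerconfigjson_b64))
    creds = base64.b64decode(cfg["auths"][server]["auth"]).decode()
    user, _, password = creds.partition(":")
    return user, password


def registries_in(dockerconfigjson_b64):
    """List the registries a .dockerconfigjson value carries, so the secret
    handed to imagepullsecret-patcher can be checked for unexpected entries
    (the upstream sample blob in deployment.yaml, for instance, names gcr.io)."""
    cfg = json.loads(base64.b64decode(dockerconfigjson_b64))
    return sorted(cfg.get("auths", {}))


def image_pull_secret_index(sa, name):
    """Index of the named entry in a ServiceAccount's imagePullSecrets, or None;
    same result as the jq 'map(.name == ...) | index(true)' expression above."""
    for i, ref in enumerate(sa.get("imagePullSecrets") or []):
        if ref.get("name") == name:
            return i
    return None


def service_accounts_missing(sa_list, name):
    """Given 'kubectl get sa -A -o json' output, return 'namespace/sa' for every
    service account that does not reference the secret (patcher coverage check)."""
    return [f"{sa['metadata']['namespace']}/{sa['metadata']['name']}"
            for sa in sa_list["items"]
            if image_pull_secret_index(sa, name) is None]
```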