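I'm stepping through Kubernetes in Action to get more than just familiarity with Kubernetes.
I already had a Docker Hub account that I've been using for Docker-specific experiments.
As described in chapter 2 of the book, I built the toy "kubia" image, and I was able to push it to Docker Hub. I verified this again by logging into Docker Hub and seeing the image.
I'm doing this on Centos7.
I then ran the following command to create the replication controller and pod running my image: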
kubectl run kubia --image=davidmichaelkarr/kubia --port=8080 --generator=run/v1
I waited a while for the status to change, but it never finished downloading the image, and when I described the pod, I saw something like this:
Normal Scheduled 24m default-scheduler Successfully assigned kubia-25th5 to minikube
Normal SuccessfulMountVolume 24m kubelet, minikube MountVolume.SetUp succeeded for volume "default-token-x5nl4"
Normal Pulling 22m (x4 over 24m) kubelet, minikube pulling image "davidmichaelkarr/kubia"
Warning Failed 22m (x4 over 24m) kubelet, minikube Failed to pull image "davidmichaelkarr/kubia": rpc error: code = Unknown desc = Error response from daemon: Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
I then constructed the following command:
curl -v -u 'davidmichaelkarr:**' 'https://registry-1.docker.io/v2/'
with the same password that I use for Docker Hub (they should be the same, right?).
This gives me the following:
* About to connect() to proxy *** port 8080 (#0)
* Trying **.**.**.**...
* Connected to *** (**.**.**.**) port 8080 (#0)
* Establish HTTP proxy tunnel to registry-1.docker.io:443
* Server auth using Basic with user 'davidmichaelkarr'
> CONNECT registry-1.docker.io:443 HTTP/1.1
> Host: registry-1.docker.io:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=*.docker.io
* start date: Aug 02 00:00:00 2017 GMT
* expire date: Sep 02 12:00:00 2018 GMT
* common name: *.docker.io
* issuer: CN=Amazon,OU=Server CA 1B,O=Amazon,C=US
* Server auth using Basic with user 'davidmichaelkarr'
> GET /v2/ HTTP/1.1
> Authorization: Basic ***
> User-Agent: curl/7.29.0
> Host: registry-1.docker.io
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Content-Type: application/json; charset=utf-8
< Docker-Distribution-Api-Version: registry/2.0
< Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"
< Date: Wed, 24 Jan 2018 18:34:39 GMT
< Content-Length: 87
< Strict-Transport-Security: max-age=31536000
<
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
* Connection #0 to host *** left intact
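I don't understand why this is failing.
Update:
Based on the first answer and the information I got from the other question, I edited the description of the service account, adding the "imagePullSecrets" key, then I deleted the replicationcontroller again and recreated it. The result appeared to be identical.
This is the command I used to create the secret: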
kubectl create secret docker-registry regsecret --docker-server=registry-1.docker.io --docker-username=davidmichaelkarr --docker-password=** --docker-email=**
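I then obtained the yaml for the serviceaccount, added the key reference for the secret, then set that yaml as the settings for the serviceaccount.
These are the current settings for the service account: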
$ kubectl get serviceaccount default -o yaml
apiVersion: v1
imagePullSecrets:
- name: regsecret
kind: ServiceAccount
metadata:
creationTimestamp: 2018-01-24T00:05:01Z
name: default
namespace: default
resourceVersion: "81492"
selfLink: /api/v1/namespaces/default/serviceaccounts/default
uid: 38e2882c-009a-11e8-bf43-080027ae527b
secrets:
- name: default-token-x5nl4
The updated events list from the pod description after doing this:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 7m default-scheduler Successfully assigned kubia-f56th to minikube
Normal SuccessfulMountVolume 7m kubelet, minikube MountVolume.SetUp succeeded for volume "default-token-x5nl4"
Normal Pulling 5m (x4 over 7m) kubelet, minikube pulling image "davidmichaelkarr/kubia"
Warning Failed 5m (x4 over 7m) kubelet, minikube Failed to pull image "davidmichaelkarr/kubia": rpc error: code = Unknown desc = Error response from daemon: Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
Normal BackOff 4m (x6 over 7m) kubelet, minikube Back-off pulling image "davidmichaelkarr/kubia"
Warning FailedSync 2m (x18 over 7m) kubelet, minikube Error syncing pod
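What else might I be doing wrong?
Update:
I think it's likely that all these issues with authentication are unrelated to the real issue. The key point is what I see in the pod description (broken into multiple lines to make it easier to see):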
Warning Failed 22m (x4 over 24m) kubelet,
minikube Failed to pull image "davidmichaelkarr/kubia": rpc error: code =
Unknown desc = Error response from daemon: Get https://registry-1.docker.io/v2/:
net/http: request canceled while waiting for connection
(Client.Timeout exceeded while awaiting headers)
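The last line seems like the most important piece of information at this point. It's not failing authentication, it's timing out the connection. In my experience, something like this is usually caused by issues getting through a firewall/proxy. We do have an internal proxy, and I have those environment variables set in my environment, but what about the "serviceaccount" that kubectl is using to make this connection? Do I have to somehow set a proxy configuration in the serviceaccount description?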
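Added example, not part of the original question: two triage helpers for the signals shown above, using hypothetical function names. A 401 with a Bearer challenge on /v2/ is the registry's normal reply to a request that carries no token, so it shows the registry was reached from the workstation, while the kubelet event is a network timeout from the Docker daemon inside the minikube VM.

```shell
#!/bin/sh
# Added example (not from the original post): triage helpers for image-pull failures.

# classify_pull_error MESSAGE
# Prints "network" when the Docker daemon never got an answer from the registry
# (proxy, firewall, DNS), "auth" when the registry answered and refused, else "other".
classify_pull_error() {
  case "$1" in
    *"Client.Timeout exceeded"*|*"request canceled while waiting for connection"*)
      echo network ;;
    *"pull access denied"*|*"authentication required"*)
      echo auth ;;
    *)
      echo other ;;
  esac
}

# classify_v2_probe  (reads `curl -v https://<registry>/v2/` output on stdin)
# Only the status that follows the GET counts; a proxy's "200 Connection established"
# reply to CONNECT says nothing about the registry itself.
classify_v2_probe() {
  tr -d '\r' | awk '
    /^> GET /             { in_get = 1 }
    in_get && /^< HTTP\// { status = $3 }
    tolower($0) ~ /^< www-authenticate: bearer / { bearer = 1 }
    END {
      if (status == "")                   print "no-registry-response"
      else if (status == "401" && bearer) print "reachable-token-challenge"
      else if (status == "200")           print "reachable-authorized"
      else                                print "http-" status
    }'
}

# Sample input taken from the question above (kubelet event and curl trace, abridged).
EVENT='Failed to pull image "davidmichaelkarr/kubia": rpc error: code = Unknown desc = Error response from daemon: Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)'
TRACE='> CONNECT registry-1.docker.io:443 HTTP/1.1
< HTTP/1.1 200 Connection established
> GET /v2/ HTTP/1.1
< HTTP/1.1 401 Unauthorized
< Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"'

echo "kubelet event: $(classify_pull_error "$EVENT")"
printf 'curl probe:    '; printf '%s\n' "$TRACE" | classify_v2_probe
```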
Answer 0 (score: 1)
You need to make sure the Docker daemon running in the Minikube VM uses your corporate proxy by starting minikube with the following line:
minikube start --docker-env http_proxy=http://proxy.corp.com:port --docker-env https_proxy=http://proxy.corp.com:port --docker-env no_proxy=192.168.99.0/24
Answer 1 (score: 0)
To fetch images stored in registries that require credentials, you need to create a special type of secret called imagePullSecrets.
kubectl create secret docker-registry regsecret --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
Then create the pod, specifying the imagePullSecrets field.
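Answer 2 (score: 0)
As stated in my comment on the original post, I had the same problem. The only thing of note is that the minikube was up at the time of creation. I restarted the underlying VM and the image requests started working.
Answer 3 (score: 0)
This seems to be quite an old issue, but I had a similar problem and solved it by logging in to your docker account.
You can try it by deleting the existing failed pods, firing the "docker login" command (to log in to your account), and then retrying the pod creation.
Answer 4 (score: 0)
I ran into the same issue a couple of times. Updating here, might be useful for someone.
First describe the pod (kubectl describe pod
1. If you see an access denied / repository does not exist error, like
Error response from daemon: pull access denied for test/nginx, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
Solution:
2. If you get a timeout error,
Error: Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
Solution: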