How to use private image library (docker version) gracefully in k8s

KAnts 2021-01-05 17:09:55
use private image library docker


Preface

In the enterprise landing K8S In the process of , Private image library ( Dedicated image library ) essential , Especially in Docker Hub After starting to limit free users , More and more reflects the importance of building private image library .

Private image library can not only speed up the pulling of images, but also avoid the special " Network problems " This leads to the embarrassment of image pull failure .

Of course, after deploying the private image library, you also need to set some security policies for the image library , Most private image libraries use IP Access strategy + authentication ( Closed projects ) In this way, the image library can be protected .

So for the image library with authentication restrictions , stay K8S How to integrate gracefully in ?
The following is a summary of K8S Several situations and ways of using private image library in .

stay K8S Using private image library in

First of all, we need to determine the authorized use of the private image library , Select the corresponding authentication configuration for different usage modes .

  1. For nodes (Node)

    This should be used by enterprises K8S It's the most common way , Generally, this is enough , And this scheme is almost the necessary configuration after using the private image library , It can do :
    Configure nodes in a certain environment , Don't need to K8S You can enjoy the privilege of specific private library by other configuration in .
    The scheme is applicable to all Pods take effect , At the same time, it's also about Africa Pods Mirror effect , for example : kubelet Of pause Mirror image , This is critical .

  2. For service accounts (ServiceAccount)、 For the namespace (Namespace)

    The ServiceAccount Of Pod All enjoy this ServiceAccount The configured image library authentication settings .
    It can also be used K8S in default ServiceAccount Mechanism , To achieve all the functions without special settings in a specific namespace Pod take effect .

  3. in the light of Pod

    For specific Pod Make authentication configuration , The Pod You'll have access to private libraries .

    Deployment、DaemonSet、StatefulSet、CronJob、Job And so on PodTemplate In the end, it will be in a specific way Pod Resource experience , So in PodTemplate The configuration is also right Pod To configure .

Configuration steps

Prerequisite

  1. A private image library available ( We can use Harbor build )
  2. The account number and password of the private image library ( Only read-only access is recommended )
  3. CRI be based on Docker ( The rest of the CRI No verification yet )

For nodes (Node) To configure

  1. To write Docker The configuration file
  2. take Docker The configuration file is placed in the specified location
  3. restart kubelet

To write Docker The configuration file

First write Docker Authentication profile for , The format is as follows :

{
"auths": {
"<HOST>": {
"auth": "<BASIC_AUTHORIZATION>"
}
}
}

<HOST> Is the address of the private mirror Library , for example : hub.docker.com
<BASIC_AUTHORIZATION> by BASE64(<USERNAME>:<PASSWORD>)
for example : cmVhZGVyOjEyMzQ1Ng==, The account number is : reader, The password is : 123456
Use : After splicing base64

Complete configuration file , example

{
"auths": {
"hub.docker.com": {
"auth": "cmVhZGVyOjEyMzQ1Ng=="
},
"harbor.domain.cn": {
"auth": "cmVhZGVyOiFAIzQ1Ng=="
}
}
}

If there are multiple image libraries in auths Section .

take Docker The configuration file is placed in the specified location

It's recommended to put it in kubelet In the root directory , The configuration file needs to be in config.json name .
default kubelet The root directory is usually /var/lib/kubelet ( If there is any change, you can replace it )
That is, it needs to be placed in /var/lib/kubelet/config.json.

It can also be placed in the following positions :

{--root-dir:-/var/lib/kubelet}/config.json
{cwd of kubelet}/config.json
${HOME}/.docker/config.json
/.docker/config.json
{--root-dir:-/var/lib/kubelet}/.dockercfg
{cwd of kubelet}/.dockercfg
${HOME}/.dockercfg
/.dockercfg

Reference documents :
https://kubernetes.io/docs/concepts/containers/images/#configuring-nodes-to-authenticate-to-a-private-registry

Put it in ${HOME} The starting position

Need to be in kubelet service Configuration in environment HOME The path of , Otherwise it won't work , for example : HOME=/root
Here's how to use kubeadm Scripts available in the installed environment , If not, please configure it yourself

echo "HOME=${HOME}" >> /var/lib/kubelet/kubeadm-flags.env

restart kubelet

If init No systemd, Please replace the service restart command by yourself

systemctl daemon-reload; systemctl restart kubelet

For service accounts (ServiceAccount)、 For the namespace (Namespace)

  1. Create a Docker Registry confidential resources
  2. Set up ServiceAccount Of imagePullSecrets
  3. take Pod Of serviceAccountName Set to this ServiceAccount The name of

Create a Docker Registry confidential resources

Use kubectl cli Create a registry secret resource

kubectl create secret docker-registry <SECRET_NAME> --docker-server=<DOCKER_REGISTRY_SERVER> --docker-username=<DOCKER_USER> --docker-password=<DOCKER_PASSWORD> -n <NAMESPACE>

among
<SECRET_NAME> It's the name of the classified resource , Editing sa Resources need to be referenced when they are used
<DOCKER_REGISTRY_SERVER> Is the server address of the private image library
<DOCKER_USER> It's an account authenticated by the private image library
<DOCKER_PASSWORD> Is the password of private image library authentication
<NAMESPACE> Is the name of the namespace

The example command is as follows :

kubectl create secret docker-registry docker-reader-secret --docker-server=harbor.domain.cn --docker-username=reader --docker-password=123456 -n basic

Use yaml Create a registry secret resource

apiVersion: v1
data:
.dockerconfigjson: eyJhdXRocyI6eyJET0NLRVJfUkVHSVNUUllfU0VSVkVSIjp7InVzZXJuYW1lIjoiRE9DS0VSX1VTRVIiLCJwYXNzd29yZCI6IkRPQ0tFUl9QQVNTV09SRCIsImF1dGgiOiJSRTlEUzBWU1gxVlRSVkk2UkU5RFMwVlNYMUJCVTFOWFQxSkUifX19
kind: Secret
metadata:
name: docker-reader-secret
namespace: default
type: kubernetes.io/dockerconfigjson

.dockerconfigjson yes base64 String after , Please refer to " To write Docker The configuration file " The content of section

kubectl apply -f docker-reader-secret.yaml

Set up ServiceAccount Of imagePullSecrets

apiVersion: v1
kind: ServiceAccount
metadata:
name: service1
namespace: basic
secrets:
- name: service1-token-mp4qs
imagePullSecrets:
- name: docker-reader-secret

Will be resources of serviceAccountName Set to this ServiceAccount The name of

apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
serviceAccountName: service1

How to target all Pod?

K8S There's a default mechanism in , Will create a name in the namespace called default Of ServiceAccount (sa) resources .
And the resources are not specified separately serviceAccountName when , By default default As serviceAccountName.
So we just need to set up default ServiceAccount Of imagePullSecrets That is, there is no special specification for serviceAccountName Field Pod It works .

in the light of Pod

  1. Create a Docker Registry confidential resources
  2. Set up Pod Of imagePullSecrets

Create a Docker Registry confidential resources

Reference resources " Create a Docker Registry confidential resources " The content of section

A concrete Pod

apiVersion: v1
kind: Pod
metadata:
name: foo
namespace: awesomeapps
spec:
containers:
- name: foo
image: janedoe/awesomeapp:v1
imagePullSecrets:
- name: docker-reader-secret

For PodTemplate Content resources

apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
imagePullSecrets:
- name: docker-reader-secret

Last

If your private image library has not yet adopted Authentication , Let's act quickly !
Lesson from blood , Security is a matter of urgency .

版权声明
本文为[KAnts]所创,转载请带上原文链接,感谢
https://javamana.com/2020/12/20201231093657624o.html

  1. 【计算机网络 12(1),尚学堂马士兵Java视频教程
  2. 【程序猿历程,史上最全的Java面试题集锦在这里
  3. 【程序猿历程(1),Javaweb视频教程百度云
  4. Notes on MySQL 45 lectures (1-7)
  5. [computer network 12 (1), Shang Xuetang Ma soldier java video tutorial
  6. The most complete collection of Java interview questions in history is here
  7. [process of program ape (1), JavaWeb video tutorial, baidu cloud
  8. Notes on MySQL 45 lectures (1-7)
  9. 精进 Spring Boot 03:Spring Boot 的配置文件和配置管理,以及用三种方式读取配置文件
  10. Refined spring boot 03: spring boot configuration files and configuration management, and reading configuration files in three ways
  11. 精进 Spring Boot 03:Spring Boot 的配置文件和配置管理,以及用三种方式读取配置文件
  12. Refined spring boot 03: spring boot configuration files and configuration management, and reading configuration files in three ways
  13. 【递归,Java传智播客笔记
  14. [recursion, Java intelligence podcast notes
  15. [adhere to painting for 386 days] the beginning of spring of 24 solar terms
  16. K8S系列第八篇(Service、EndPoints以及高可用kubeadm部署)
  17. K8s Series Part 8 (service, endpoints and high availability kubeadm deployment)
  18. 【重识 HTML (3),350道Java面试真题分享
  19. 【重识 HTML (2),Java并发编程必会的多线程你竟然还不会
  20. 【重识 HTML (1),二本Java小菜鸟4面字节跳动被秒成渣渣
  21. [re recognize HTML (3) and share 350 real Java interview questions
  22. [re recognize HTML (2). Multithreading is a must for Java Concurrent Programming. How dare you not
  23. [re recognize HTML (1), two Java rookies' 4-sided bytes beat and become slag in seconds
  24. 造轮子系列之RPC 1:如何从零开始开发RPC框架
  25. RPC 1: how to develop RPC framework from scratch
  26. 造轮子系列之RPC 1:如何从零开始开发RPC框架
  27. RPC 1: how to develop RPC framework from scratch
  28. 一次性捋清楚吧,对乱糟糟的,Spring事务扩展机制
  29. 一文彻底弄懂如何选择抽象类还是接口,连续四年百度Java岗必问面试题
  30. Redis常用命令
  31. 一双拖鞋引发的血案,狂神说Java系列笔记
  32. 一、mysql基础安装
  33. 一位程序员的独白:尽管我一生坎坷,Java框架面试基础
  34. Clear it all at once. For the messy, spring transaction extension mechanism
  35. A thorough understanding of how to choose abstract classes or interfaces, baidu Java post must ask interview questions for four consecutive years
  36. Redis common commands
  37. A pair of slippers triggered the murder, crazy God said java series notes
  38. 1、 MySQL basic installation
  39. Monologue of a programmer: despite my ups and downs in my life, Java framework is the foundation of interview
  40. 【大厂面试】三面三问Spring循环依赖,请一定要把这篇看完(建议收藏)
  41. 一线互联网企业中,springboot入门项目
  42. 一篇文带你入门SSM框架Spring开发,帮你快速拿Offer
  43. 【面试资料】Java全集、微服务、大数据、数据结构与算法、机器学习知识最全总结,283页pdf
  44. 【leetcode刷题】24.数组中重复的数字——Java版
  45. 【leetcode刷题】23.对称二叉树——Java版
  46. 【leetcode刷题】22.二叉树的中序遍历——Java版
  47. 【leetcode刷题】21.三数之和——Java版
  48. 【leetcode刷题】20.最长回文子串——Java版
  49. 【leetcode刷题】19.回文链表——Java版
  50. 【leetcode刷题】18.反转链表——Java版
  51. 【leetcode刷题】17.相交链表——Java&python版
  52. 【leetcode刷题】16.环形链表——Java版
  53. 【leetcode刷题】15.汉明距离——Java版
  54. 【leetcode刷题】14.找到所有数组中消失的数字——Java版
  55. 【leetcode刷题】13.比特位计数——Java版
  56. oracle控制用户权限命令
  57. 三年Java开发,继阿里,鲁班二期Java架构师
  58. Oracle必须要启动的服务
  59. 万字长文!深入剖析HashMap,Java基础笔试题大全带答案
  60. 一问Kafka就心慌?我却凭着这份,图灵学院vip课程百度云