使用声明性命令创建 Kubernetes Pod 时获取 ErrImagePull:401 Unauthorized
Getting ErrImagePull : 401 Unauthorized when creating a Kubernetes Pod with a declarative command
我正在完成一个演示如何在 IBM Cloud 上设置 Kubernetes 和 CLI 的实验室。
我有 Kubernetes 集群设置和容器注册表。我在 CLI 上登录到 IBM Cloud 和 Container Registry。图片已创建并推送。
我可以使用图像和命令式命令创建一个 pod,使用:
kubectl create -f hello-world-create.yaml
yaml 文件如下所示:
apiVersion: v1
kind: Pod
metadata:
name: hello-world
spec:
containers:
- name: hello-world
image: us.icr.io/earlyprogramimages/hello-world:1
ports:
- containerPort: 80
imagePullSecrets:
- name: icr
但是当我尝试对同一图像使用声明性命令时 运行
kubectl apply -f hello-world-apply.yaml
yaml 文件看起来像
apiVersion: apps/v1
kind: Deployment
metadata:
generation: 1
labels:
run: hello-world
name: hello-world
spec:
replicas: 3
selector:
matchLabels:
run: hello-world
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
labels:
run: hello-world
spec:
containers:
- image: us.icr.io/earlyprogramimages/hello-world:1
imagePullPolicy: Always
name: hello-world
ports:
- containerPort: 80
protocol: TCP
imagePullSecrets:
- name: icr
dnsPolicy: ClusterFirst
restartPolicy: Always
securityContext: {}
terminationGracePeriodSeconds: 30
我得到每个 pods 事件堆栈
的状态 ErrImagePull
Successfully assigned default/hello-world-6fd8bd67dc-79gbz to xx.xx.xx.xx
Pulling image "us.icr.io/earlyprogramimages/hello-world:1
Failed to pull image "us.icr.io/earlyprogramimages/hello-world:1": rpc error: code = Unknown desc = failed to pull and unpack image "us.icr.io/earlyprogramimages/hello-world:1": failed to resolve reference "us.icr.io/earlyprogramimages/hello-world:1": failed to authorize: failed to fetch anonymous token: unexpected status: 401 Unauthorized
Error: ErrImagePull
显然该命令没有对图像的读取权限,但我已使用
成功登录
ibmcloud cr login
并且可以使用命令式创建命令部署 pod。
我已经阅读了文档,但无法确定我忽略了哪一步。为声明性应用命令授予适当访问权限需要哪些额外步骤?
运行
kubectl get secrets -n default | grep "icr-io"
给予
kubectl get secrets -n default | grep "icr-io"
all-icr-io kubernetes.io/dockerconfigjson 1 167m
default-au-icr-io kubernetes.io/dockerconfigjson 1 167m
default-de-icr-io kubernetes.io/dockerconfigjson 1 167m
default-icr-io kubernetes.io/dockerconfigjson 1 167m
default-jp-icr-io kubernetes.io/dockerconfigjson 1 167m
default-uk-icr-io kubernetes.io/dockerconfigjson 1 167m
default-us-icr-io kubernetes.io/dockerconfigjson 1 167m
查看 https://cloud.ibm.com/docs/containers?topic=containers-registry#cluster_registry_auth 了解可能出错的详细信息。需要检查的一些事项:
- 您是否制定了 IAM 策略来授予您访问容器注册表的权限?
kubectl get secrets -n default | grep "icr-io" 是否显示任何 pull 秘密?如果不是,请按照上面的文档 link 进行修复。
这是我按预期所做和工作的,
如您所见,all-icr-io 是集群中提供的默认镜像拉取密钥。 不确定您为什么使用 icr
By default, the IBM Cloud Kubernetes cluster is set up to pull images
from only your account’s namespace in IBM Cloud Container Registry by
using the secret all-icr-io in the default namespace.
勾选 documentation here 以将现有镜像 pull secret 复制到 non-default 命名空间
所以,我的 hello-world-create 看起来像这样
apiVersion: v1
kind: Pod
metadata:
name: hello-world
spec:
containers:
- name: hello-world
image: us.icr.io/mods15/hello-world:1
ports:
- containerPort: 80
imagePullSecrets:
- name: all-icr-io
我的hello-world-apply.yaml是
apiVersion: apps/v1
kind: Deployment
metadata:
generation: 1
labels:
run: hello-world
name: hello-world
spec:
replicas: 3
selector:
matchLabels:
run: hello-world
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
labels:
run: hello-world
spec:
containers:
- image: us.icr.io/mods15/hello-world:1
imagePullPolicy: Always
name: hello-world
ports:
- containerPort: 80
protocol: TCP
imagePullSecrets:
- name: all-icr-io
dnsPolicy: ClusterFirst
restartPolicy: Always
securityContext: {}
terminationGracePeriodSeconds: 30
这是成功配置 yaml 文件后的结果
我正在完成一个演示如何在 IBM Cloud 上设置 Kubernetes 和 CLI 的实验室。
我有 Kubernetes 集群设置和容器注册表。我在 CLI 上登录到 IBM Cloud 和 Container Registry。图片已创建并推送。
我可以使用图像和命令式命令创建一个 pod,使用:
kubectl create -f hello-world-create.yaml
yaml 文件如下所示:
apiVersion: v1
kind: Pod
metadata:
name: hello-world
spec:
containers:
- name: hello-world
image: us.icr.io/earlyprogramimages/hello-world:1
ports:
- containerPort: 80
imagePullSecrets:
- name: icr
但是当我尝试对同一图像使用声明性命令时 运行
kubectl apply -f hello-world-apply.yaml
yaml 文件看起来像
apiVersion: apps/v1
kind: Deployment
metadata:
generation: 1
labels:
run: hello-world
name: hello-world
spec:
replicas: 3
selector:
matchLabels:
run: hello-world
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
labels:
run: hello-world
spec:
containers:
- image: us.icr.io/earlyprogramimages/hello-world:1
imagePullPolicy: Always
name: hello-world
ports:
- containerPort: 80
protocol: TCP
imagePullSecrets:
- name: icr
dnsPolicy: ClusterFirst
restartPolicy: Always
securityContext: {}
terminationGracePeriodSeconds: 30
我得到每个 pods 事件堆栈
的状态ErrImagePull
Successfully assigned default/hello-world-6fd8bd67dc-79gbz to xx.xx.xx.xx
Pulling image "us.icr.io/earlyprogramimages/hello-world:1
Failed to pull image "us.icr.io/earlyprogramimages/hello-world:1": rpc error: code = Unknown desc = failed to pull and unpack image "us.icr.io/earlyprogramimages/hello-world:1": failed to resolve reference "us.icr.io/earlyprogramimages/hello-world:1": failed to authorize: failed to fetch anonymous token: unexpected status: 401 Unauthorized
Error: ErrImagePull
显然该命令没有对图像的读取权限,但我已使用
成功登录ibmcloud cr login
并且可以使用命令式创建命令部署 pod。
我已经阅读了文档,但无法确定我忽略了哪一步。为声明性应用命令授予适当访问权限需要哪些额外步骤?
运行
kubectl get secrets -n default | grep "icr-io"
给予
kubectl get secrets -n default | grep "icr-io"
all-icr-io kubernetes.io/dockerconfigjson 1 167m
default-au-icr-io kubernetes.io/dockerconfigjson 1 167m
default-de-icr-io kubernetes.io/dockerconfigjson 1 167m
default-icr-io kubernetes.io/dockerconfigjson 1 167m
default-jp-icr-io kubernetes.io/dockerconfigjson 1 167m
default-uk-icr-io kubernetes.io/dockerconfigjson 1 167m
default-us-icr-io kubernetes.io/dockerconfigjson 1 167m
查看 https://cloud.ibm.com/docs/containers?topic=containers-registry#cluster_registry_auth 了解可能出错的详细信息。需要检查的一些事项:
- 您是否制定了 IAM 策略来授予您访问容器注册表的权限?
kubectl get secrets -n default | grep "icr-io"是否显示任何 pull 秘密?如果不是,请按照上面的文档 link 进行修复。
这是我按预期所做和工作的,
如您所见,all-icr-io 是集群中提供的默认镜像拉取密钥。 不确定您为什么使用 icr
By default, the IBM Cloud Kubernetes cluster is set up to pull images from only your account’s namespace in IBM Cloud Container Registry by using the secret
all-icr-ioin the default namespace.
勾选 documentation here 以将现有镜像 pull secret 复制到 non-default 命名空间
所以,我的 hello-world-create 看起来像这样
apiVersion: v1
kind: Pod
metadata:
name: hello-world
spec:
containers:
- name: hello-world
image: us.icr.io/mods15/hello-world:1
ports:
- containerPort: 80
imagePullSecrets:
- name: all-icr-io
我的hello-world-apply.yaml是
apiVersion: apps/v1
kind: Deployment
metadata:
generation: 1
labels:
run: hello-world
name: hello-world
spec:
replicas: 3
selector:
matchLabels:
run: hello-world
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
labels:
run: hello-world
spec:
containers:
- image: us.icr.io/mods15/hello-world:1
imagePullPolicy: Always
name: hello-world
ports:
- containerPort: 80
protocol: TCP
imagePullSecrets:
- name: all-icr-io
dnsPolicy: ClusterFirst
restartPolicy: Always
securityContext: {}
terminationGracePeriodSeconds: 30
这是成功配置 yaml 文件后的结果