关于linux:如何在-K8S-集群范围使用-imagePullSecret

在这篇文章中,我将向你展现如何在 Kubernetes 中应用 imagePullSecrets。

imagePullSecrets 简介

Kubernetes 在每个 Pod 或每个 Namespace 的根底上应用 imagePullSecrets 对公有容器注册表进行身份验证。要做到这一点,你须要创立一个机密与凭据:

{% note warning %}
⚠️ 正告

当初随着公共镜像仓库(如:docker.io 等)开始对匿名用户进行限流,配置公共仓库的身份认证也变得有必要。
{% endnote %}

kubectl create secret docker-registry image-pull-secret \
  -n <your-namespace> \
  --docker-server=<your-registry-server> \
  --docker-username=<your-name> \
  --docker-password=<your-password> \
  --docker-email=<your-email>

例如配置 docker.io 的 pull secret:

kubectl create secret docker-registry image-pull-secret-src \
        -n imagepullsecret-patcher \
        --docker-server=docker.io \
        --docker-username=caseycui \
        --docker-password=c874d654-xxxx-40c6-xxxx-xxxxxxxx89c2 \
        --docker-email=cuikaidong@foxmail.com

{% note info %}
ℹ️ 信息

如果 docker.io 启用了「2 阶段认证」,可能须要创立 Access Token(对应下面的 docker-password,创立链接在这里:账号 -> 平安
{% endnote %}

当初咱们能够在一个 pod 中应用这个 secret 来下载 docker 镜像:

apiVersion: v1
kind: Pod
metadata:
  name: busybox
  namespace: private-registry-test
spec:
  containers:
    - name: my-app
      image: my-private-registry.infra/busybox:v1
  imagePullSecrets:
    - name: image-pull-secret

另一种办法是将它增加到命名空间的默认 ServiceAccount 中:

kubectl patch serviceaccount default \
  -p "{\"imagePullSecrets\": [{\"name\": \"image-pull-secret\"}]}" \
  -n <your-namespace>

在 K8S 集群范畴应用 imagePullSecrets

我找到了一个叫做 imagepullsecret-patch 的工具,它能够在你所有的命名空间上做这个:

wget https://raw.githubusercontent.com/titansoft-pte-ltd/imagepullsecret-patcher/185aec934bd01fa9b6ade2c44624e5f2023e2784/deploy-example/kubernetes-manifest/1_rbac.yaml
wget https://raw.githubusercontent.com/titansoft-pte-ltd/imagepullsecret-patcher/master/deploy-example/kubernetes-manifest/2_deployment.yaml

kubectl create ns imagepullsecret-patcher

编辑下载的文件,个别须要批改image-pull-secret-src的内容,这个 pull secret 就会利用到 K8S 集群范畴。

nano 1_rbac.yaml
nano 2_deployment.yaml
kubectl apply -f 1_rbac.yaml
kubectl apply -f 2_deployment.yaml

这里背地创立的资源有:

  1. NameSpace
  2. RBAC 权限相干:

    1. imagepullsecret-patcher ServiceAccount
    2. imagepullsecret-patcher ClusterRole,具备对 service account 和 secret 的所有权限
    3. imagepullsecret-patcher ClusterRoleBinding,为 imagepullsecret-patcher ServiceAccount 赋予 imagepullsecret-patcher ClusterRole 的权限。
  3. 全局 pull secret image-pull-secret-src,外面是你的 K8S 全局蕴含的所有的镜像库地址和认证信息。
  4. Deployment imagepullsecret-patcher,指定 ServiceAccount 是 imagepullsecret-patcher 就有了操作 service account 和 secret 的所有权限,并将下面的 secret 挂载到 Deployment pod 内。

能够蕴含多个镜像库地址和认证信息,如:

{
    "auths": {
        "docker.io": {
            "username": "caseycui",
            "password": "c874xxxxxxxxxxxxxxxx1f89c2",
            "email": "cuikaidong@foxmail.com",
            "auth": "Y2FzxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxWMy"
        },
        "quay.io": {
            "auth": "ZWFzdxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxlXWmpNPQ==",
            "email": ""
        }
    }
}

base64 编码后写到 secret 的 .dockerconfigjson 字段即可:

apiVersion: v1
kind: Secret
metadata:
  name: image-pull-secret-src
  namespace: imagepullsecret-patcher
data:
  .dockerconfigjson: >-
    eyJhdXRocyI6eyJkb2NrZXIuaW8iOnsidXNlcm5hbWUiOiJjYXNleWN1aSIsInB.............................................IiwiZW1haWwiOiIifX19
type: kubernetes.io/dockerconfigjson

启动后的 pod 会在所有 NameSpace 下创立 image-pull-secret secret(内容来自于image-pull-secret-src) 并把它 patch 到 default service account 及该 K8S 集群的所有 ServiceAccount 里,日志如下:

time="2022-01-12T16:07:30Z" level=info msg="Application started"
time="2022-01-12T16:07:30Z" level=info msg="[default] Created secret"
time="2022-01-12T16:07:30Z" level=info msg="[default] Patched imagePullSecrets to service account [default]"
time="2022-01-12T16:07:30Z" level=info msg="[kube-system] Created secret"
time="2022-01-12T16:07:31Z" level=info msg="[kube-system] Patched imagePullSecrets to service account [node-controller]"
...
time="2022-01-12T16:07:37Z" level=info msg="[kube-public] Created secret"
time="2022-01-12T16:07:37Z" level=info msg="[kube-public] Patched imagePullSecrets to service account [default]"
time="2022-01-12T16:07:38Z" level=info msg="[kube-node-lease] Created secret"
time="2022-01-12T16:07:38Z" level=info msg="[kube-node-lease] Patched imagePullSecrets to service account [default]"
time="2022-01-12T16:07:38Z" level=info msg="[prometheus] Created secret"
time="2022-01-12T16:07:39Z" level=info msg="[prometheus] Patched imagePullSecrets to service account [default]"
...
time="2022-01-12T16:07:41Z" level=info msg="[imagepullsecret-patcher] Created secret"
time="2022-01-12T16:07:41Z" level=info msg="[imagepullsecret-patcher] Patched imagePullSecrets to service account [default]"
time="2022-01-12T16:07:41Z" level=info msg="[imagepullsecret-patcher] Patched imagePullSecrets to service account [imagepullsecret-patcher]"

今后咱们只须要更新 image-pull-secret-src 这一个即可了。👍️👍️👍️

Kyverno policy

Kyverno policy 能够实现同样的成果:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sync-secret
spec:
  background: false
  rules:
  - name: sync-image-pull-secret
    match:
      resources:
        kinds:
        - Namespace
    generate:
      kind: Secret
      name: image-pull-secret
      namespace: "{{request.object.metadata.name}}"
      synchronize: true
      clone:
        namespace: default
        name: image-pull-secret
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: mutate-imagepullsecret
spec:
  rules:
    - name: mutate-imagepullsecret
      match:
        resources:
          kinds:
          - Pod
      mutate:
        patchStrategicMerge:
          spec:
            imagePullSecrets:
            - name: image-pull-secret  ## imagePullSecret that you created with docker hub pro account
            (containers):
            - (image): "*" ## match all container images

本文由博客一文多发平台 OpenWrite 公布!

【腾讯云】轻量 2核2G4M,首年65元

阿里云限时活动-云数据库 RDS MySQL  1核2G配置 1.88/月 速抢

本文由乐趣区整理发布,转载请注明出处,谢谢。

您可能还喜欢...

发表回复

您的电子邮箱地址不会被公开。 必填项已用*标注

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据