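Asking the instructor for help: in a k8s cluster where containerd uses Harbor, how do I skip the certificate problem? containerd's config.toml seems to be different from other people's
Source: 4-1 Analyzing the kubespray deployment plan and preparing the base environment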

Kevin0688
2023-03-07
The [plugins.cri.registry] section of config.toml:
[plugins.cri.registry]
[plugins.cri.registry.mirrors]
[plugins.cri.registry.mirrors."docker.io"]
endpoint = ["https://registry-1.docker.io"]
pod-nginx-test-v1.yaml, where 192.168.5.52 is the Harbor instance I set up:
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: test
spec:
  containers:
  - name: nginx
    image: 192.168.5.52/kubernetes/nginx:latest
    ports:
    - containerPort: 80
After running kubectl apply -f pod-nginx-test-v1.yaml, a certificate error is reported.
I then changed the [plugins.cri.registry] section of config.toml to the following (ca.crt was uploaded as well) and ran systemctl restart containerd:
[plugins.cri.registry.mirrors."192.168.5.52"]
endpoint = ["https://192.168.5.52"]
[plugins.cri.registry.configs."192.168.5.52".auth]
username = "admin"
password = "xxx"
[plugins.cri.registry.configs."192.168.5.52".tls]
ca_file = "/opt/certs/ca.crt"
It still fails, and I'm really out of options.
[root@server21 opt]# ctr images pull 192.168.5.52/kubernetes/nginx:latest
ctr: failed to resolve reference "192.168.5.52/kubernetes/nginx:latest": failed to do request: Head https://192.168.5.52/v2/kubernetes/nginx/manifests/latest: x509: cannot validate certificate for 192.168.5.52 because it doesn't contain any IP SANs
[root@server21 opt]#
Also, on another machine of mine running docker, configuring the Harbor address works, as shown below.
ca.crt there is also Harbor's certificate.
[root@server52 ~]# cat /etc/docker/daemon.json
{
"insecure-registries": ["https://192.168.5.52"]
}[root@server52 ~]#
[root@server52 192.168.5.52]# pwd
/etc/docker/certs.d/192.168.5.52
[root@server52 192.168.5.52]# ls
ca.crt
[root@server52 192.168.5.52]#
1 answer
Kevin0688
Asker
2023-03-10
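I was stuck for two days and finally found the solution; it was a problem with the self-signed certificate after all.
In the end I used the mkcert tool to issue the SSL certificate for Harbor (and redeployed Harbor after issuing it), then uploaded the issuing root certificate to every node of the k8s cluster (into the node's /etc/pki/ca-trust/source/anchors directory, running /bin/update-ca-trust after the upload).
No changes to the docker or containerd configuration are needed.
Reference: https://zhuanlan.zhihu.com/p/379501905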