Adding a private registry to Kubernetes

1. Import the account credentials for the private Docker registry:

kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL

Decode the stored secret to standard output:

kubectl get secret myregistrykey --output="jsonpath={.data.\.dockerconfigjson}" | base64 -d

2. Check that the secret was created:

kubectl get secrets myregistrykey

3. Create a user (ServiceAccount) for accessing the Kubernetes API

Write a YAML file:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
automountServiceAccountToken: false

Create the build-robot user with kubectl create -f file.yaml

View the account's details with kubectl get serviceaccount build-robot -o yaml

You can also create an API token for it at the same time:

apiVersion: v1
kind: Secret
metadata:
  name: build-robot-secret
  annotations:
    kubernetes.io/service-account.name: build-robot
type: kubernetes.io/service-account-token

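The token can be retrieved with kubectl get secret build-robot-secret -o yaml (or with the describe command)

4. Next, add the "myregistrykey" secret created earlier to the build-robot user, so that pods running under this account can pull the protected images from the private registry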

(1)

kubectl get serviceaccounts build-robot -o yaml > ./ro.yaml

(2)

$ cat ro.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2018-04-03T22:02:39Z
  name: build-robot
  namespace: default
  resourceVersion: "243024"
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
secrets:
- name: build-robot-token

$ vi ro.yaml
[editor session not shown]
[delete line with key "resourceVersion"]
[add lines with "secrets:"]
[add lines with "imagePullSecrets:"]

$ cat ro.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2018-04-03T22:02:39Z
  name: build-robot
  namespace: default
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
secrets:
- name: build-robot-token
imagePullSecrets:
- name: myregistrykey

$ kubectl replace serviceaccount build-robot -f ./ro.yaml

With this in place, a pod YAML file that names the following account in the default namespace will use myregistrykey automatically:

serviceAccount: build-robot

serviceAccountName: build-robot

Alternatively, in the pod's YAML file, add - name: myregistrykey under spec.imagePullSecrets to bypass the account's own key and pull images from your private registry directly:

apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    image: <your-private-image>
  imagePullSecrets:
  - name: myregistrykey

Configuring the default account to pull images automatically

1. Import the account credentials for the private Docker registry:

kubectl create secret docker-registry myregistrykey --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL

Decode the stored secret to standard output:

kubectl get secret myregistrykey --output="jsonpath={.data.\.dockerconfigjson}" | base64 -d

2. Check that the secret was created:

kubectl get secrets myregistrykey

You can also create an API token at the same time:

apiVersion: v1
kind: Secret
metadata:
  name: default-secret
  annotations:
    kubernetes.io/service-account.name: default
type: kubernetes.io/service-account-token

The token can be retrieved with kubectl get secret default-secret -o yaml (or with the describe command)

$ kubectl get serviceaccounts default -o yaml > ./sa.yaml

$ cat sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2023-04-23T05:36:00Z"
  name: default
  namespace: default
  resourceVersion: "337"
  uid: 1a3039ec-c43e-404e-9fa7-0fda9c736693


$ vi sa.yaml
[editor session not shown]
[delete line with key "resourceVersion"]
[add lines with "secrets:"]
[add lines with "imagePullSecrets:"]

$ cat sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2023-04-23T05:36:00Z
  name: default
  namespace: default
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: 1a3039ec-c43e-404e-9fa7-0fda9c736693
secrets:
- name: default-token
imagePullSecrets:
- name: myregistrykey

$ kubectl apply -f ./sa.yaml

With this in place, a pod YAML file that names the following account in the default namespace will use myregistrykey automatically:

serviceAccount: default

serviceAccountName: default

Alternatively, in the pod's YAML file, add - name: myregistrykey under spec.imagePullSecrets to bypass the account's own key and pull images from your private registry directly:

apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    image: <your-private-image>
  imagePullSecrets:
  - name: myregistrykey
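
The base64 -d step in both procedures works because a docker-registry secret is only encoded, not encrypted. The following Python sketch is an added example, not part of the original post: it builds a constructed myregistrykey manifest in the layout kubectl writes and recovers the credentials from it. The registry host, user name, password and e-mail are made-up sample values, and the function names are hypothetical.

```python
import base64
import json


def build_dockerconfigjson(server, username, password, email):
    """Return the base64 string stored under .data[".dockerconfigjson"]."""
    # "auth" is base64("username:password"), the same form docker login stores.
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {server: {"username": username, "password": password,
                                 "email": email, "auth": auth}}}
    return base64.b64encode(json.dumps(config).encode()).decode()


def recover_credentials(secret):
    """Return [(server, username, password)] readable from a Secret manifest."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a docker-registry secret")
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    found = []
    for server, entry in json.loads(raw).get("auths", {}).items():
        user, password = entry.get("username"), entry.get("password")
        if "auth" in entry:
            # Split on the first ':' only; the password may contain colons.
            decoded = base64.b64decode(entry["auth"]).decode()
            user, _, password = decoded.partition(":")
        found.append((server, user, password))
    return found


# Constructed sample: what "kubectl get secret myregistrykey -o json" would
# return for made-up credentials (all values below are placeholders).
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/dockerconfigjson",
    "metadata": {"name": "myregistrykey", "namespace": "default"},
    "data": {".dockerconfigjson": build_dockerconfigjson(
        "registry.example.com", "ci-puller", "s3cr3t:with-colon",
        "ci@example.com")},
}

if __name__ == "__main__":
    for server, user, password in recover_credentials(SAMPLE_SECRET):
        print(f"{server}: user={user} password={password}")
```

Any principal allowed to get secrets in the namespace can read the registry password this way, so give the secret a pull-only registry account and restrict secret read access with RBAC.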