I am working through a lab that shows how to set-up Kubernetes and the CLI on IBM Cloud.
I have the Kubernetes cluster setup, and the container registry. I am logged in to IBM Cloud and the Container Registry on the CLI. The image has been created and pushed.
I can create a pod using the image with an imperative command using:
kubectl create -f hello-world-create.yaml
where the yaml
file looks like:
apiVersion: v1
kind: Pod
metadata:
name: hello-world
spec:
containers:
- name: hello-world
image: us.icr.io/earlyprogramimages/hello-world:1
ports:
- containerPort: 80
imagePullSecrets:
- name: icr
but when I try the declarative command for the same image running
kubectl apply -f hello-world-apply.yaml
where the yaml
file looks like
apiVersion: apps/v1
kind: Deployment
metadata:
generation: 1
labels:
run: hello-world
name: hello-world
spec:
replicas: 3
selector:
matchLabels:
run: hello-world
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
labels:
run: hello-world
spec:
containers:
- image: us.icr.io/earlyprogramimages/hello-world:1
imagePullPolicy: Always
name: hello-world
ports:
- containerPort: 80
protocol: TCP
imagePullSecrets:
- name: icr
dnsPolicy: ClusterFirst
restartPolicy: Always
securityContext: {}
terminationGracePeriodSeconds: 30
I get status of ErrImagePull
for each of the pods where the event stack is
Successfully assigned default/hello-world-6fd8bd67dc-79gbz to xx.xx.xx.xx
Pulling image "us.icr.io/earlyprogramimages/hello-world:1
Failed to pull image "us.icr.io/earlyprogramimages/hello-world:1": rpc error: code = Unknown desc = failed to pull and unpack image "us.icr.io/earlyprogramimages/hello-world:1": failed to resolve reference "us.icr.io/earlyprogramimages/hello-world:1": failed to authorize: failed to fetch anonymous token: unexpected status: 401 Unauthorized
Error: ErrImagePull
Clearly the command doesn't have read access to image, but I have logged in successfully using
ibmcloud cr login
and can deploy a pod using the imperative create command.
I have been through the documentation, but can't determine which step I have overlooked. What are the extra steps needed which grant the appropriate access for the declarative apply command?
Running
kubectl get secrets -n default | grep "icr-io"
gives
kubectl get secrets -n default | grep "icr-io"
all-icr-io kubernetes.io/dockerconfigjson 1 167m
default-au-icr-io kubernetes.io/dockerconfigjson 1 167m
default-de-icr-io kubernetes.io/dockerconfigjson 1 167m
default-icr-io kubernetes.io/dockerconfigjson 1 167m
default-jp-icr-io kubernetes.io/dockerconfigjson 1 167m
default-uk-icr-io kubernetes.io/dockerconfigjson 1 167m
default-us-icr-io kubernetes.io/dockerconfigjson 1 167m
3条答案
按热度按时间vohkndzv1#
下面是我所做的,
如您所见,
all-icr-io
是集群中提供的默认映像拉取密钥。* 不确定您为何使用icr
*默认情况下,IBM Cloud Kubernetes集群被设置为仅从IBM Cloud Container Registry中您的帐户名称空间提取映像,方法是在默认名称空间中使用秘密
all-icr-io
。请查看此处的文档,将现有映像提取机密复制到非默认命名空间
我的
hello-world-create
看起来像这样我的
hello-world-apply.yaml
是以下是成功配置
yaml
文件后的结果imzjd6km2#
请访问https://cloud.ibm.com/docs/containers?topic=containers-registry#cluster_registry_auth了解可能出现错误的详细信息。需要检查的一些事项:
1.您是否有IAM策略来授予您对容器注册表的访问权限?
kubectl get secrets -n default | grep "icr-io"
是否显示任何提取机密?如果没有,请按照上面的doc链接修复它。hmae6n7t3#
我也遇到过这个问题,但在Azure上。我尝试了所有方法,但没有任何帮助,或者已经这样配置了。对我有效的是降级我的Linux版本。经过大量的挖掘,我发现Azure Kubernetes服务运行在16和18上,所以我选择了其中一个版本,它起作用了。