Harbor Registry：无法在 Kubernetes 中拉取镜像

Question

我建立了一个 Harbour 注册表，现在已经成功运行了几个星期。对于每个部署和命名空间，我都有一个秘密，其中包含来自我的 ~/.docker/config.json 文件的凭据，以访问注册表。自上周末以来，我无法再从该注册表中提取图像，并且我没有更改任何内容！集群在 GKE v1.12.5 btw 上运行。

什么有效？ 我可以从我的本地机器女巫码头拉和推图像。

什么不起作用？ 我的 Kubernetes 集群无法再拉取镜像并超时运行。

Events:
  Type     Reason          Age                  From                                                       Message
  ----     ------          ----                 ----                                                       -------
  Normal   Scheduled       13m                  default-scheduler                                          Successfully assigned k8s-test7/nginx-k8s-test7-6f7b8fdd79-2ffmp to gke-k8s-cloudops-test-default-pool-72fccd21-hrhk
  Normal   SandboxChanged  12m                  kubelet, gke-k8s-cloudops-test-default-pool-72fccd21-hrhk  Pod sandbox changed, it will be killed and re-created.
  Warning  Failed          11m (x3 over 12m)    kubelet, gke-k8s-cloudops-test-default-pool-72fccd21-hrhk  Failed to pull image "core.k8s-harbor-test.my-domain.com/nginx-test/nginx:1.15.10": rpc error: code = Unknown desc = Error response from daemon: Get https://core.k8s-harbor-test.my-domain.com/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
  Warning  Failed          11m (x3 over 12m)    kubelet, gke-k8s-cloudops-test-default-pool-72fccd21-hrhk  Error: ErrImagePull
  Normal   BackOff         11m (x7 over 12m)    kubelet, gke-k8s-cloudops-test-default-pool-72fccd21-hrhk  Back-off pulling image "core.k8s-harbor-test.my-domain.com/nginx-test/nginx:1.15.10"
  Normal   Pulling         10m (x4 over 13m)    kubelet, gke-k8s-cloudops-test-default-pool-72fccd21-hrhk  pulling image "core.k8s-harbor-test.my-domain.com/nginx-test/nginx:1.15.10"
  Warning  Failed          3m2s (x38 over 12m)  kubelet, gke-k8s-cloudops-test-default-pool-72fccd21-hrhk  Error: ImagePullBackOff

deployment.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-k8s-test7
  namespace: k8s-test7
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx-k8s-test7
    spec:
      containers:
      - name: nginx-k8s-test7
        image: core.k8s-harbor-test.my-domain.com/nginx-test/nginx:1.15.10
        volumeMounts:
          - name: webcontent
            mountPath: /usr/share/nginx/html
        ports:
        - containerPort: 80
      volumes:
        - name: webcontent
          configMap:
            name: webcontent
      imagePullSecrets:
      - name: harborcred
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: webcontent
  namespace: k8s-test7
  annotations:
    volume.alpha.kubernetes.io/storage-class: default
spec:
  accessModes: [ReadWriteOnce]
  resources:
    requests:
      storage: 5Gi

秘密“harborcred”是每个命名空间的一部分，以便部署可以访问它。该秘密是根据 Kubernetes 文档创建的：

https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

kubectl create secret generic harborcred \
    --from-file=.dockerconfigjson=~/.docker/config.json \
    --type=kubernetes.io/dockerconfigjson \
    --namespace=k8s-test7

任何帮助将不胜感激！

Answer 1

您好，请先看看：

1. 更改图像源并使用一些公共的 f.e. nginx 验证您的部署没有其他问题。
   
2. https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ 还提供有关检查“秘密”的更多详细信息。
   
3. 还请直接从您的节点执行与连接相关的其他测试，如本文所述 [How to debug "ImagePullBackOff"?

查找根本原因的其他步骤：

1. Convert your secrets data:
kubectl get secret harborcred -n k8s-test7 --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode 2. Compare the result of decoding your "auth" field from the 1 step with your docker credentials using:
echo "your auth data" | base64 --decode 3. To find the root cause please use also: kubectl get events -n k8s-test7 | grep pull

请与您的日志分享。