私有注册表

本指南讨论如何将 kind 与需要身份验证的镜像注册表一起使用。

有多种方法可以做到这一点，我们将在本文档中进行介绍。

目录 🔗︎

使用 ImagePullSecrets 🔗︎

Kubernetes 支持配置 pod 以使用 imagePullSecrets 来拉取镜像。如果可能，这是首选且最可移植的路线。

请参阅上游 Kubernetes 文档，kind 不需要任何特殊处理即可使用它。

如果您已经在本地拥有配置文件，但仍想使用密钥，请阅读 Kubernetes 文档以了解如何从文件创建密钥。

拉取到主机并侧载 🔗︎

kind 可以从主机加载镜像，使用 kind load ... 命令。如果您在主机上配置了凭据以拉取所需的镜像，然后将它们加载到节点，则可以避免在节点上进行身份验证。

将凭据添加到节点 🔗︎

通常，使用私有注册表的上游文档适用，在 kind 中，有两种方法可以做到这一点。

将配置文件挂载到每个节点 🔗︎

如果您在主机上预先创建了一个包含凭据的 docker config.json 文件，则可以将其挂载到每个 kind 节点。

假设您的文件位于 /path/to/my/secret.json，则 kind 配置将为


`kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 nodes: - role: control-plane extraMounts: - containerPath: /var/lib/kubelet/config.json hostPath: /path/to/my/secret.json`

使用访问令牌 🔗︎

可以在运行时以编程方式将凭据添加到节点。

如果您这样做，则必须在每个节点上重新启动 kubelet 以获取新的凭据。

在主机上使用访问令牌生成 gcr.io 凭据文件的示例 shell 代码段

#!/bin/sh set -o errexit # 目标集群名称；默认值为“kind” KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:-kind}" # 为 docker 配置创建一个临时文件 echo "正在创建临时 docker 客户端配置目录..." DOCKER_CONFIG=$(mktemp -d) export DOCKER_CONFIG trap 'echo "Removing ${DOCKER_CONFIG}/*" && rm -rf ${DOCKER_CONFIG:?}' EXIT echo "正在创建临时 config.json" # 这是为了强制省略 credsStore，credsStore 会在支持的系统上自动创建。 # 如果缺少 credsStore，则“docker login”会将密码存储在 config.json 文件中。 # https://docs.docker.net.cn/engine/reference/commandline/login/#credentials-store cat <<EOF >"${DOCKER_CONFIG}/config.json" { "auths": { "gcr.io": {} } } EOF # 使用访问令牌登录 DOCKER_CONFIG 中的 gcr # https://cloud.google.com/container-registry/docs/advanced-authentication#access_token echo "正在使用临时 docker 客户端配置目录登录 GCR..." gcloud auth print-access-token | \ docker login -u oauth2accesstoken --password-stdin https://gcr.io # 在每个节点上设置凭据 echo "正在将凭据移动到 kind 集群名称='${KIND_CLUSTER_NAME}' 节点..." for node in $(kind get nodes --name "${KIND_CLUSTER_NAME}"); do # -oname 格式为 kind/name（因此为 node/name）我们只需要 name node_name=${node#node/} # 将配置复制到 kubelet 将查找的位置 docker cp "${DOCKER_CONFIG}/config.json" "${node_name}:/var/lib/kubelet/config.json" # 重新启动 kubelet 以获取配置 docker exec "${node_name}" systemctl restart kubelet.service done echo "完成！"

examples/kind-gcr.sh
#!/bin/sh set -o errexit # desired cluster name; default is "kind" KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:-kind}" # create a temp file for the docker config echo "Creating temporary docker client config directory ..." DOCKER_CONFIG=$(mktemp -d) export DOCKER_CONFIG trap 'echo "Removing ${DOCKER_CONFIG}/*" && rm -rf ${DOCKER_CONFIG:?}' EXIT echo "Creating a temporary config.json" # This is to force the omission of credsStore, which is automatically # created on supported system. With credsStore missing, "docker login" # will store the password in the config.json file. # https://docs.docker.net.cn/engine/reference/commandline/login/#credentials-store cat <<EOF >"${DOCKER_CONFIG}/config.json" { "auths": { "gcr.io": {} } } EOF # login to gcr in DOCKER_CONFIG using an access token # https://cloud.google.com/container-registry/docs/advanced-authentication#access_token echo "Logging in to GCR in temporary docker client config directory ..." gcloud auth print-access-token \| \ docker login -u oauth2accesstoken --password-stdin https://gcr.io # setup credentials on each node echo "Moving credentials to kind cluster name='${KIND_CLUSTER_NAME}' nodes ..." for node in $(kind get nodes --name "${KIND_CLUSTER_NAME}"); do # the -oname format is kind/name (so node/name) we just want name node_name=${node#node/} # copy the config to where kubelet will look docker cp "${DOCKER_CONFIG}/config.json" "${node_name}:/var/lib/kubelet/config.json" # restart kubelet to pick up the config docker exec "${node_name}" systemctl restart kubelet.service done echo "Done!"

examples/kind-gcr.sh

#!/bin/sh
set -o errexit

# desired cluster name; default is "kind"
KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:-kind}"

# create a temp file for the docker config
echo "Creating temporary docker client config directory ..."
DOCKER_CONFIG=$(mktemp -d)
export DOCKER_CONFIG
trap 'echo "Removing ${DOCKER_CONFIG}/*" && rm -rf ${DOCKER_CONFIG:?}' EXIT

echo "Creating a temporary config.json"
# This is to force the omission of credsStore, which is automatically
# created on supported system. With credsStore missing, "docker login"
# will store the password in the config.json file.
# https://docs.docker.net.cn/engine/reference/commandline/login/#credentials-store
cat <<EOF >"${DOCKER_CONFIG}/config.json"
{
 "auths": { "gcr.io": {} }
}
EOF
# login to gcr in DOCKER_CONFIG using an access token
# https://cloud.google.com/container-registry/docs/advanced-authentication#access_token
echo "Logging in to GCR in temporary docker client config directory ..."
gcloud auth print-access-token | \
  docker login -u oauth2accesstoken --password-stdin https://gcr.io

# setup credentials on each node
echo "Moving credentials to kind cluster name='${KIND_CLUSTER_NAME}' nodes ..."
for node in $(kind get nodes --name "${KIND_CLUSTER_NAME}"); do
  # the -oname format is kind/name (so node/name) we just want name
  node_name=${node#node/}
  # copy the config to where kubelet will look
  docker cp "${DOCKER_CONFIG}/config.json" "${node_name}:/var/lib/kubelet/config.json"
  # restart kubelet to pick up the config
  docker exec "${node_name}" systemctl restart kubelet.service
done

echo "Done!"

使用服务帐户 🔗︎

访问令牌的有效期很短，因此您可能更喜欢使用服务帐户和密钥文件。首先，从控制台下载密钥或使用 gcloud 生成密钥

gcloud iam service-accounts keys create <output.json> --iam-account <account email>

然后，将访问令牌代码段中的 gcloud auth print-access-token | ... 行替换为

cat <output.json> | docker login -u _json_key --password-stdin https://gcr.io

有关密钥文件身份验证的更多详细信息，请参阅 Google 的上游文档。

使用证书 🔗︎

如果您有一个使用证书进行身份验证的注册表，并且证书和密钥都位于您的主机文件夹中，则可以将它们挂载到 containerd 插件中，并修补默认配置，例如以下示例


kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 nodes: - role: control-plane # This option mounts the host docker registry folder into # the control-plane node, allowing containerd to access them. extraMounts: - containerPath: /etc/docker/certs.d/registry.dev.example.com hostPath: /etc/docker/certs.d/registry.dev.example.com containerdConfigPatches: - \|- [plugins."io.containerd.grpc.v1.cri".registry.configs."registry.dev.example.com".tls] cert_file = "/etc/docker/certs.d/registry.dev.example.com/ba_client.cert" key_file = "/etc/docker/certs.d/registry.dev.example.com/ba_client.key"

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
  - role: control-plane
    # This option mounts the host docker registry folder into
    # the control-plane node, allowing containerd to access them. 
    extraMounts:
      - containerPath: /etc/docker/certs.d/registry.dev.example.com
        hostPath: /etc/docker/certs.d/registry.dev.example.com
containerdConfigPatches:
  - |-
    [plugins."io.containerd.grpc.v1.cri".registry.configs."registry.dev.example.com".tls]
      cert_file = "/etc/docker/certs.d/registry.dev.example.com/ba_client.cert"
      key_file  = "/etc/docker/certs.d/registry.dev.example.com/ba_client.key"