TLS: Image Pull Verification Failed
Documentation
- https://github.com/containerd/containerd/blob/main/docs/hosts.md#cri
- https://github.com/containerd/containerd/blob/main/docs/hosts.md#bypass-tls-verification-example
- https://github.com/containerd/containerd/blob/main/docs/cri/config.md#registry-configuration
Problem Description
- `kubectl -n <namespace> get pods` shows the Pod status as `ImagePullBackOff`
- The certificate of the registry domain that Kubernetes pulls the image from is not trusted on the current system, so the image cannot be pulled

```shell
tls: failed to verify certificate: x509: certificate signed by unknown authority
```

```shell
[root@anolis-7-7 ~]# kubectl describe pod test
......
Events:
  Type     Reason     Age   From               Message
  ----     ------     ----  ----               -------
  Normal   Scheduled  3s    default-scheduler  Successfully assigned default/test to k8s-1
  Normal   Pulling    2s    kubelet            Pulling image "xuxiaowei.io/cn-com-xuxiaowei/dynamic-ho-spring-boot2:0.0.1-SNAPSHOT-20240923082744-2"
  Warning  Failed     2s    kubelet            Failed to pull image "xuxiaowei.io/cn-com-xuxiaowei/dynk-relay-spring-boot2:0.0.1-SNAPSHOT-20240923082744-2": failed to pull and unpack image "xuxiaowei.io/cxiaowei/dynamic-hook-relay-spring-boot2:0.0.1-SNAPSHOT-20240923082744-2": failed to resolve reference ei.io/cn-com-xuxiaowei/dynamic-hook-relay-spring-boot2:0.0.1-SNAPSHOT-20240923082744-2": failed to do Head "https://xuxiaowei.io/v2/cn-com-xuxiaowei/dynamic-hook-relay-spring-boot2/manifests/0.0.1-SNAPSH923082744-2": tls: failed to verify certificate: x509: certificate signed by unknown authority
  Warning  Failed     2s    kubelet            Error: ErrImagePull
  Normal   BackOff    1s    kubelet            Back-off pulling image "xuxiaowei.io/cn-com-xuxiaowei/dook-relay-spring-boot2:0.0.1-SNAPSHOT-20240923082744-2"
  Warning  Failed     1s    kubelet            Error: ImagePullBackOff
[root@anolis-7-7 ~]#
```
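Solution
Tip
- The steps below use a TLS verification failure when Kubernetes pulls images from the `xuxiaowei.io` domain as the example
- If the registry uses a port, the configuration below must include the port, for example: `xuxiaowei.io:8443`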
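Check the `config_path` setting in the `containerd` configuration file `/etc/containerd/config.toml`

```shell
cat /etc/containerd/config.toml | grep config_path
```

Create the `/etc/containerd/certs.d` directory

```shell
sudo mkdir -p /etc/containerd/certs.d
```

Set `config_path` to `/etc/containerd/certs.d`, then restart `containerd`

```shell
systemctl restart containerd
```

Create the configuration file for the domain's certificate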
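
The trust configuration this procedure leads up to, as an added example that is not from the original page: it checks `config_path` and writes a `hosts.toml` that trusts the registry's CA certificate instead of turning verification off. The function names, the `ca.crt` file name and the CA source path are assumptions.

```shell
#!/bin/sh
# Added example; write_hosts_toml, config_path_ok and the ca.crt file name are
# assumptions, not names from the original page.

# config_path_ok CONFIG_TOML CERTS_DIR
# Succeeds only if an uncommented config_path line points at CERTS_DIR.
# An empty value (config_path = "") does not point containerd at certs.d.
config_path_ok() {
    grep -Eq "^[[:space:]]*config_path[[:space:]]*=[[:space:]]*[\"']$2[\"']" "$1"
}

# write_hosts_toml CERTS_DIR REGISTRY CA_FILE
# Writes CERTS_DIR/REGISTRY/hosts.toml so containerd trusts CA_FILE for REGISTRY.
# REGISTRY carries the port when there is one, e.g. xuxiaowei.io:8443.
write_hosts_toml() {
    certs_dir=$1 registry=$2 ca_file=$3
    # Reject a wrong path or a non-PEM file before touching the configuration.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file" 2>/dev/null || {
        echo "not a PEM certificate: $ca_file" >&2
        return 1
    }
    mkdir -p "$certs_dir/$registry" || return 1
    cp "$ca_file" "$certs_dir/$registry/ca.crt" || return 1
    cat > "$certs_dir/$registry/hosts.toml" <<EOF
server = "https://$registry"

[host."https://$registry"]
  capabilities = ["pull", "resolve"]
  # Trust the registry's CA: certificate verification stays enabled.
  ca = "$certs_dir/$registry/ca.crt"
  # skip_verify = true   # bypass variant: turns verification off, avoid
EOF
}

# Usage on a node (run as root; /root/registry-ca.crt is a placeholder path):
#   config_path_ok /etc/containerd/config.toml /etc/containerd/certs.d || echo "fix config_path first"
#   write_hosts_toml /etc/containerd/certs.d xuxiaowei.io /root/registry-ca.crt
```

The commented `skip_verify = true` line is the bypass that the linked `hosts.md` section describes; leaving it commented keeps the registry's certificate checked against the CA on every pull.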