Environment:
RKE2 version:
v1.25.12+rke2r1
Node CPU architecture, operating system and version:
Linux rancher-k8s-master01 4.4.243-1.el7.elrepo.x86_64 #1 SMP Wed Nov 11 09:29:54 EST 2020 x86_64 x86_64 x86_64 GNU/Linux
Cluster configuration:
1 Control Plane, Etcd
2 Workers
Problem description:
After configuring /etc/rancher/rke2/registries.yaml, the pod reports this error:
"harbor.jgdt.com.cn/rancher/nginx:latest": failed to resolve reference "harbor.jgdt.com.cn/rancher/nginx:latest": failed to do request: Head "https://harbor.jgdt.com.cn/v2/rancher/nginx/manifests/latest": tls: failed to verify certificate: x509: certificate signed by unknown authority
Steps to reproduce:
- Command used to install RKE2:
Configure the private registry address on the worker:
cat > /etc/rancher/rke2/registries.yaml << EOF
system-default-registry: "harbor.jgdt.com.cn:443"
mirrors:
  docker.io:
    endpoint:
      - "https://harbor.jgdt.com.cn"
configs:
  "harbor.jgdt.com.cn":
    auth:
      username: admin # this is the registry username
      password: Harbor12345 # this is the registry password
    tls:
      cert_file: /data/cert/jgdt.com.cn.cert # path to the cert file used to authenticate to the registry
      key_file: /data/cert/jgdt.com.cn.key # path to the key file for the certificate used to authenticate to the registry
      ca_file: /data/cert/ca.crt # path to the ca file used to verify the registry's certificate
      insecure_skip_verify: true # skip certificate verification
EOF
YAML used to create the pod:
cat nginx.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: harbor.jgdt.com.cn/rancher/nginx
        ports:
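Expected result:
The pod pulls the image from the private Harbor registry normally and the pod is created
Actual result:
The pod can pull the image from the private Harbor registry normally, Back-off pulling image "harbor.jgdt.com.cn/rancher/nginx"
Warning Failed 18s (x2 over 19s) kubelet Error: ImagePullBackOff
Logs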
[root@rancher-k8s-master01 manifests]# kubectl describe po nginx-deployment-79cb65b59-ksxt7
Name:             nginx-deployment-79cb65b59-ksxt7
Namespace:        default
Priority:         0
Service Account:  default
Node:             rancher-k8s-worker01/9.110.187.96
Start Time:       Mon, 28 Aug 2023 21:48:21 +0800
Labels:           app=nginx
                  pod-template-hash=79cb65b59
Annotations:      cni.projectcalico.org/containerID: 4f25c7cb47653f8156258ad007f9b4dd2f243397aa9d1ab4eec1554567fcc80c
                  cni.projectcalico.org/podIP: 10.42.1.18/32
                  cni.projectcalico.org/podIPs: 10.42.1.18/32
Status:           Pending
IP:               10.42.1.18
IPs:
  IP:           10.42.1.18
Controlled By:  ReplicaSet/nginx-deployment-79cb65b59
Containers:
  nginx:
    Container ID:
    Image:          harbor.jgdt.com.cn/rancher/nginx
    Image ID:
    Port:           <none>
    Host Port:      <none>
    State:          Waiting
      Reason:       ImagePullBackOff
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-vcwt5 (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  kube-api-access-vcwt5:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason     Age                From               Message
  ----     ------     ----               ----               -------
  Normal   Scheduled  20s                default-scheduler  Successfully assigned default/nginx-deployment-79cb65b59-ksxt7 to rancher-k8s-worker01
  Normal   BackOff    18s (x2 over 19s)  kubelet            Back-off pulling image "harbor.jgdt.com.cn/rancher/nginx"
  Warning  Failed     18s (x2 over 19s)  kubelet            Error: ImagePullBackOff
  Normal   Pulling    6s (x2 over 20s)   kubelet            Pulling image "harbor.jgdt.com.cn/rancher/nginx"
  Warning  Failed     6s (x2 over 20s)   kubelet            Failed to pull image "harbor.jgdt.com.cn/rancher/nginx": rpc error: code = Unknown desc = failed to pull and unpack image "harbor.jgdt.com.cn/rancher/nginx:latest": failed to resolve reference "harbor.jgdt.com.cn/rancher/nginx:latest": failed to do request: Head "https://harbor.jgdt.com.cn/v2/rancher/nginx/manifests/latest": tls: failed to verify certificate: x509: certificate signed by unknown authority
  Warning  Failed     6s (x2 over 20s)   kubelet            Error: ErrImagePull
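
An offline reproduction of the "certificate signed by unknown authority" condition in the log above, added here as an example and not part of the original post: it checks whether a server certificate chains to the CA stored in the file that `ca_file` points to. The CA names, the host `harbor.example.test` and all helper functions are assumptions made for illustration, and every key and certificate is constructed in a temporary directory.

```bash
#!/usr/bin/env bash
# Added example: all keys and certificates below are constructed test data.

# make_ca DIR NAME: create a self-signed CA (DIR/NAME.crt, DIR/NAME.key).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_leaf DIR CA HOST: issue DIR/HOST.crt for HOST, signed by CA.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
}

# chain_ok CA_FILE CERT: succeed only if CERT chains to a CA in CA_FILE.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# diagnose CA_FILE CERT: print "trusted", or the issuer that CA_FILE lacks.
diagnose() {
  if chain_ok "$1" "$2"; then
    echo "trusted"
  else
    echo "unknown authority, $(openssl x509 -in "$2" -noout -issuer)"
  fi
}

# Constructed scenario: the registry certificate is issued by harbor-ca, but
# the file used as ca_file holds a different CA (other-ca).
demo() {
  d=$(mktemp -d)
  make_ca "$d" harbor-ca && make_ca "$d" other-ca
  make_leaf "$d" harbor-ca harbor.example.test
  echo "ca_file=harbor-ca: $(diagnose "$d/harbor-ca.crt" "$d/harbor.example.test.crt")"
  echo "ca_file=other-ca:  $(diagnose "$d/other-ca.crt" "$d/harbor.example.test.crt")"
  rm -rf "$d"
}
demo

# Against a real registry, save the served leaf certificate first, e.g.:
#   openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null \
#     | openssl x509 -out served.crt
# then run: diagnose /path/to/ca.crt served.crt
```

The check covers a leaf signed directly by the CA; a registry that serves intermediate certificates needs them passed to `openssl verify` with `-untrusted`.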