minikube x509:由身份不明的机构签署的证书
minikube x509:由身份不明的机构签署的证书
提问于 2020-10-26 06:38:45
我正在使用minikube和kubectl为mongo创建一个RC。我正在使用公司的VPN。
通过RC命令创建kubectl create -f ./rc/mongo-rc.yaml。
在使用kubectl describe pod mongo-5zttk命令时获得以下kubernetes事件:
...
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 7m18s default-scheduler Successfully assigned default/mongo-5zttk to minikube
Normal Pulling 5m42s (x4 over 7m17s) kubelet, minikube Pulling image "mongo"
Warning Failed 5m40s (x4 over 7m15s) kubelet, minikube Failed to pull image "mongo": rpc error: code = Unknown desc = Error response from daemon: Get https://registry-1.docker.io/v2/library/mongo/manifests/latest: Get https://auth.docker.io/token?scope=repository%3Alibrary%2Fmongo%3Apull&service=registry.docker.io: x509: certificate signed by unknown authority
Warning Failed 5m40s (x4 over 7m15s) kubelet, minikube Error: ErrImagePull
Normal BackOff 5m29s (x6 over 7m15s) kubelet, minikube Back-off pulling image "mongo"
Warning Failed 2m8s (x21 over 7m15s) kubelet, minikube Error: ImagePullBackOff当我尝试使用curl访问网址时:
⚡ curl https://registry-1.docker.io/v2/library/mongo/manifests/latest
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"library/mongo","Action":"pull"}]}]}我可以成功地从停靠中心注册表中提取mongo:latest映像。
⚡ docker pull mongo:latest
latest: Pulling from library/mongo
Digest: sha256:efc408845bc917d0b7fd97a8590e9c8d3c314f58cee651bd3030c9cf2ce9032d
Status: Image is up to date for mongo:latest
docker.io/library/mongo:latest环境信息:
- 迷你版: v1.14.1
- kubectl
- 客户端版本: v1.18.8
- 服务器版本: v1.19.2
- 操作系统: macOS 10.13.6
我读过医生:proxy/#x509-certificate-signed-by-unknown-authority。解决方案是要求IT部门提供适当的PEM文件。如果我找不到PEM文件,有什么解决办法吗?例如使用一些命令标志:--skip-verify-cert
更新:
mongo-rc.yaml
apiVersion: v1
kind: ReplicationController
metadata:
name: mongo
spec:
replicas: 1
selector:
app: mongo
template:
metadata:
labels:
app: mongo
spec:
containers:
- name: mongo
image: mongo
ports:
- containerPort: 27017
env:
- name: MONGO_ROOT_PASSWORD
value: "123456"回答 2
Stack Overflow用户
发布于 2020-10-26 07:45:06
您应该能够使用--insecure-registry标志,但是您可能需要重新创建迷你库集群才能工作。
minikube start --insecure-registry="registry-1.docker.io"Stack Overflow用户
发布于 2022-10-18 15:24:56
尝试了很多东西,只有一个是为我工作的:
- 在shell中输入MK容器,创建一个文件(用于ex /root/docker.sh),其中包含以下条目:
update-ca-certificates --fresh
openssl s_client -showcerts -verify 5 -connect k8s.gcr.io:443 < /dev/null 2>/dev/null | openssl x509 -outform PEM | tee ~/k8s.gcr.io.crt
openssl s_client -showcerts -verify 5 -connect registry-1.docker.io:443 < /dev/null 2>/dev/null | openssl x509 -outform PEM | tee ~/registry-1.docker.io.crt
openssl s_client -showcerts -verify 5 -connect auth.docker.io:443 < /dev/null 2>/dev/null | openssl x509 -outform PEM | tee ~/auth.docker.io.crt
cp ~/k8s.gcr.io.crt /usr/local/share/ca-certificates/
cp ~/registry-1.docker.io.crt /usr/local/share/ca-certificates/
cp ~/auth.docker.io.crt /usr/local/share/ca-certificates/
update-ca-certificates
# service docker restart- 只执行一次,或者将执行安全地添加到码头启动(/etc/init.d/ docker )
...
case "$1" in
start)
# <add-following-line>
/root/./docker.sh
# </add-following-line>
check_init
fail_unless_root
cgroupfs_mount
..页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/64532470
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号