github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-31 07:20:13 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #18777 from erictune/image-doc-fix

Browse Source 
Auto commit by PR queue bot
This commit is contained in:
k8s-merge-robot 2015-12-18 10:37:19 -08:00
commit ae2fbc6daf
3 changed files with 31 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
docs/user-guide/images.md
View File

@ -105,18 +105,18 @@ with credentials for Google Container Registry. You cannot use this approach.
will not work reliably on GCE, and any other cloud provider that does automatic will not work reliably on GCE, and any other cloud provider that does automatic
node replacement. node replacement.
Docker stores keys for private registries in the `$HOME/.dockercfg` file. If you put this Docker stores keys for private registries in the `$HOME/.dockercfg` or `$HOME/.docker/config.json` file. If you put this
in the `$HOME` of `root` on a kubelet, then docker will use it. in the `$HOME` of user `root` on a kubelet, then docker will use it.
Here are the recommended steps to configuring your nodes to use a private registry. In this Here are the recommended steps to configuring your nodes to use a private registry. In this
example, run these on your desktop/laptop: example, run these on your desktop/laptop:
1. run `docker login [server]` for each set of credentials you want to use. 1. run `docker login [server]` for each set of credentials you want to use. This updates `$HOME/.docker/config.json`.
1. view `$HOME/.dockercfg` in an editor to ensure it contains just the credentials you want to use. 1. view `$HOME/.docker/config.json` in an editor to ensure it contains just the credentials you want to use.
1. get a list of your nodes, for example: 1. get a list of your nodes, for example:
- if you want the names: `nodes=$(kubectl get nodes -o jsonpath='{range.items[*].metadata}{.name} {end}')` - if you want the names: `nodes=$(kubectl get nodes -o jsonpath='{range.items[*].metadata}{.name} {end}')`
- if you want to get the IPs: `nodes=$(kubectl get nodes -o jsonpath='{range .items[*].status.addresses[?(@.type=="ExternalIP")]}{.address} {end}')` - if you want to get the IPs: `nodes=$(kubectl get nodes -o jsonpath='{range .items[*].status.addresses[?(@.type=="ExternalIP")]}{.address} {end}')`
1. copy your local `.dockercfg` to the home directory of root on each node. 1. copy your local `.docker/config.json` to the home directory of root on each node.
- for example: `for n in $nodes; do scp ~/.dockercfg root@$n:/root/.dockercfg; done` - for example: `for n in $nodes; do scp ~/.docker/config.json root@$n:/root/.docker/config.json; done`
Verify by creating a pod that uses a private image, e.g.: Verify by creating a pod that uses a private image, e.g.:
@ -153,12 +153,12 @@ $ kubectl describe pods/private-image-test-1 | grep "Failed"
``` ```
You must ensure all nodes in the cluster have the same `.dockercfg`. Otherwise, pods will run on You must ensure all nodes in the cluster have the same `.docker/config.json`. Otherwise, pods will run on
some nodes and fail to run on others. For example, if you use node autoscaling, then each instance some nodes and fail to run on others. For example, if you use node autoscaling, then each instance
template needs to include the `.dockercfg` or mount a drive that contains it. template needs to include the `.docker/config.json` or mount a drive that contains it.
All pods will have read access to images in any private registry once private All pods will have read access to images in any private registry once private
registry keys are added to the `.dockercfg`. registry keys are added to the `.docker/config.json`.
**This was tested with a private docker repository as of 26 June with Kubernetes version v0.19.3. **This was tested with a private docker repository as of 26 June with Kubernetes version v0.19.3.
It should also work for a private registry such as quay.io, but that has not been tested.** It should also work for a private registry such as quay.io, but that has not been tested.**
@ -190,21 +190,21 @@ where node creation is automated.
Kubernetes supports specifying registry keys on a pod. Kubernetes supports specifying registry keys on a pod.
First, create a `.dockercfg`, such as running `docker login <registry.domain>`. First, create a `.docker/config.json`, such as by running `docker login <registry.domain>`.
Then put the resulting `.dockercfg` file into a [secret resource](secrets.md). For example: Then put the resulting `.docker/config.json` file into a [secret resource](secrets.md). For example:
```console ```console
$ docker login $ docker login
Username: janedoe Username: janedoe
Password: ●●●●●●●●●●● Password: ●●●●●●●●●●●
Email: jdoe@example.com Email: jdoe@example.com
WARNING: login credentials saved in /Users/jdoe/.dockercfg. WARNING: login credentials saved in /Users/jdoe/.docker/config.json.
Login Succeeded Login Succeeded
$ echo $(cat ~/.dockercfg) $ echo $(cat ~/.docker/config.json)
{ "https://index.docker.io/v1/": { "auth": "ZmFrZXBhc3N3b3JkMTIK", "email": "jdoe@example.com" } } { "https://index.docker.io/v1/": { "auth": "ZmFrZXBhc3N3b3JkMTIK", "email": "jdoe@example.com" } }
$ cat ~/.dockercfg | base64 $ cat ~/.docker/config.json | base64
eyAiaHR0cHM6Ly9pbmRleC5kb2NrZXIuaW8vdjEvIjogeyAiYXV0aCI6ICJabUZyWlhCaGMzTjNiM0prTVRJSyIsICJlbWFpbCI6ICJqZG9lQGV4YW1wbGUuY29tIiB9IH0K eyAiaHR0cHM6Ly9pbmRleC5kb2NrZXIuaW8vdjEvIjogeyAiYXV0aCI6ICJabUZyWlhCaGMzTjNiM0prTVRJSyIsICJlbWFpbCI6ICJqZG9lQGV4YW1wbGUuY29tIiB9IH0K
$ cat > /tmp/image-pull-secret.yaml <<EOF $ cat > /tmp/image-pull-secret.yaml <<EOF
@ -213,20 +213,19 @@ kind: Secret
metadata: metadata:
name: myregistrykey name: myregistrykey
data: data:
.dockercfg: eyAiaHR0cHM6Ly9pbmRleC5kb2NrZXIuaW8vdjEvIjogeyAiYXV0aCI6ICJabUZyWlhCaGMzTjNiM0prTVRJSyIsICJlbWFpbCI6ICJqZG9lQGV4YW1wbGUuY29tIiB9IH0K .dockerconfigjson: eyAiaHR0cHM6Ly9pbmRleC5kb2NrZXIuaW8vdjEvIjogeyAiYXV0aCI6ICJabUZyWlhCaGMzTjNiM0prTVRJSyIsICJlbWFpbCI6ICJqZG9lQGV4YW1wbGUuY29tIiB9IH0K
type: kubernetes.io/dockercfg type: kubernetes.io/dockerconfigjson
EOF EOF
$ kubectl create -f /tmp/image-pull-secret.yaml $ kubectl create -f /tmp/image-pull-secret.yaml
secrets/myregistrykey secrets/myregistrykey
$
``` ```
If you get the error message `error: no objects passed to create`, it may mean the base64 encoded string is invalid. If you get the error message `error: no objects passed to create`, it may mean the base64 encoded string is invalid.
If you get an error message like `Secret "myregistrykey" is invalid: data[.dockercfg]: invalid value ...` it means If you get an error message like `Secret "myregistrykey" is invalid: data[.dockerconfigjson]: invalid value ...` it means
the data was successfully un-base64 encoded, but could not be parsed as a dockercfg file. the data was successfully un-base64 encoded, but could not be parsed as a `.docker/config.json` file.
This process only needs to be done one time (per namespace). This process needs to be done one time per namespace, or to any non-default service accounts you create.
Now, you can create pods which reference that secret by adding an `imagePullSecrets` Now, you can create pods which reference that secret by adding an `imagePullSecrets`
section to a pod definition. section to a pod definition.
@ -253,7 +252,7 @@ pulled using imagePullSecrets. That is, imagePullSecrets does *NOT* protect you
images from being seen by other users in the cluster. Our intent images from being seen by other users in the cluster. Our intent
is to fix that. is to fix that.
You can use this in conjunction with a per-node `.dockerfile`. The credentials You can use this in conjunction with a per-node `.docker/config.json`. The credentials
will be merged. This approach will work on Google Container Engine (GKE). will be merged. This approach will work on Google Container Engine (GKE).
### Use Cases ### Use Cases
@ -269,7 +268,7 @@ common use cases and suggested solutions.
visible to all cluster users. visible to all cluster users.
- Use a hosted private [Docker registry](https://docs.docker.com/registry/) - Use a hosted private [Docker registry](https://docs.docker.com/registry/)
- may be hosted on the [Docker Hub](https://hub.docker.com/account/signup/), or elsewhere. - may be hosted on the [Docker Hub](https://hub.docker.com/account/signup/), or elsewhere.
- manually configure .dockercfg on each node as described above - manually configure .docker/config.json on each node as described above
- Or, run an internal private registry behind your firewall with open read access. - Or, run an internal private registry behind your firewall with open read access.
- no Kubernetes configuration required - no Kubernetes configuration required
- Or, when on GCE/GKE, use the project's Google Container Registry. - Or, when on GCE/GKE, use the project's Google Container Registry.

16
docs/user-guide/production-pods.md
View File

@ -155,21 +155,21 @@ For more details, see the [secrets document](secrets.md), [example](secrets/) an
Secrets can also be used to pass [image registry credentials](images.md#using-a-private-registry). Secrets can also be used to pass [image registry credentials](images.md#using-a-private-registry).
First, create a `.dockercfg` file, such as running `docker login <registry.domain>`. First, create a `.docker/config.json`, such as by running `docker login <registry.domain>`.
Then put the resulting `.dockercfg` file into a [secret resource](secrets.md). For example: Then put the resulting `.docker/config.json` file into a [secret resource](secrets.md). For example:
```console ```console
$ docker login $ docker login
Username: janedoe Username: janedoe
Password: ●●●●●●●●●●● Password: ●●●●●●●●●●●
Email: jdoe@example.com Email: jdoe@example.com
WARNING: login credentials saved in /Users/jdoe/.dockercfg. WARNING: login credentials saved in /Users/jdoe/.docker/config.json.
Login Succeeded Login Succeeded
$ echo $(cat ~/.dockercfg) $ echo $(cat ~/.docker/config.json)
{ "https://index.docker.io/v1/": { "auth": "ZmFrZXBhc3N3b3JkMTIK", "email": "jdoe@example.com" } } { "https://index.docker.io/v1/": { "auth": "ZmFrZXBhc3N3b3JkMTIK", "email": "jdoe@example.com" } }
$ cat ~/.dockercfg | base64 $ cat ~/.docker/config.json | base64
eyAiaHR0cHM6Ly9pbmRleC5kb2NrZXIuaW8vdjEvIjogeyAiYXV0aCI6ICJabUZyWlhCaGMzTjNiM0prTVRJSyIsICJlbWFpbCI6ICJqZG9lQGV4YW1wbGUuY29tIiB9IH0K eyAiaHR0cHM6Ly9pbmRleC5kb2NrZXIuaW8vdjEvIjogeyAiYXV0aCI6ICJabUZyWlhCaGMzTjNiM0prTVRJSyIsICJlbWFpbCI6ICJqZG9lQGV4YW1wbGUuY29tIiB9IH0K
$ cat > /tmp/image-pull-secret.yaml <<EOF $ cat > /tmp/image-pull-secret.yaml <<EOF
@ -178,11 +178,11 @@ kind: Secret
metadata: metadata:
name: myregistrykey name: myregistrykey
data: data:
.dockercfg: eyAiaHR0cHM6Ly9pbmRleC5kb2NrZXIuaW8vdjEvIjogeyAiYXV0aCI6ICJabUZyWlhCaGMzTjNiM0prTVRJSyIsICJlbWFpbCI6ICJqZG9lQGV4YW1wbGUuY29tIiB9IH0K .dockerconfigjson: eyAiaHR0cHM6Ly9pbmRleC5kb2NrZXIuaW8vdjEvIjogeyAiYXV0aCI6ICJabUZyWlhCaGMzTjNiM0prTVRJSyIsICJlbWFpbCI6ICJqZG9lQGV4YW1wbGUuY29tIiB9IH0K
type: kubernetes.io/dockercfg type: kubernetes.io/dockerconfigjson
EOF EOF
$ kubectl create -f ./image-pull-secret.yaml $ kubectl create -f /tmp/image-pull-secret.yaml
secrets/myregistrykey secrets/myregistrykey
``` ```

2
docs/user-guide/service-accounts.md
View File

@ -168,7 +168,7 @@ Next, verify it has been created. For example:
```console ```console
$ kubectl get secrets myregistrykey $ kubectl get secrets myregistrykey
NAME TYPE DATA NAME TYPE DATA
myregistrykey kubernetes.io/dockercfg 1 myregistrykey kubernetes.io/.dockerconfigjson 1
``` ```
Next, read/modify/write the service account for the namespace to use this secret as an imagePullSecret Next, read/modify/write the service account for the namespace to use this secret as an imagePullSecret