Bar*_*rak 6 kubernetes aws-ecr
Step 1: sudo $(aws ecr get-login --no-include-email --region xx-xxxx-x)
Step 2: curl -LSs https://github.com/fermayo/ecr-k8s-secret/raw/master/gen-secret.sh | bash -
Step 3: kubectl describe secret aws-ecr-credentials
Name: aws-ecr-credentials
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/dockerconfigjson
Data
.dockerconfigjson: 32 bytes
Step 4: kubectl describe pod x
Warning  Failed  5s  kubelet, ip-10-46-250-151  Failed to pull image "my-account.dkr.ecr.us-east-1.amazonaws.com/my-image:latest": rpc error: code = Unknown desc = Error response from daemon: Get https://my-account.dkr.ecr.us-east-1.amazonaws.com/my-image/latest: no basic auth credentials
Why can't the pod pull the image?
Bar*_*rak 13
Created a script that pulls the token from AWS ECR:
#!/bin/bash
ACCOUNT=xxxxxxxxxxxx
REGION=xx-xxxx-x
SECRET_NAME=${REGION}-ecr-registry
EMAIL=email@email.com

#
# Fetch the ECR authorization token; it decodes to "AWS:<password>", keep the password part
#
TOKEN=$(aws ecr --region="$REGION" get-authorization-token --output text \
  --query 'authorizationData[].authorizationToken' | base64 -d | cut -d: -f2)

#
# Create or replace registry secret
#
kubectl delete secret --ignore-not-found "$SECRET_NAME"
kubectl create secret docker-registry "$SECRET_NAME" \
  --docker-server="https://${ACCOUNT}.dkr.ecr.${REGION}.amazonaws.com" \
  --docker-username=AWS \
  --docker-password="${TOKEN}" \
  --docker-email="${EMAIL}"
And created a Linux cronjob to run it every 10 hours.
Your deployment manifest needs to specify that the container registry credentials are in a secret. This is as simple as adding imagePullSecrets:
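apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-name
spec:
  selector:
    matchLabels:
      app: deployment-name   # placeholder label; must match the template labels
  template:
    metadata:
      labels:
        app: deployment-name
    spec:
      containers:
      - name: container-name   # placeholder container name
        image: your-registry/image/name:tag
      # imagePullSecrets belongs to the pod spec, next to containers
      imagePullSecrets:
      - name: secret-name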
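The secret in the question reports `.dockerconfigjson: 32 bytes`, which is too small to hold an entry keyed by an ECR registry host, so it is worth checking what a pull secret actually contains before blaming the kubelet. The following is an added example, not part of the original posts: `check_pull_secret` and the sample payloads are constructed for illustration, and the registry host is the placeholder used in the question.

```python
import base64
import json


def check_pull_secret(dockerconfigjson: bytes, registry: str) -> list:
    """Return a list of problems found in a decoded .dockerconfigjson payload."""
    try:
        cfg = json.loads(dockerconfigjson)
    except ValueError:
        return ["payload is not valid JSON"]
    auths = cfg.get("auths") if isinstance(cfg, dict) else None
    if not isinstance(auths, dict) or not auths:
        return ["no 'auths' entries: the secret carries no credentials"]
    # Registry keys may be stored with or without the https:// scheme.
    entry = next((v for k, v in auths.items()
                  if k.split("://", 1)[-1].rstrip("/") == registry), None)
    if not isinstance(entry, dict):
        return [f"no entry for {registry} (found: {sorted(auths)})"]
    user, password = entry.get("username"), entry.get("password")
    if entry.get("auth"):
        # 'auth' is base64("username:password") and takes precedence here.
        try:
            decoded = base64.b64decode(entry["auth"]).decode()
        except ValueError:
            return ["'auth' field is not valid base64 text"]
        user, _, password = decoded.partition(":")
    problems = []
    if user != "AWS":
        problems.append(f"username is {user!r}, ECR expects 'AWS'")
    if not password:
        problems.append("password (the ECR token) is empty")
    return problems


# Constructed sample payloads (placeholder registry host, fake token).
REGISTRY = "my-account.dkr.ecr.us-east-1.amazonaws.com"
EMPTY = b'{"auths": {}}'
OTHER_REGION = json.dumps({"auths": {
    "https://my-account.dkr.ecr.eu-west-1.amazonaws.com":
        {"username": "AWS", "password": "constructed-token"}}}).encode()
GOOD = json.dumps({"auths": {"https://" + REGISTRY: {
    "username": "AWS", "password": "constructed-token",
    "auth": base64.b64encode(b"AWS:constructed-token").decode()}}}).encode()

if __name__ == "__main__":
    for label, payload in (("empty", EMPTY), ("other region", OTHER_REGION),
                           ("good", GOOD)):
        print(label, "->", check_pull_secret(payload, REGISTRY) or "ok")
```

To check a live secret, pass the function the output of `kubectl get secret aws-ecr-credentials -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d`.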