This post summarizes the procedure I followed, as a learning exercise, to create a Kubernetes pod from an image stored in the GitLab container registry (the red part in the figure below). The image pulled for the trial contains nginx.
Prerequisites:
・ A Kubernetes cluster has already been built
・ GitLab has already been built

Versions in the environment I tried:
・ CentOS: 7.3
・ Kubernetes: 1.18.2
・ Calico: 3.13.3
・ Docker: 1.13.1-109
・ GitLab: 11.6.8
Reference documents:
https://docs.docker.com/registry/insecure/
https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
As a preparation, place the certificate and set the access information to the container registry.
Place the certificate to access the container registry from Docker.
Run on each K8s node:

```shell
# sudo mkdir -p /etc/docker/certs.d/registry.test01.com
# sudo cp cert.crt /etc/docker/certs.d/registry.test01.com/ca.crt
```

cert.crt: the certificate used to access the GitLab container registry.
If the certificate you placed is self-signed, Docker additionally had to be configured to accept that registry:

/etc/docker/daemon.json
```json
{
  "insecure-registries": ["registry.test01.com"]
}
```

Restart Docker for the change to take effect.

```shell
systemctl restart docker
```
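The two settings above are not equivalent: a `ca.crt` under `/etc/docker/certs.d/<host>/` makes Docker trust the self-signed certificate while still verifying TLS, whereas `insecure-registries` tells Docker to ignore certificate errors for that host and to fall back to plain HTTP if HTTPS is unavailable (see the Docker registry page linked above). The following audit script is an added example, not code from the original post; it reads a constructed `daemon.json` and a throwaway `certs.d` tree built in a temp directory (the function names `audit_registry_trust`, `registries_with_ca` and `demo` are my own) and reports, per registry host, which of the two mechanisms is actually in effect.

```python
import json
import os
import tempfile

# Constructed sample of /etc/docker/daemon.json (not copied from a real host).
DAEMON_JSON = '{"insecure-registries": ["registry.test01.com", "registry.test02.com:5000"]}'


def registries_with_ca(certs_dir):
    """Return the set of registry hosts that have <certs_dir>/<host>/ca.crt."""
    found = set()
    if not os.path.isdir(certs_dir):
        return found
    for host in os.listdir(certs_dir):
        if os.path.isfile(os.path.join(certs_dir, host, "ca.crt")):
            found.add(host)
    return found


def audit_registry_trust(daemon_json_text, certs_dir):
    """Classify each registry by how Docker will treat its TLS connection.

    verified:            ca.crt present, host NOT in insecure-registries ->
                         TLS is verified against the placed CA.
    insecure_with_ca:    ca.crt present but host ALSO listed as insecure ->
                         certificate errors are ignored and HTTP fallback is
                         allowed, so the placed CA is not what protects pulls.
    insecure_without_ca: listed as insecure and no CA placed at all.
    """
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    insecure = set(cfg.get("insecure-registries", []))
    with_ca = registries_with_ca(certs_dir)
    return {
        "verified": sorted(with_ca - insecure),
        "insecure_with_ca": sorted(with_ca & insecure),
        "insecure_without_ca": sorted(insecure - with_ca),
    }


def demo():
    """Build a temporary certs.d tree mirroring the layout above and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        certs_dir = os.path.join(tmp, "certs.d")
        host_dir = os.path.join(certs_dir, "registry.test01.com")
        os.makedirs(host_dir)
        with open(os.path.join(host_dir, "ca.crt"), "w") as f:
            # Constructed placeholder; a real ca.crt is PEM from the registry's CA.
            f.write("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
        return audit_registry_trust(DAEMON_JSON, certs_dir)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real node, point `certs_dir` at `/etc/docker/certs.d` and pass the contents of `/etc/docker/daemon.json`. A host reported as `insecure_with_ca` is the configuration this post ends up with; per the Docker documentation the `ca.crt` alone should be sufficient, and a pull that only works with the insecure entry usually means the placed certificate does not match what the registry presents (wrong file, or a hostname that differs from the one in the image reference).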
Register the information for accessing the container registry in K8s. First, log in to the container registry from Docker.
On the k8s master node:

```shell
# docker login registry.test01.com
Username: <Username when accessing the container registry>
Password: <Password corresponding to the above user name>
Login Succeeded
```
Check the config.json file generated by the above login.
```shell
# cat ~/.docker/config.json
{
  "auths": {
    "registry.test01.com": {
      "auth": "***************************="
    }
  }
}
```
Create a Secret in the cluster that holds the registry credentials.

```shell
# kubectl create secret docker-registry regcred --docker-server=registry.test01.com --docker-username=<Container registry username> --docker-password=<Password corresponding to the container registry username>
secret/regcred created
```
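To show what the `regcred` Secret actually contains, here is an added example (not code from the original post) that builds the same object `kubectl create secret docker-registry` produces and decodes it back. The credentials are constructed placeholders, and the function names `docker_auth`, `build_registry_secret` and `inspect_registry_secret` are my own.

```python
import base64
import json

# Constructed credentials for illustration only.
REGISTRY = "registry.test01.com"
USERNAME = "registry-user"
PASSWORD = "example-password"


def docker_auth(username, password):
    """The 'auth' value Docker stores in config.json: base64 of 'user:password'."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def build_registry_secret(name, server, username, password):
    """Equivalent of:
      kubectl create secret docker-registry <name> --docker-server=<server>
          --docker-username=<username> --docker-password=<password>
    The result is a Secret of type kubernetes.io/dockerconfigjson whose single
    data key, .dockerconfigjson, is a base64-encoded Docker config.json.
    """
    dockercfg = {
        "auths": {
            server: {
                "username": username,
                "password": password,
                "auth": docker_auth(username, password),
            }
        }
    }
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {
            ".dockerconfigjson": base64.b64encode(json.dumps(dockercfg).encode()).decode()
        },
    }


def inspect_registry_secret(secret):
    """Decode a dockerconfigjson Secret and return {registry: username}.

    This is the same decoding as
      kubectl get secret regcred -o jsonpath='{.data.\\.dockerconfigjson}' | base64 -d
    The data is base64-encoded, not encrypted: the password is recoverable
    by anyone allowed to read Secrets in the namespace.
    """
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a kubernetes.io/dockerconfigjson Secret")
    dockercfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    users = {}
    for server, entry in dockercfg["auths"].items():
        user, _, _ = base64.b64decode(entry["auth"]).decode().partition(":")
        users[server] = user
    return users


if __name__ == "__main__":
    secret = build_registry_secret("regcred", REGISTRY, USERNAME, PASSWORD)
    print(json.dumps(secret, indent=2))
    print(inspect_registry_secret(secret))
```

Because the Secret is the registry password in a reversible encoding, RBAC read access on Secrets in the namespace is the effective boundary for it; a registry-side deploy token scoped to read-only image access limits what that Secret is worth.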
Define a Service that exposes the container over the network, and a Pod that uses the container image.

Create the access definition for the pod as follows. It maps external port 30080 to nginx's port 80 inside the container.

testapp01-svc.yaml
```yaml
apiVersion: v1
kind: Service
metadata:
  name: testapp01-np
spec:
  selector:
    app: testapp01      # Must match the pod's label
  ports:
  - targetPort: 80      # Port the container listens on (nginx)
    port: 8080
    nodePort: 30080     # Port used for external access: http://<node IP>:<this port>
    protocol: "TCP"
  type: NodePort
```
Apply the above file.
```shell
# kubectl apply -f testapp01-svc.yaml
```
Check the application result.
```shell
# kubectl get services testapp01-np
NAME           TYPE       CLUSTER-IP    EXTERNAL-IP   PORT(S)          AGE
testapp01-np   NodePort   xx.xx.xx.xx   <none>        8080:30080/TCP   4d2h
```
Create a pod manifest file as shown below.

testapp01.yaml
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: testapp01
  labels:
    app: testapp01      # Label the Service selector matches on
spec:
  containers:
  - name: testapp01-container
    image: registry.test01.com/test/testapp01:latest   # Image to deploy
    ports:
    - containerPort: 80   # Port the app listens on inside the container
  imagePullSecrets:
  - name: regcred         # Secret created in the preparation step
```
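The Service and Pod above only work together if three things line up: the Service `selector` matches the Pod `labels`, the `targetPort` is a `containerPort` some container exposes, and an image from a private registry has an `imagePullSecrets` entry. As an added example (not part of the original post), the checker below reads both manifests as JSON, which `kubectl apply` accepts as well as YAML, and reports any mismatch; it also flags a `nodePort` outside the kube-apiserver default range 30000–32767. The function names `check_service_pod`, `load_manifests` and `check_page_manifests` are my own.

```python
import json

# The two manifests from the post, written as JSON.
SERVICE_JSON = """
{
  "apiVersion": "v1",
  "kind": "Service",
  "metadata": {"name": "testapp01-np"},
  "spec": {
    "selector": {"app": "testapp01"},
    "ports": [{"targetPort": 80, "port": 8080, "nodePort": 30080, "protocol": "TCP"}],
    "type": "NodePort"
  }
}
"""

POD_JSON = """
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "testapp01", "labels": {"app": "testapp01"}},
  "spec": {
    "containers": [{
      "name": "testapp01-container",
      "image": "registry.test01.com/test/testapp01:latest",
      "ports": [{"containerPort": 80}]
    }],
    "imagePullSecrets": [{"name": "regcred"}]
  }
}
"""

NODE_PORT_RANGE = (30000, 32767)  # kube-apiserver default --service-node-port-range


def load_manifests():
    """Return fresh (service, pod) dicts so callers can mutate them freely."""
    return json.loads(SERVICE_JSON), json.loads(POD_JSON)


def check_service_pod(service, pod):
    """Return a list of problems that would stop the Service reaching the Pod
    or stop the Pod pulling its image. An empty list means they line up."""
    problems = []
    spec = service["spec"]
    pod_spec = pod["spec"]

    # 1. Every selector key/value must be present on the pod.
    labels = pod["metadata"].get("labels", {})
    for key, value in spec.get("selector", {}).items():
        if labels.get(key) != value:
            problems.append(f"selector {key}={value} does not match pod label {key}={labels.get(key)!r}")

    # 2. targetPort must be a containerPort (or port name) of some container.
    exposed = set()
    for c in pod_spec["containers"]:
        for p in c.get("ports", []):
            exposed.add(p["containerPort"])
            if "name" in p:
                exposed.add(p["name"])
    for p in spec.get("ports", []):
        target = p.get("targetPort", p["port"])  # targetPort defaults to port
        if target not in exposed:
            problems.append(f"targetPort {target} is not exposed by any container")
        if spec.get("type") == "NodePort" and "nodePort" in p:
            lo, hi = NODE_PORT_RANGE
            if not lo <= p["nodePort"] <= hi:
                problems.append(f"nodePort {p['nodePort']} is outside the default range {lo}-{hi}")

    # 3. An image whose first path component is a registry host (contains '.'
    #    or ':' or is 'localhost', Docker's own rule) needs imagePullSecrets.
    secrets = [s["name"] for s in pod_spec.get("imagePullSecrets", [])]
    for c in pod_spec["containers"]:
        first = c["image"].split("/", 1)[0]
        is_registry_host = "." in first or ":" in first or first == "localhost"
        if is_registry_host and not secrets:
            problems.append(f"image {c['image']} is pulled from {first} but the pod has no imagePullSecrets")
    return problems


def check_page_manifests():
    """Run the checks over the manifests from the post."""
    return check_service_pod(*load_manifests())


if __name__ == "__main__":
    print(check_page_manifests() or "manifests are consistent")
```

The same checks are worth running before `kubectl apply` whenever the label or port is edited in only one of the two files, since a selector typo produces a Service with no endpoints rather than an error, and a missing `imagePullSecrets` shows up only later as an `ImagePullBackOff` on the pod.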
Apply the above file.
```shell
# kubectl create -f testapp01.yaml
pod/testapp01 created
```
Make sure the pod is "Running".
```shell
# kubectl get pod testapp01
NAME        READY   STATUS    RESTARTS   AGE
testapp01   1/1     Running   0          4s
```
Finally, access the app to check that it works. I opened the following URL from a browser outside the cluster and confirmed the response.

```
http://[IP of the node on which the pod is running]:30080
```
It took a long time to investigate because I had to work around the self-signed certificate, but I was able to link GitLab, the container registry, and K8s relatively easily.