关于使用容器镜像仓库的方法,请参考容器镜像仓库帮助文档。
例:注册表为myregistry,镜像仓库为myrepo,镜像版本号为latest,地域选择华北-北京为cn-north-1。用户可根据具体情况修改。
对于2020年7月1号以后新建集群用户不再需要手工创建令牌 对于2020年7月1号以后新建集群用户,集群已经默认集成了jdcloud-jcr-credential-cron任务自动拉取和更新镜像仓库的令牌,不再需要参考文档中手工创建令牌的方法 运行kubectl get secrets可以看到jcr-pull-secret 用户直接使用该令牌即可 例:
apiVersion: extensions/v1beta1 #1.16集群请换成 apiVersion: apps/v1
kind: Deployment
metadata:
labels:
run: nginx
name: nginx
spec:
replicas: 1
selector:
matchLabels:
run: nginx
template:
metadata:
labels:
run: nginx
spec:
containers:
- image: myregistry-cn-north-1.jcr.service.jdcloud.com/myrepo:latest
imagePullPolicy: Always
name: nginx
imagePullSecrets:
- name: jcr-pull-secret
对于一次性使用,临时令牌有效期内有效,有一定时效性
该方案只能实现某个注册表下的所有容器镜像的获取权限。
1、获取临时令牌,Docker客户端登录命令中,-p后面的一串字符串为docker-password的内容:
例:Docker客户端登录命令:docker login -u jdcloud -p cWj36rigll1J2k8u 1227-cn-north-1.jcr.service.jdcloud.com。即cWj36rigll1J2k8u为docker-password内容。
2、创建命名为my-secret的secret,执行以下命令,相关内容需要根据情况进行修改:
kubectl create secret docker-registry my-secret --docker-server=myregistry-cn-north-1.jcr.service.jdcloud.com --docker-username=jdcloud --docker-password=cWj36rigll1J2k8u --docker-email=l****@jd.com
例
apiVersion: extensions/v1beta1 #1.16集群请换成 apiVersion: apps/v1
kind: Deployment
metadata:
labels:
run: nginx
name: nginx
spec:
replicas: 1
selector:
matchLabels:
run: nginx
template:
metadata:
labels:
run: nginx
spec:
containers:
- image: myregistry-cn-north-1.jcr.service.jdcloud.com/myrepo:latest
imagePullPolicy: Always
name: nginx
imagePullSecrets:
- name: my-secret
对于长期使用,自动获取容器镜像仓库登录权限
该方案可以实现对该账户下所有注册表的容器镜像的获取权限。
1、把用户的Access Key和Access Key Secret进行base 64位编码:
printf 22BC1***********02C8C | base64 #22BC1***********02C8C为Access Key、Access Key Secret
输出内容即为Access Key和Access Key Secret进行base 64位编码:
2、创建secret.yaml文件:
vi secret.yaml
内容如下:
apiVersion: v1 kind: Secret metadata: name: c-tokens-fresher-secret type: Opaque data: ak: NE*******************xQjk= #需要修改成用户Access Key的base64位编码 sk: RU*******************4QTE= #需要修改成用户的Access Key Secret的base64编码
vi cronjob.yaml
内容如下:
apiVersion: batch/v1
kind: Job
metadata:
name: init-jcr-token-refresher
spec:
template:
metadata:
name: init-jcr-token-refresher
spec:
serviceAccountName: jcr-credential
restartPolicy: Never
hostNetwork: true
containers:
- name: init-jcr-token-refresher
env:
- name: ACCESS_KEY
valueFrom:
secretKeyRef:
name: c-tokens-fresher-secret
key: ak
- name: SECRET_KEY
valueFrom:
secretKeyRef:
name: c-tokens-fresher-secret
key: sk
imagePullPolicy: IfNotPresent
image: jdcloud-cn-north-1.jcr.service.jdcloud.com/jdcloudiaas/jcrtoken:cronjob-14.6
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: jcr-credential
namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: jcr-credential-rbac
subjects:
- kind: ServiceAccount
name: jcr-credential
namespace: default
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: jdcloud-jcr-credential-cron
spec:
schedule: "*/5 * * * *"
successfulJobsHistoryLimit: 2
failedJobsHistoryLimit: 2
jobTemplate:
spec:
backoffLimit: 4
template:
spec:
serviceAccountName: jcr-credential
terminationGracePeriodSeconds: 0
restartPolicy: Never
hostNetwork: true
containers:
- name: jcr-token-refresher
env:
- name: ACCESS_KEY
valueFrom:
secretKeyRef:
name: c-tokens-fresher-secret
key: ak
- name: SECRET_KEY
valueFrom:
secretKeyRef:
name: c-tokens-fresher-secret
key: sk
imagePullPolicy: IfNotPresent
image: jdcloud-cn-north-1.jcr.service.jdcloud.com/jdcloudiaas/jcrtoken:cronjob-14.6
4、执行以下命令,运行:
kubectl create -f secret.yaml kubectl create -f cronjob.yaml
例:
apiVersion: extensions/v1beta1 #1.16集群请换成 apiVersion: apps/v1
kind: Deployment
metadata:
labels:
run: nginx
name: nginx
spec:
replicas: 1
selector:
matchLabels:
run: nginx
template:
metadata:
labels:
run: nginx
spec:
containers:
- image: myregistry-cn-north-1.jcr.service.jdcloud.com/myrepo:latest
imagePullPolicy: Always
name: nginx
imagePullSecrets:
- name: jcr-pull-secret