问题
I am trying to install Kubernetes 1.9.0 on a cluster of CentOS 7.3 systems running in VMware Workstation on Windows 7, following the "kubernetes-the-hard-way tutorial". When I get to the verification stage in the tutorial and try to start the busybox deployment (https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/master/docs/12-dns-addon.md), the pod status remains stuck at "ContainerCreating".
The kubelet log for the node that the pod supposed to run on shows these error messages:
failed to get sandbox image \"gcr.io/google_containers/pause:3.0\":
failed to pull image \"gcr.io/google_containers/pause:3.0\":
failed to pull image \"gcr.io/google_containers/pause:3.0\":
httpReaderSeeker: failed open: failed to do request:
Get https://storage.googleapis.com/artifacts.google-containers.appspot.com/containers/images/sha256:f112334343777b75be77ec1f835e3bbbe7d7bd46e27b6a2ae35c6b3cfea0987c: x509: certificate signed by unknown authority
I added both of those domains to the list of insecure registries in /etc/docker/daemon.json:
{
"insecure-registries" : ["gcr.io"],
"insecure-registries" : ["googleapis.com"]
}
Docker is able to pull the image from the command line:
docker pull gcr.io/google_containers/pause:3.0
Trying to pull repository gcr.io/google_containers/pause ...
3.0: Pulling from gcr.io/google_containers/pause
a3ed95caeb02: Pull complete
f11233434377: Pull complete
Digest: sha256:0d093c962a6c2dd8bb8727b661e2b5f13e9df884af9945b4cc7088d9350cd3ee
Any ideas why the kubelet is unable to pull the image?
Thanks, TI
回答1:
The syntax for this in daemon.json is
"insecure-registries" : ["gcr.io" , "googleapis.com"]
"Also depending of the registries you are accessing, you may have to perform a "kubectl create secret docker-registry ..." action as explained here
Finally, you may have to define the certificate to docker by creating a new directory in /etc/docker/certs.d containing the certificates as explained here
来源:https://stackoverflow.com/questions/48611756/kubelet-failed-to-pull-image-x509-certificate-signed-by-unknown-authority