1、容器镜像仓库Harbor部署
-
在docker主机部署Harbor,安装过程比较简单
-
在k8s集群中部署Harbor
2、使用Harbor仓库
2.1 通过secret使用Harbor仓库
新建私有仓库
集权所有节点配置harbor仓库
# cat /etc/docker/daemon.json
{
"exec-opts": ["native.cgroupdriver=systemd"],
"insecure-registries": ["http://192.168.16.132"]
}
# systemctl restart docker
harbor服务器上传镜像到仓库上
# docker pull nginx:1.15-alpine
docker.io/library/nginx:1.15-alpine
# docker login 192.168.16.132
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
# docker tag nginx:1.15-alpine 192.168.16.132/test/nginx:v1
# docker push 192.168.16.132/test/nginx:v1
创建secret-registry类型的secret
# kubectl create secret docker-registry harbor-secret --docker-server=192.168.16.132 --docker-username=admin --docker-password=12345
创建Pod并使用secret
# cat pod-harbor.yml
apiVersion: v1
kind: Pod
metadata:
name: pod-harbor
spec:
containers:
- name: c1
image: 192.168.16.132/test/nginx:v1
imagePullSecrets:
- name: harbor-secret
2.2 通过serviceaccount使用Harbor仓库
创建serviceaccount
# cat serviceaccount-harbor-sa.yml
apiVersion: v1
kind: ServiceAccount
metadata:
name: harbor-sa
修改serviceaccoun添加使用harbor-secret
# kubectl patch serviceaccount harbor-sa -n default -p '{"imagePullSecrets": [{"name": "harbor-secret"}]}'
# kubectl describe sa harbor-sa
Name: harbor-sa
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: harbor-secret
Mountable secrets: harbor-sa-token-gshff
Tokens: harbor-sa-token-gshff
Events: <none>
创建Pod使用serviceaccount
# cat pod-harbor.yml
apiVersion: v1
kind: Pod
metadata:
name: pod-harbor
spec:
serviceAccount: harbor-sa
containers:
- name: c1
image: 192.168.16.132/test/nginx:v1