Kubernetes: configuring a Secret to access a private Harbor image registry

1. Configuring a Kubernetes pod to access private Harbor

When a yaml file references an image from the private Harbor registry, the pull fails with a 401 Unauthorized error unless a secret has been created.

Here, as an example, we run an nginx pod in Kubernetes that pulls the nginx image from the private Harbor project named kubernetes, and list the steps for configuring a pod to access private Harbor.

  • 1. Add a hosts entry on the machine that has the Docker environment and log in to Harbor
vim /etc/hosts
# Add:
172.16.108.7   harbor domain name

docker login harbor domain name
Username: ******
Password: ****** 
  • 2. Pull the nginx image from the official Docker Hub, re-tag it and push it to the local Harbor
# Search and download images
docker search nginx
docker pull nginx
# Re-tag it for the kubernetes project in the local Harbor
docker tag nginx:latest harbor domain name/kubernetes/nginx:latest
# Push the image to the kubernetes project, a private project in Harbor
docker push harbor domain name/kubernetes/nginx:latest
  • 3. In the kubernetes project (a private project in Harbor), create a new robot account and choose its permissions. Pull permission alone is generally sufficient.

  • 4. Create a secret from the username and token generated for the new robot account
    The Kubernetes cluster uses a secret of type docker-registry to authenticate to the registry and pull private images

kubectl create secret docker-registry docker-registry-creds --docker-server="harbor domain name" \
  --docker-email=test@test.com \
  --docker-username='******' \
  --docker-password='******'

Note:

--docker-server is the fully qualified domain name (FQDN) of the private Docker registry.
--docker-username is the robot account's username; it needs to be enclosed in single quotes, because Harbor robot usernames contain a $ that the shell would otherwise try to expand.
--docker-password is the token generated for the robot account; it needs to be enclosed in single quotes.
--docker-email is the Docker email address (not required).
This stores the Docker credentials in a secret named docker-registry-creds.
  • 5. Create the nginx pod
vim nginx.yaml

apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  containers:
  - name: nginx
    image: harbor domain name/kubernetes/nginx:latest
    ports:
    - containerPort: 80
  imagePullSecrets:
    - name: docker-registry-creds

imagePullSecrets references the docker-registry-creds secret created above.

# View the created secret
kubectl get secrets
# Create the nginx pod
kubectl apply -f nginx.yaml
# View the created pods
kubectl get pods
# View the details of the nginx pod
kubectl describe pod nginx

With this, the yaml file that creates the pod can use an image from the private Harbor project.

2. Different namespaces with different secrets: a pod uses its namespace's secret to access private Harbor

In many cases, namespaces are used to implement multi-tenant resource isolation. By assigning the resource objects in the cluster to different namespaces, different projects, groups or user groups are logically separated, so that each group can be managed separately while still sharing the resources of the whole cluster.

If no namespace is specified, the pod, RC and service created by the user are placed by the system in the namespace named default.

Here, taking a namespace named test-namespace and a secret named test-secret as an example, we list the steps for creating different namespaces and using different secrets to access the private Harbor registry.

  • 1. Create a namespace

Command mode creation:

kubectl create namespace test-namespace
kubectl get namespaces

yaml file creation:

vim test-namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: test-namespace
  labels:
    name: test-namespace

kubectl apply -f test-namespace.yaml
# or
kubectl create -f test-namespace.yaml
  • 2. Create a robot account named test-secret on the Harbor page

  • 3. By default, a secret is created in the default namespace, so pass -n to create it in test-namespace

# Create command
kubectl create secret docker-registry test-secret --docker-server="harbor domain name" \
  --docker-email=test@test.com \
  --docker-username='******' \
  --docker-password='******' \
  -n test-namespace

# --all-namespaces lists the secrets in every namespace
kubectl get secrets --all-namespaces
# -n lists the secrets in the specified namespace
kubectl get secrets -n test-namespace

Note: the value of .dockerconfigjson contains the username and password used to log in to Harbor. It is only base64-encoded, not encrypted, so anyone who is allowed to read the secret can recover the robot token with the following command:

kubectl get secret test-secret -n test-namespace --output="jsonpath={.data.\.dockerconfigjson}"|base64 -d

# The output is
{"auths":{"harbor.pwesports.net":{"username":"robot$kubernetes+test-secret","password":"jjFu85zTNG6AOSvfoNzPU7pt95v0LmIB","email":"zhangyiwen117968@pwrd.com","auth":"cm9ib3Qka3ViZXJuZXRlcyt0ZXN0LXNlY3JldDpqakZ1ODV6VE5HNkFPU3Zmb056UFU3cHQ5NXYwTG1JQg=="}}}
  • 4. When creating the nginx pod in this namespace, use imagePullSecrets to reference the test-secret just created in test-namespace
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: test-namespace
  labels:
    app: nginx
spec:
  containers:
  - name: nginx
    image: harbor.pwesports.net/kubernetes/nginx:latest
    ports:
    - containerPort: 80
  imagePullSecrets:
    - name: test-secret

# View pod
kubectl get pods -n test-namespace

The nginx pod is created successfully. Other pods are created in the same way, which gives resource isolation and permission control across namespaces.
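The docker-registry secret created in step 4 of section 1 and decoded in step 3 above is just a base64-wrapped .dockerconfigjson. The following added example (not from the original post) builds that Secret manifest offline so it can be versioned and applied to any namespace with kubectl apply, and decodes it back the way the command above does. It assumes POSIX sh with the coreutils base64; the server, account and token values are constructed placeholders.

```shell
#!/bin/sh
# Build a kubernetes.io/dockerconfigjson Secret, equivalent to
# `kubectl create secret docker-registry`, without touching the cluster.

b64() { printf '%s' "$1" | base64 | tr -d '\n'; }   # single-line base64

# Escape the two characters that would break a JSON string literal.
json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# dockerconfigjson SERVER USERNAME PASSWORD EMAIL -> the JSON kubectl stores;
# "auth" is base64("username:password"), which is what the kubelet sends.
dockerconfigjson() {
  printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")" \
    "$(json_escape "$4")" "$(b64 "$2:$3")"
}

# pull_secret_manifest NAME NAMESPACE SERVER USERNAME PASSWORD EMAIL -> Secret YAML
pull_secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(b64 "$(dockerconfigjson "$3" "$4" "$5" "$6")")
EOF
}

# decode_auth MANIFEST -> "username:password" recovered from the manifest.
# This is the same two-step base64 decode as `kubectl get secret ... | base64 -d`,
# and it shows why read access to the secret is equivalent to holding the token.
decode_auth() {
  printf '%s\n' "$1" | sed -n 's/^  \.dockerconfigjson: //p' | base64 -d \
    | sed 's/.*"auth":"\([^"]*\)".*/\1/' | base64 -d
}

# Constructed placeholder credential (not a real Harbor robot account).
SAMPLE=$(pull_secret_manifest test-secret test-namespace harbor.example.test \
  'robot$kubernetes+test-secret' 'placeholder-token' test@test.com)
```

Pipe the manifest into `kubectl apply -f -` to create the secret; the robot username keeps its `$` because it is single-quoted.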

3. Using kubectl patch to associate the secret automatically

The steps above give resource isolation and permission control by using different secrets to access the private Harbor registry in different namespaces, but every pod must reference the secret of its namespace through the imagePullSecrets field, which is inconvenient. The kubectl patch command can associate the namespace with its secret so that this repetitive work is avoided.

Taking test-namespace and test-secret as examples, the command that associates them is:

kubectl patch serviceaccount default -n test-namespace -p '{"imagePullSecrets":[{"name":"test-secret"}]}'

# View Details:
kubectl get pod nginx -n test-namespace -o yaml

spec:
  containers:
  - image: harbor.pwesports.net/kubernetes/nginx:latest
    imagePullPolicy: Always
    name: nginx
    ports:
    - containerPort: 80
      protocol: TCP
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-zwvwv
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  imagePullSecrets:
  - name: test-secret

In this way, pods created in this namespace no longer need to specify the secret. Note that the patch only covers pods that run under the patched default ServiceAccount; a pod that sets its own serviceAccountName needs that ServiceAccount patched in the same way.
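The patch above sends the complete imagePullSecrets list for one ServiceAccount. The following added example (not from the original post) builds that list from what is already attached, so adding a second registry secret does not drop the first, and applies it to every ServiceAccount in the namespace rather than only default. It assumes POSIX sh and kubectl on PATH; the namespace and secret names are placeholders.

```shell
#!/bin/sh
# merge_patch "existing names, space separated" NEW_NAME -> JSON patch body
# that keeps the existing secrets and adds NEW_NAME once (idempotent).
merge_patch() {
  names=""
  for n in $1 "$2"; do
    case " $names " in
      *" $n "*) ;;                 # already present, skip the duplicate
      *) names="$names $n" ;;
    esac
  done
  items=""
  for n in $names; do
    items="$items${items:+,}{\"name\":\"$n\"}"
  done
  printf '{"imagePullSecrets":[%s]}' "$items"
}

# attach_pull_secret NAMESPACE SECRET: patch each ServiceAccount in the namespace
# with a list that preserves whatever imagePullSecrets it already carries.
attach_pull_secret() {
  ns=$1; secret=$2
  for sa in $(kubectl get serviceaccounts -n "$ns" -o jsonpath='{.items[*].metadata.name}'); do
    current=$(kubectl get serviceaccount "$sa" -n "$ns" -o jsonpath='{.imagePullSecrets[*].name}')
    kubectl patch serviceaccount "$sa" -n "$ns" -p "$(merge_patch "$current" "$secret")"
  done
}

# Example invocation (placeholder names): attach_pull_secret test-namespace test-secret
```

Running it twice is safe: merge_patch skips a secret that is already in the list, so the patch is a no-op on the second pass.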


Posted by xphoenixx on Wed, 03 Nov 2021 18:15:32 -0700