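1. Image pull policy
IfNotPresent: the default; the image is pulled only if it is not already present on the host
Always: the image is pulled again every time the Pod is created
Never: the Pod never actively pulls this image
Note: if imagePullPolicy is omitted and the image tag is :latest, the policy is Always; otherwise the policy is IfNotPresent
Configuration: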
apiVersion: v1
kind: Pod
metadata:
  name: foo
  namespace: awesomeapps
spec:
  containers:
  - name: foo
    image: janedoe/awesomeapp:v1
    imagePullPolicy: IfNotPresent   # set the pull policy
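2. Image pull permissions
If the image registry requires a login to pull images, imagePullSecrets must be configured before the image can be pulled.
After logging in to the registry, a /root/.docker/config.json configuration file is generated: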
[root@k8s-node04 ~]# docker login 10.16.8.152
[root@k8s-node04 ~]# cat .docker/config.json
{
    "auths": {
        "10.16.8.152": {
            "auth": "eHc6WGlhbmd3ZWkxMjM0NTY="
        }
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/19.03.4 (linux)"
    }
}
Encode this file as a single base64 string:
[root@k8s-node04 ~]# cat .docker/config.json | base64 -w 0
ewoJImF1dGhzIjogewoJCSIxMC4xNi44LjE1MiI6IHsKCQkJImF1dGgiOiAiZUhjNldHbGhibWQzWldreE1qTTBOVFk9IgoJCX0KCX0sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xOS4wMy40IChsaW51eCkiCgl9Cn0=
Register a Secret in k8s:
[root@k8s-master01-etcd01 yaml]# cat registry-pull-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: registry-pull-secret
data:
  .dockerconfigjson: ewoJImF1dGhzIjogewoJCSIxMC4xNi44LjE1MiI6IHsKCQkJImF1dGgiOiAiZUhjNldHbGhibWQzWldreE1qTTBOVFk9IgoJCX0KCX0sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xOC4wOS4wIChsaW51eCkiCgl9Cn0=
type: kubernetes.io/dockerconfigjson
# Register the Secret
[root@k8s-master01-etcd01 yaml]# kubectl create -f registry-pull-secret.yaml
secret/registry-pull-secret created
# View the Secret
[root@k8s-master01-etcd01 yaml]# kubectl get secrets
NAME                   TYPE                                  DATA   AGE
default-token-6wrdx    kubernetes.io/service-account-token   3      3d6h
registry-pull-secret   kubernetes.io/dockerconfigjson        1      43s
Reference this registry-pull-secret in the Pod deployment YAML (the Secret must exist in the same namespace as the Pod):
apiVersion: v1
kind: Pod
metadata:
  name: foo
  namespace: awesomeapps
spec:
  containers:
  - name: foo
    image: janedoe/awesomeapp:v1
  imagePullSecrets:
  - name: registry-pull-secret
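
Added example (not from the original page): the Secret above can also be built and checked without running docker login on a node. It shows that both the auth field and the .dockerconfigjson value are only base64 encodings, so anyone who can read the Secret can recover the registry password. The function names, the registry registry.example.internal and the credentials are constructed assumptions.

```python
import base64
import json

SECRET_TYPE = "kubernetes.io/dockerconfigjson"


def build_pull_secret(name, namespace, registry, username, password):
    """Build the Secret manifest without running `docker login` on a node."""
    # Layer 1: "auth" is base64("username:password"), an encoding, not encryption.
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = json.dumps({"auths": {registry: {"auth": auth}}})
    # Layer 2: Secret "data" values are base64 of the raw file contents.
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": SECRET_TYPE,
        "data": {".dockerconfigjson": base64.b64encode(config.encode()).decode()},
    }


def inspect_pull_secret(manifest):
    """Return {registry: username}; raise ValueError on a malformed Secret."""
    if manifest.get("type") != SECRET_TYPE:
        raise ValueError(f"type must be {SECRET_TYPE}")
    blob = manifest.get("data", {}).get(".dockerconfigjson")
    if not blob:
        raise ValueError("data['.dockerconfigjson'] is missing")
    try:
        config = json.loads(base64.b64decode(blob, validate=True))
    except ValueError as exc:  # binascii.Error and JSONDecodeError both subclass it
        raise ValueError(f"not base64-encoded JSON: {exc}") from None
    auths = config.get("auths") if isinstance(config, dict) else None
    if not isinstance(auths, dict) or not auths:
        raise ValueError("config has no 'auths' entries")
    users = {}
    for registry, entry in auths.items():
        decoded = base64.b64decode(entry.get("auth", "")).decode()
        username, sep, _password = decoded.partition(":")
        if not sep:
            raise ValueError(f"auth for {registry} is not 'user:password'")
        users[registry] = username  # the password is recoverable the same way
    return users


if __name__ == "__main__":
    # Constructed sample values, not the credentials shown on this page.
    secret = build_pull_secret("registry-pull-secret", "awesomeapps",
                               "registry.example.internal", "puller", "sample-pw")
    print(json.dumps(secret, indent=2), inspect_pull_secret(secret), sep="\n")
```

Because the value is recoverable, restrict get/list on Secrets in the Pod's namespace with RBAC and use a registry account that can only pull.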