kubernetes集群使用容器镜像仓库Harbor

1、容器镜像仓库Harbor部署

• 在docker主机部署Harbor，安装过程比较简单

• 在k8s集群中部署Harbor

2、使用Harbor仓库

2.1 通过secret使用Harbor仓库

新建私有仓库

集权所有节点配置harbor仓库

# cat /etc/docker/daemon.json 
{
    "exec-opts": ["native.cgroupdriver=systemd"],
    "insecure-registries": ["http://192.168.16.132"]
}
# systemctl restart docker

harbor服务器上传镜像到仓库上

# docker pull nginx:1.15-alpine
docker.io/library/nginx:1.15-alpine
# docker login 192.168.16.132
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
# docker tag nginx:1.15-alpine 192.168.16.132/test/nginx:v1
# docker push 192.168.16.132/test/nginx:v1

创建secret-registry类型的secret

# kubectl create secret docker-registry harbor-secret --docker-server=192.168.16.132 --docker-username=admin --docker-password=12345

创建Pod并使用secret

# cat pod-harbor.yml 
apiVersion: v1
kind: Pod
metadata:
  name: pod-harbor
spec:
  containers:
  - name: c1
    image: 192.168.16.132/test/nginx:v1
  imagePullSecrets:
  - name: harbor-secret

2.2 通过serviceaccount使用Harbor仓库

创建serviceaccount

# cat serviceaccount-harbor-sa.yml 
apiVersion: v1
kind: ServiceAccount
metadata:
  name: harbor-sa

修改serviceaccoun添加使用harbor-secret

# kubectl patch serviceaccount harbor-sa -n default -p '{"imagePullSecrets": [{"name": "harbor-secret"}]}'

# kubectl describe sa harbor-sa
Name:                harbor-sa
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  harbor-secret
Mountable secrets:   harbor-sa-token-gshff
Tokens:              harbor-sa-token-gshff
Events:              <none>

创建Pod使用serviceaccount

# cat pod-harbor.yml 
apiVersion: v1
kind: Pod
metadata:
  name: pod-harbor
spec:
  serviceAccount: harbor-sa
  containers:
  - name: c1
    image: 192.168.16.132/test/nginx:v1