I am using k3s Kubernetes, and Harbor as a private container registry. I use a self-signed cert in Harbor. I have a sample image in Harbor, from which I want to create a sample pod in Kubernetes.
I created a file called testPod.yml with the following content to create the pod:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  containers:
  - name: test
    image: harbor-server/t_project/test:001
  imagePullSecrets:
  - name: testcred
```
However, there is an error after I applied this yml file, x509: certificate signed by unknown authority, which is shown below:
```
Name:         test
Namespace:    default
Priority:     0
Node:         server/10.1.0.11
Start Time:   Thu, 07 Jul 2022 15:20:32 +0800
Labels:       <none>
Annotations:  <none>
Status:       Pending
IP:           10.42.2.164
IPs:
  IP:  10.42.2.164
Containers:
  test:
    Container ID:
    Image:          harbor-server/t_project/test:001
    Image ID:
    Port:           <none>
    Host Port:      <none>
    State:          Waiting
      Reason:       ImagePullBackOff
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-47cgb (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  kube-api-access-47cgb:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason     Age               From               Message
  ----     ------     ----              ----               -------
  Normal   Scheduled  19s               default-scheduler  Successfully assigned default/test to server
  Normal   BackOff    19s               kubelet            Back-off pulling image "harbor-server/t_project/test:001"
  Warning  Failed     19s               kubelet            Error: ImagePullBackOff
  Normal   Pulling    4s (x2 over 19s)  kubelet            Pulling image "harbor-server/t_project/test:001"
  Warning  Failed     4s (x2 over 19s)  kubelet            Failed to pull image "harbor-server/t_project/test:001": rpc error: code = Unknown desc = failed to pull and unpack image "harbor-server/t_project/test:001": failed to resolve reference "harbor-server/t_project/test:001": failed to do request: Head "https://harbor-server:443/v2/t_project/test/manifests/001?ns=harbor-server": x509: certificate signed by unknown authority
  Warning  Failed     4s (x2 over 19s)  kubelet            Error: ErrImagePull
```
How can I solve this x509 error? Is there any step that I have missed?
The CA’s certificate needs to be trusted first.
Put the CA into the host system’s trusted CA chain. Run the following commands.
```sh
sudo mkdir -p /usr/local/share/ca-certificates/myregistry
sudo cp registry/myca.pem /usr/local/share/ca-certificates/myregistry/myca.crt
sudo update-ca-certificates
```
Note that the cert in that directory has to be named with the crt extension. Restart the K3s service for the change to take effect.
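
A pre-flight check for the CA file copied in the steps above, added here as an example and not part of the original answer. It catches the two mistakes that make `update-ca-certificates` silently skip a file: a name without the `.crt` extension and a file that is not PEM-encoded. The function names and return codes are assumptions of this example, and the sample files are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example: check a CA file before running update-ca-certificates.
# Return codes (chosen for this example): 0 ok, 1 unreadable,
# 2 wrong extension, 3 not PEM.
check_ca_anchor() {
    ca_file=$1
    [ -r "$ca_file" ] || { echo "FAIL: cannot read $ca_file" >&2; return 1; }
    case "$ca_file" in
        *.crt) ;;
        *) echo "FAIL: $ca_file does not end in .crt and will be ignored" >&2
           return 2 ;;
    esac
    # update-ca-certificates expects PEM; a DER-encoded file has no such header.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$ca_file" || {
        echo "FAIL: $ca_file has no PEM certificate header (DER-encoded?)" >&2
        return 3
    }
    echo "OK: $ca_file"
    return 0
}

# Optional detail view for a real certificate; requires openssl.
show_ca_details() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# Demo on constructed placeholder files (not real certificates).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$d/myca.pem"
    cp "$d/myca.pem" "$d/myca.crt"      # same content, correct extension
    printf 'not-pem' > "$d/der.crt"     # right name, wrong encoding
    for sample in "$d/myca.pem" "$d/myca.crt" "$d/der.crt" "$d/missing.crt"; do
        rc=0
        check_ca_anchor "$sample" 2>/dev/null || rc=$?
        echo "$(basename "$sample") -> exit $rc"
    done
    rm -rf "$d"
}
demo
```

On a node, run `check_ca_anchor /usr/local/share/ca-certificates/myregistry/myca.crt` before `sudo update-ca-certificates`, and `show_ca_details` on the same path to confirm the subject and expiry are those of the CA that signed the Harbor certificate.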