minikube - x509: certificate signed by unknown authority

10/26/2020

I am using minikube and kubectl to create an RC for mongo. And I am using the company's VPN.

I created the RC via the kubectl create -f ./rc/mongo-rc.yaml command.

I got the Kubernetes events below when using the kubectl describe pod mongo-5zttk command:

...
Events:
  Type     Reason     Age                    From               Message
  ----     ------     ----                   ----               -------
  Normal   Scheduled  7m18s                  default-scheduler  Successfully assigned default/mongo-5zttk to minikube
  Normal   Pulling    5m42s (x4 over 7m17s)  kubelet, minikube  Pulling image "mongo"
  Warning  Failed     5m40s (x4 over 7m15s)  kubelet, minikube  Failed to pull image "mongo": rpc error: code = Unknown desc = Error response from daemon: Get https://registry-1.docker.io/v2/library/mongo/manifests/latest: Get https://auth.docker.io/token?scope=repository%3Alibrary%2Fmongo%3Apull&service=registry.docker.io: x509: certificate signed by unknown authority
  Warning  Failed     5m40s (x4 over 7m15s)  kubelet, minikube  Error: ErrImagePull
  Normal   BackOff    5m29s (x6 over 7m15s)  kubelet, minikube  Back-off pulling image "mongo"
  Warning  Failed     2m8s (x21 over 7m15s)  kubelet, minikube  Error: ImagePullBackOff

When I try to use curl to access the URL:

⚡  curl https://registry-1.docker.io/v2/library/mongo/manifests/latest
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"library/mongo","Action":"pull"}]}]}

I can pull the mongo:latest image from the docker hub registry successfully.

⚡  docker pull mongo:latest
latest: Pulling from library/mongo
Digest: sha256:efc408845bc917d0b7fd97a8590e9c8d3c314f58cee651bd3030c9cf2ce9032d
Status: Image is up to date for mongo:latest
docker.io/library/mongo:latest

Environment information:

  • minikube version: v1.14.1
  • kubectl
    • Client Version: v1.18.8
    • Server Version: v1.19.2
  • OS: macOS 10.13.6

I have read the doc: vpn_and_proxy/#x509-certificate-signed-by-unknown-authority. The solution is to ask the IT department for the appropriate PEM file. Is there any solution if I can't get the PEM file, such as using some command flag like --skip-verify-cert?

UPDATE:

mongo-rc.yaml:

apiVersion: v1
kind: ReplicationController
metadata: 
  name: mongo
spec: 
  replicas: 1
  selector: 
    app: mongo
  template: 
    metadata: 
      labels:
        app: mongo
    spec: 
      containers: 
      - name: mongo
        image: mongo
        ports: 
        - containerPort: 27017
        env: 
        - name: MONGO_ROOT_PASSWORD
          value: "123456"
-- slideshowp2

1 Answer

10/26/2020

You should be able to use the --insecure-registry flag, but you might have to recreate your minikube cluster for it to work.

minikube start --insecure-registry="registry-1.docker.io"
-- jokarls
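
The Failed event in the question wraps two HTTP requests around one terminal error. The Python script below is an added example, not code from the question or the answer; it unwinds that chain to show which endpoint the certificate error came from. The function name and the CAUSES table are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Copied from the "Failed" event in the question's kubectl describe output.
EVENT = (
    'Failed to pull image "mongo": rpc error: code = Unknown desc = '
    "Error response from daemon: "
    "Get https://registry-1.docker.io/v2/library/mongo/manifests/latest: "
    "Get https://auth.docker.io/token?scope=repository%3Alibrary%2Fmongo%3Apull"
    "&service=registry.docker.io: "
    "x509: certificate signed by unknown authority"
)

# Hypothetical triage table: substring of the terminal error -> cause label.
CAUSES = {
    "x509: certificate signed by unknown authority": "untrusted-issuer",
    "x509: certificate has expired": "expired-certificate",
    "unauthorized": "registry-auth",
    "no such host": "dns",
}

# Go wraps HTTP errors as 'Get URL: <inner error>'; newer Go versions quote the URL.
GET_RE = re.compile(r'Get "?(https?://[^\s"]+?)"?: ')


def analyze_pull_failure(message):
    """Unwind the nested 'Get URL: Get URL: error' chain in a kubelet event."""
    image = re.search(r'Failed to pull image "([^"]+)"', message)
    matches = list(GET_RE.finditer(message))
    hosts = [urlsplit(m.group(1)).hostname for m in matches]
    # Everything after the innermost 'Get URL: ' is the error that ended the pull.
    error = message[matches[-1].end():].strip() if matches else message.strip()
    cause = next((label for needle, label in CAUSES.items()
                  if needle in error.lower()), "unknown")
    return {
        "image": image.group(1) if image else None,
        "chain": hosts,  # hosts in the order the requests were made
        "failing_host": hosts[-1] if hosts else None,  # innermost request
        "error": error,
        "cause": cause,
    }


if __name__ == "__main__":
    for key, value in analyze_pull_failure(EVENT).items():
        print(f"{key}: {value}")
```

For the event above, the innermost request is the token fetch from auth.docker.io, so that is the host whose certificate chain the daemon could not validate.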
Source: StackOverflow