kubernetes unable to pull image docker private registry

3/28/2021

I tried to deploy 'deployments' in Kubernetes which pull a Docker image from a private registry (I don't know who did this setup), but during "docker pull images" through Kubernetes I'm getting the following error:

node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type     Reason     Age                From               Message
  ----     ------     ----               ----               -------
  Normal   Scheduled  85s                default-scheduler  Successfully assigned default/trusted-enc-assettag1-deployment-8467b74958-6fbp7 to k8s-node
  Normal   BackOff    24s (x2 over 61s)  kubelet, k8s-node  Back-off pulling image "10.105.168.81:5000/simplehttpserverenc:enc_v1"
  Warning  Failed     24s (x2 over 61s)  kubelet, k8s-node  Error: ImagePullBackOff
  Normal   Pulling    12s (x3 over 82s)  kubelet, k8s-node  Pulling image "10.105.168.81:5000/simplehttpserverenc:enc_v1"
  Warning  Failed     0s (x3 over 62s)   kubelet, k8s-node  Failed to pull image "10.105.168.81:5000/simplehttpserverenc:enc_v1": rpc error: code = Unknown desc = Error response from daemon: Get https://10.105.168.81:5000/v2/: net/http: TLS handshake timeout
  Warning  Failed     0s (x3 over 62s)   kubelet, k8s-node  Error: ErrImagePull
[root@k8s-master ~]# docker pull 10.105.168.81:5000/simplehttpserverenc:enc_v1

ImagePullBackOff and net/http: TLS handshake timeout error.

Initially this "net/http: TLS handshake timeout" error was observed in docker pull as well. I referred to some answers and configured the certificate (/etc/docker/certs.d/<registryIP>/ca.crt) and proxy (/etc/systemd/system/docker.service.d/proxy.conf); after that I was able to perform docker pull of the private image.

[root@k8s-master ~]# docker pull 10.105.168.81:5000/simplehttpserverenc:enc_v1
enc_v1: Pulling from simplehttpserverenc
54fec2fa59d0: Pull complete
cd3f35d84cab: Pull complete
a0afc8e92ef0: Pull complete
9691f23efdb7: Pull complete
6512e60b314b: Pull complete
a8ac6632d329: Pull complete
68f4c4e0aa8c: Pull complete
Digest: sha256:0358708cd11e96f6cf6f22b29d46a8eec50d7107597b866e1616a73a198fe797
Status: Downloaded newer image for 10.105.168.81:5000/simplehttpserverenc:enc_v1
10.105.168.81:5000/simplehttpserverenc:enc_v1
[root@k8s-master ~]#

But I am still unable to perform this docker pull through Kubernetes. How can I solve this?

-- imaheshwaran s
docker
kubernetes
ssl

2 Answers

3/28/2021

If you use Docker as the container engine in your k8s, AFAIK it's the same as in "Understand the configuration", because the image pulling is conducted by the container engine and it depends on each engine's own configuration for the certificates. How about pulling the same image on the worker node in your k8s? Is it possible to pull it without errors?

-- Daein Park
Source: StackOverflow

3/28/2021

As your dockerconfigjson is not working properly, try this method:

kubectl create secret docker-registry regcred --docker-server=10.105.168.81:5000 --docker-username=<your-name> --docker-password=<your-pword>

And in the Kubernetes manifest:

apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    image: 10.105.168.81:5000/simplehttpserverenc:enc_v1
  imagePullSecrets:
  - name: regcred

I have encountered this many times, when I forgot to configure these secrets. Also, if you have any other namespace, you will have to generate secrets for each of these namespaces separately, passing -n <your-ns> to the above kubectl create secret.

Edit: As you cannot pull the image from the worker node:

  1. Make sure you copied the docker-registry ca.crt to /etc/docker/certs.d/ca.crt and then try docker pull.

-- Sachith Muhandiram
Source: StackOverflow
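
Both answers come down to whether the worker node's Docker daemon has the same registry settings as the host where `docker pull` succeeded. The script below is an added example, not code from the original posts: it checks a node for the two files the question mentions and reports whether the daemon would reach the registry directly or through the configured proxy. The function names are hypothetical, the CA directory is named `<host:port>` following Docker's documented `certs.d` convention, and the NO_PROXY match is a simplified exact-entry comparison.

```shell
#!/bin/sh
# Added example (not from the original posts). Paths are parameters so the
# checks can be run against a scratch directory as well as a real node.

# Docker reads a registry's CA from <certs.d>/<host:port>/ca.crt.
registry_ca_path() {  # $1=certs.d root  $2=registry host:port
    printf '%s/%s/ca.crt\n' "$1" "$2"
}

# True if that file exists and holds a PEM certificate.
ca_present() {
    f=$(registry_ca_path "$1" "$2")
    [ -s "$f" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$f"
}

# Print one variable from a systemd drop-in line such as
#   Environment="HTTPS_PROXY=http://proxy:3128" "NO_PROXY=localhost,10.0.0.1"
dropin_value() {  # $1=drop-in file  $2=variable name
    [ -r "$1" ] || return 0
    sed -n "s/^Environment=.*\"$2=\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Print "direct" if the registry is listed verbatim in NO_PROXY (or no proxy is
# set), else "proxy:<url>". Simplification: suffix and CIDR entries are ignored.
pull_route() {  # $1=drop-in file  $2=registry host:port
    proxy=$(dropin_value "$1" HTTPS_PROXY)
    list=$(dropin_value "$1" NO_PROXY | tr -d ' ')
    case ",$list," in
        *",${2%:*},"*|*",$2,"*) proxy= ;;
    esac
    echo "${proxy:+proxy:}${proxy:-direct}"
}

# Report what this node lacks compared with a host where "docker pull" works.
check_node() {  # $1=registry host:port  [$2=certs.d root]  [$3=proxy drop-in]
    certs=${2:-/etc/docker/certs.d}
    dropin=${3:-/etc/systemd/system/docker.service.d/proxy.conf}
    rc=0
    ca_present "$certs" "$1" || { echo "missing CA: $(registry_ca_path "$certs" "$1")"; rc=1; }
    [ -r "$dropin" ] || { echo "missing proxy drop-in: $dropin"; rc=1; }
    echo "route to $1: $(pull_route "$dropin" "$1")"
    return $rc
}

if [ "$#" -gt 0 ]; then check_node "$@"; fi
```

Run with the registry address as its only argument, it checks the default Docker paths on the node it runs on and exits non-zero if either file is absent.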