Kind: Failed to pull image. certificate signed by unknown authority. Proxy

Created on 24 Oct 2019 · 12 Comments · Source: kubernetes-sigs/kind

Hello there.
I'm behind a proxy that wraps the docker.io certificate with a company certificate. This results in a pull error.
Here is the pod log when trying to deploy the Kubernetes dashboard:

  Type     Reason     Age                  From                         Message
  ----     ------     ----                 ----                         -------
  Normal   Scheduled  11m                  default-scheduler            Successfully assigned kubernetes-dashboard/kubernetes-dashboard-6bb65fcc49-hfgx8 to kind-control-plane
  Normal   Pulling    9m42s (x4 over 11m)  kubelet, kind-control-plane  Pulling image "kubernetesui/dashboard:v2.0.0-beta4"
  Warning  Failed     9m42s (x4 over 11m)  kubelet, kind-control-plane  Failed to pull image "kubernetesui/dashboard:v2.0.0-beta4": rpc error: code = Unknown desc = failed to resolve image "docker.io/kubernetesui/dashboard:v2.0.0-beta4": no available registry endpoint: failed to fetch anonymous token: Get https://auth.docker.io/token?scope=repository%3Akubernetesui%2Fdashboard%3Apull&service=registry.docker.io: x509: certificate signed by unknown authority
  Warning  Failed     9m42s (x4 over 11m)  kubelet, kind-control-plane  Error: ErrImagePull
  Warning  Failed     6m (x22 over 11m)    kubelet, kind-control-plane  Error: ImagePullBackOff
  Normal   BackOff    55s (x44 over 11m)   kubelet, kind-control-plane  Back-off pulling image "kubernetesui/dashboard:v2.0.0-beta4"

So my question is: how can I inject the CA cert of my company into the cluster?

Thanks a lot !


All 12 comments

Hi! See discussion in: https://github.com/kubernetes-sigs/kind/issues/941
I don't have such an environment but one user reported success there.

Thanks !

I don't really see the answer in the issue you pointed to.
Is there a way to mount a volume into the node container? So I could add my corporate proxy.

https://github.com/kubernetes-sigs/kind/issues/941#issuecomment-541279662

you can mount volumes with extraMounts in the config.

kind: Cluster
apiVersion: kind.sigs.k8s.io/v1alpha3
nodes:
- role: control-plane
  extraMounts:
   - hostPath: /some/path
     containerPath: /some/path

Oh ok. I'll give a try to this config then. Thanks.
I haven't seen this part in the doc.

it's not in the quick start yet, it's an early power user feature. you can find all of the fields at the same URL as the apiVersion currently. there's a WIP PR to document them more.

It works ! Thanks.

The config I used:

kind: Cluster
apiVersion: kind.sigs.k8s.io/v1alpha3
nodes:
- role: control-plane
  extraMounts:
   - hostPath: /home/nico/Desktop/corporate.crt
     containerPath: /usr/share/ca-certificates/corporate.crt

Then started the cluster

kind create cluster --config kind-config.yml

Then connect into the container

docker exec -it kind-control-plane /bin/bash

Then update certs

root@kind-control-plane:/# update-ca-certificates

BTW, it would be nice to have the possibility of executing commands at the end of the deployment by placing them in the config file.

Thanks for your support and your work on this project!

In my case,
containerPath: /usr/local/share/ca-certificates/corporate.crt
is correct.

This works for me. Additional step I had to add is to restart the kind-control-plane container, i.e. docker stop and then docker start.

i would probably restart containerd instead of the entire node, docker exec kind-control-plane systemctl restart containerd or something like that.

I created a small script to send cert files and restart containerd in all kind nodes.

./kind-load-cafile [-n name] certfile...

In actuality, I want kind to officially support loading cert files, like kind load certfile.

Thanks, that was the final step I needed for mine to work
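
The steps reported in this thread (copy the CA file into each node, run update-ca-certificates, restart containerd) collected into one script. This is an added example, not the kind-load-cafile script mentioned above and not code from the kind project; the function names and the DRY_RUN switch are assumptions, and the destination is the /usr/local/share/ca-certificates path one commenter reported as correct.

```shell
#!/bin/sh
# Added example: install a CA file on every node of a kind cluster.
# DRY_RUN=1 prints the docker commands instead of running them.

# update-ca-certificates only picks up *.crt files from this directory,
# so the destination name is normalised to end in .crt.
ca_dest_path() {
    base=$(basename "$1")
    printf '/usr/local/share/ca-certificates/%s.crt\n' "${base%.*}"
}

# Accept only a readable PEM certificate; reject files that also carry a
# private key, which has no place in a node's trust directory.
is_pem_cert() {
    [ -r "$1" ] && grep -q '^-----BEGIN CERTIFICATE-----' "$1" &&
        ! grep -q 'PRIVATE KEY-----' "$1"
}

# Run a command, or only print it when DRY_RUN=1 (hypothetical switch).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# $1 = node container name (e.g. kind-control-plane), $2 = CA file on the host
install_ca_on_node() {
    is_pem_cert "$2" || { echo "not a PEM certificate: $2" >&2; return 1; }
    dest=$(ca_dest_path "$2")
    run docker cp "$2" "$1:$dest" &&
        run docker exec "$1" update-ca-certificates &&
        run docker exec "$1" systemctl restart containerd
}

# $1 = cluster name, $2 = CA file; applies the steps to every node.
install_ca_on_cluster() {
    for node in $(kind get nodes --name "$1"); do
        install_ca_on_node "$node" "$2" || return 1
    done
}

# Usage: ./script.sh <cluster-name> <ca-file>
if [ "$#" -ge 2 ]; then
    install_ca_on_cluster "$1" "$2"
fi
```

Restarting containerd makes the image puller reload the trust store, which is why the pull errors persist until that step is done.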
