实际上,使用官方 Kubernetes Python 客户端很容易做到。您需要执行两个步骤:
- 创建类型的秘密
dockerconfigjson(可以通过命令行或使用 Python 客户端完成)- 您将您的凭据放在这里
- 使用以下命令将此秘密添加到您的部署/pod 定义中
imagePullSecrets这样 Kubernetes 客户端就可以从私有存储库中拉取镜像
创建类型的秘密dockerconfigjson:
Replace <something>与您的数据。
命令行:
kubectl create secret docker-registry private-registry \
--docker-server=<your-registry-server> --docker-username=<your-name> \
--docker-password=<your-pword> --docker-email=<your-email>
与 Kubernetes Python Client 中的等效(记住以安全方式传递变量password,例如检查this https://stackoverflow.com/questions/15209978/where-to-store-secret-keys-django):
import base64
import json
from kubernetes import client, config
config.load_kube_config()
v1 = client.CoreV1Api()
# Credentials
username = <your-name>
password = <your-pword>
mail = <your-email>
secret_name = "private-registry"
namespace = "default"
# Address of Docker repository - in case of Docker Hub just use https://index.docker.io/v1/
docker_server = <your-registry-server>
# Create auth token
auth_decoded = username + ":" + password
auth_decoded_bytes = auth_decoded.encode('ascii')
base64_auth_message_bytes = base64.b64encode(auth_decoded_bytes)
base64_auth_message = base64_auth_message_bytes.decode('ascii')
cred_payload = {
"auths": {
docker_server: {
"username": username,
"password": password,
"email": mail,
"auth": base64_auth_message
}
}
}
data = {
".dockerconfigjson": base64.b64encode(
json.dumps(cred_payload).encode()
).decode()
}
secret = client.V1Secret(
api_version="v1",
data=data,
kind="Secret",
metadata=dict(name=secret_name, namespace=namespace),
type="kubernetes.io/dockerconfigjson",
)
v1.create_namespaced_secret(namespace, body=secret)
使用以下命令将此秘密添加到您的部署/pod 定义中imagePullSecrets: option
现在,让我们开始使用新创建的秘密 - 取决于你想要如何部署 pod/部署,在 Python 代码中有两种方法:yaml文件或直接在代码中创建 pod/部署清单。我将展示这两种方法。和以前一样,替换<something>与您的数据。
Example yaml file:
apiVersion: v1
kind: Pod
metadata:
name: private-registry-pod
spec:
containers:
- name: private-registry-container
image: <your-private-image>
imagePullSecrets:
- name: private-registry
在最后一行我们指的是秘密docker-registry在上一步中创建。
让我们应用这个yaml使用 Kubernetes Python 客户端创建文件:
from os import path
import yaml
from kubernetes import client, config
config.load_kube_config()
v1 = client.CoreV1Api()
config_yaml = "pod.yaml"
with open(path.join(path.dirname(__file__), config_yaml)) as f:
dep = yaml.safe_load(f)
resp = v1.create_namespaced_pod(body=dep, namespace="default")
print("Deployment created. status='%s'" % str(resp.status))
全部用 Python 代码编写 - pod 定义和应用过程:
from kubernetes import client, config
import time
config.load_kube_config()
v1 = client.CoreV1Api()
pod_name = "private-registry-pod"
secret_name = "private-registry"
namespace = "default"
container_name = "private-registry-container"
image = <your-private-image>
# Create a pod
print("Creating pod...")
pod_manifest= {
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": pod_name
},
"spec": {
"containers": [
{
"name": container_name,
"image": image
}
],
"imagePullSecrets": [
{
"name": secret_name
}
]
}
}
resp = v1.create_namespaced_pod(body=pod_manifest, namespace=namespace)
# Wait for a pod
while True:
resp = v1.read_namespaced_pod(name=pod_name, namespace=namespace)
if resp.status.phase != 'Pending':
break
time.sleep(1)
print("Done.")
Sources:
- Github 线程 https://github.com/kubernetes-client/python/issues/501
- Stackoverflow 主题 https://stackoverflow.com/questions/56673919/kubernetes-python-api-client-execute-full-yaml-file
- 官方 Kubernetes Python 客户端示例 https://github.com/kubernetes-client/python/blob/master/examples/pod_exec.py
- 库伯内特斯文档 https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#inspecting-the-secret-regcred
- 另一个 Kubernetes 文档 https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
- Github 主题 https://github.com/kubeflow/kubeflow/issues/1748
