Configuring insecure registry for k8s

Hi, I spent a lot of time trying to make it work with no luck, so I’m trying here. I’m trying to have a copy of our production environment using microk8s for testing purposes. The issue is that our Artifactory server certificate is auto-generated, so the error “x509: certificate signed by unknown authority” arises.

Anyway on microk8s.docker I have had it working, adding the insecure registry to /etc/docker/daemon.json and then configuring microk8s.docker service executing:
echo '--config-file=/etc/docker/daemon.json' | sudo tee -a /var/snap/microk8s/current/args/dockerd
sudo systemctl restart snap.microk8s.daemon-docker.service
Then if I pull using microk8s.docker against my Artifactory it works.

Problem is, it doesn’t work for a k8s deployment using microk8s.kubectl. The same image, when set on spec -> containers -> image fails to pull, saying on syslog:
Jan 28 13:53:52 sdvs-dev microk8s.daemon-docker[887]: time="2019-01-28T13:53:52.310454404Z" level=error msg="Handler for POST /v1.38/images/create returned error: Get https://k8s.gcr.io/v2/: x509: certificate signed by unknown authority"

How can I configure the docker subsystem of microk8s.kubectl to work with a self-signed images artifactory?

Thanks!

Hi @amleivar,

Instead of editing /etc/docker/daemon.json and having microk8s’ dockerd pointing to it you should be using /var/snap/microk8s/current/args/docker-daemon.json. I assume you do not have something like "insecure-registries" : ["https://k8s.gcr.io/v2"] in your daemon.json, right?

The issue you are facing seems to be related to Kubernetes configuration; it does not look MicroK8s-specific. Here are some things you may want to try:

If you could give me some more info I might be able to offer more assistance.

Thanks

Hi, thanks for the response. It must be something related to the company firewall, as I have seen the same error while trying to enable dashboard; it won’t pull any image. I have a proxy set on /etc/environment, as well as on apt.conf.d; I don’t know if it has something to do with it.

1 Like

Have you set the proxy settings on MicroK8s? https://github.com/ubuntu/microk8s#deploy-behind-a-proxy

2 Likes

You were right! I had to properly set PROXY_HTTP, PROXY_HTTPS and NO_PROXY for the insecure registry to work. In fact the registry is written on the NO_PROXY variable. Apart from that, the insecure registry is also configured on /etc/docker/daemon.json and added to microk8s.docker with echo '--config-file=/etc/docker/daemon.json' | sudo tee -a /var/snap/microk8s/current/args/dockerd.

Thanks mate!

2 Likes
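The thread ends with two conditions for a pull to succeed: the registry is listed under "insecure-registries" in daemon.json, and it is covered by NO_PROXY. The check below is an added example, not code from the thread or from MicroK8s; it reports both conditions for the registry an image reference resolves to. The Artifactory host name and image names are constructed, and the NO_PROXY matching is a simplified assumption (exact host, domain suffix or `*`, no CIDR entries).

```python
import json

def registry_of(image):
    """Registry host[:port] of an image reference; docker.io when none is given."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"

def _bare(entry):
    """Drop a scheme and path so 'https://host:5000/v2' compares as 'host:5000'."""
    return entry.split("://", 1)[-1].split("/", 1)[0].lower()

def insecure_listed(registry, daemon_json_text):
    """True if the registry appears under "insecure-registries" in daemon.json."""
    entries = json.loads(daemon_json_text).get("insecure-registries", [])
    return registry in {_bare(e) for e in entries}

def bypasses_proxy(registry, no_proxy):
    """Simplified NO_PROXY match; a leading dot on an entry is ignored."""
    host, _, port = registry.partition(":")
    for raw in no_proxy.split(","):
        entry = raw.strip().lower()
        if not entry:
            continue
        if entry == "*":
            return True
        e_host, _, e_port = entry.lstrip(".").partition(":")
        if e_port and e_port != port:
            continue  # entry is pinned to a different port
        if host == e_host or host.endswith("." + e_host):
            return True
    return False

def diagnose(image, daemon_json_text, no_proxy):
    """Report both conditions for the registry that serves this image."""
    reg = registry_of(image)
    return {"registry": reg,
            "insecure_listed": insecure_listed(reg, daemon_json_text),
            "bypasses_proxy": bypasses_proxy(reg, no_proxy)}

# Constructed sample values, not taken from the thread.
SAMPLE_DAEMON_JSON = '{"insecure-registries": ["artifactory.example.internal:5000"]}'
SAMPLE_IMAGE = "artifactory.example.internal:5000/team/app:1.4"

if __name__ == "__main__":
    for np in ("localhost,127.0.0.1", "localhost,127.0.0.1,.example.internal"):
        print(np, "->", diagnose(SAMPLE_IMAGE, SAMPLE_DAEMON_JSON, np))
```

Running it against an image hosted on k8s.gcr.io, the host named in the syslog line of the first post, shows that this registry is a different one from the Artifactory entry and is evaluated separately.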