Failed to pull image with "x509: certificate signed by unknown authority" error


I am using k3s Kubernetes, with Harbor as a private container registry. I use a self-signed cert in Harbor. I have a sample image in Harbor, and I want to create a sample pod in Kubernetes using this private Harbor image.

I created a file called testPod.yml with the following content to create the pod:

apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  containers:
    - name: test
      image: harbor-server/t_project/test:001
  imagePullSecrets:
    - name: testcred

However, after I applied this yml file there is an error, x509: certificate signed by unknown authority, as shown below:

Name:         test
Namespace:    default
Priority:     0
Node:         server/10.1.0.11
Start Time:   Thu, 07 Jul 2022 15:20:32 +0800
Labels:       <none>
Annotations:  <none>
Status:       Pending
IP:           10.42.2.164
IPs:
  IP:  10.42.2.164
Containers:
  test:
    Container ID:   
    Image:          harbor-server/t_project/test:001
    Image ID:       
    Port:           <none>
    Host Port:      <none>
    State:          Waiting
      Reason:       ImagePullBackOff
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-47cgb (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             False 
  ContainersReady   False 
  PodScheduled      True 
Volumes:
  kube-api-access-47cgb:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason     Age               From               Message
  ----     ------     ----              ----               -------
  Normal   Scheduled  19s               default-scheduler  Successfully assigned default/test to server
  Normal   BackOff    19s               kubelet            Back-off pulling image "harbor-server/t_project/test:001"
  Warning  Failed     19s               kubelet            Error: ImagePullBackOff
  Normal   Pulling    4s (x2 over 19s)  kubelet            Pulling image "harbor-server/t_project/test:001"
  Warning  Failed     4s (x2 over 19s)  kubelet            Failed to pull image "harbor-server/t_project/test:001": rpc error: code = Unknown desc = failed to pull and unpack image "harbor-server/t_project/test:001": failed to resolve reference "harbor-server/t_project/test:001": failed to do request: Head "https://harbor-server:443/v2/t_project/test/manifests/001?ns=harbor-server": x509: certificate signed by unknown authority
  Warning  Failed     4s (x2 over 19s)  kubelet            Error: ErrImagePull

How can I solve this x509 error? Is there any step that I have missed?


Solution

  • The CA’s certificate needs to be trusted first.

    Put the CA into the host system's trusted CA chain by running the following commands.

    sudo mkdir -p /usr/local/share/ca-certificates/myregistry
    sudo cp registry/myca.pem /usr/local/share/ca-certificates/myregistry/myca.crt
    sudo update-ca-certificates
    

    Note that the cert in that directory has to be named with the .crt extension. Restart the K3s service for the change to take effect.