I am finding all sorts of walkthroughs on how to add certificates to be used in the pods themselves, but I can't seem to find info on how to setup Kubernetes to allow a self-signed cert for pulling images from a Harbor instance running inside the cluster. I have the ca cert imported to the system's trusted certs (system is running Ubuntu 18.04), but I am guessing Kubernetes uses it's own trusted certs store somewhere, similar to how Java ignores the system's trusted certs and relies on keystore files?
Edit To be more specific, what I am trying to do is deploy a custom Docker image stored in my Harbor instance that is running in my Kubernetes cluster. I have the certs for Harbor imported into my host systems OS, and I can run:
docker login <url_to_harbor> docker pull <url_to_harbor>/library/custom/image:latest and it works fine from CLI, but if I try to create a deployment yaml like so:
apiVersion: apps/v1 kind: Deployment metadata: name: custom-deployment spec: replicas: 1 selector: matchLabels: app: custom template: metadata: labels: app: custom spec: containers: - name: custom image: <url_to_harbor>/library/custom/image:latest ... and run kubectl apply -f custom-deploy.yaml I get the following error when I get pods:
custom-deployment-6ff68947f6-8jj2p 0/1 ImagePullBackOff 0 13s And if I get a description on the failed pod I see:
Warning Failed 18s kubelet, node3 Failed to pull image "<url_to_harbor>/library/custom/image:latest": rpc error: code = Unknown desc = Error response from daemon: Get https://<url_to_harbor>/v2/: x509: certificate signed by unknown authority Warning Failed 18s kubelet, node3 Error: ErrImagePull I have restarted the host machine since I imported the CA certs. I added the certs by moving the root CA cert file into /usr/local/share/ca-certificates and then running sudo update-ca-certificates.
docker pull <your image>directly inside one of your kubernetes nodes?