As for containerd, you still need to learn the commands used below.
Versions
- k8s: v1.28.2
- containerd: 1.6.33
1. Configure containerd registry mirrors

```ini
[root@master ~]# vim /etc/containerd/config.toml   # edit the containerd config file, find the section below and add the new lines
[plugins."io.containerd.grpc.v1.cri".image_decryption]
  key_model = "node"
[plugins."io.containerd.grpc.v1.cri".registry]
  config_path = ""
  [plugins."io.containerd.grpc.v1.cri".registry.auths]
  [plugins."io.containerd.grpc.v1.cri".registry.configs]
  [plugins."io.containerd.grpc.v1.cri".registry.headers]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors] # the two lines below are newly added
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
      # placeholders: replace 加速器1..3 with the URLs of your registry mirrors
      endpoint = ["加速器1", "加速器2", "加速器3"]
[root@master ~]# systemctl restart containerd
[root@master ~]# crictl pull centos:6   # test
Image is up to date for sha256:5bf9684f472089d6d5cb636041d3d6dc748dbde39f1aefc374bbd367bd2aabbf
```

Test: create a pod from an image pulled from the official registry

```ini
[root@master ~]# cat test-nginx-pod.yml
apiVersion: v1
kind: Pod
metadata:
  name: test-app
spec:
  containers:
  - name: nginx
    image: nginx
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 80
[root@master ~]# kubectl get pod -o wide
NAME       READY   STATUS    RESTARTS   AGE     IP             NODE     NOMINATED NODE   READINESS GATES
test-app   1/1     Running   0          3m19s   10.244.1.100   node-2   <none>           <none>
```
2. Configure a Harbor private registry (do this on every k8s node)

192.168.209.182 is the address of my Harbor registry; it is accessed over HTTP.

```ini
[root@master ~]# vim /etc/containerd/config.toml
  [plugins."io.containerd.grpc.v1.cri".registry.configs]
    [plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.209.182".auth] # newly added: the Harbor registry address with its username and password
      username = "admin"
      password = "Harbor12345"
  [plugins."io.containerd.grpc.v1.cri".registry.headers]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"] # the registry mirrors configured earlier; these two lines are newly added
      endpoint = ["https://br003st4.mirror.aliyuncs.com", "https://registry-1.docker.io", "https://08c765900e00f5d20f0dc0005a40c3a0.mirror.swr.myhuaweicloud.com"]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."192.168.209.182"] # newly added: skip https and access the registry over http
      endpoint = ["http://192.168.209.182"]
```

```ini
[root@master ~]# systemctl restart containerd
[root@master ~]# crictl pull 192.168.209.182/nginx/mynginx:v1.0   # pull the image
```
2.1. Create a pod in k8s from an image in the Harbor registry

You can also use kubectl to create a Secret for accessing the container registry. This is what to do when you have no Docker configuration file:

```ini
# 1. First define the secret used to access Harbor, storing the Harbor registry address, username and password
# placeholders: 用户名 = username, harbor密码 = Harbor password, harbor仓库的ip = IP of the Harbor registry
[root@master ~]# kubectl create secret docker-registry harbor-secret --docker-username=用户名 --docker-password=harbor密码 --docker-server=harbor仓库的ip
secret/harbor-secret created
[root@master ~]# kubectl get secret
NAME            TYPE                             DATA   AGE
harbor-secret   kubernetes.io/dockerconfigjson   1      30s
# 2. Create the pod
[root@master ~]# cat test-nginx-pod.yml
apiVersion: v1
kind: Pod
metadata:
  name: test-app
spec:
  containers:
  - name: nginx
    image: 192.168.209.182/nginx/mynginx:v1.0
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 80
  imagePullSecrets:
  - name: harbor-secret
[root@master ~]# kubectl get pod
NAME       READY   STATUS    RESTARTS   AGE
test-app   1/1     Running   0          3m37s
```
3. Configure an Alibaba Cloud private registry

```ini
[root@master ~]# vim /etc/containerd/config.toml
[plugins."io.containerd.grpc.v1.cri".registry]
  config_path = ""
  [plugins."io.containerd.grpc.v1.cri".registry.auths]
  [plugins."io.containerd.grpc.v1.cri".registry.configs] # the lines below are newly added: add your own Alibaba Cloud private registry
    [plugins."io.containerd.grpc.v1.cri".registry.configs."registry.cn-hangzhou.aliyuncs.com".auth]
      # placeholders: 阿里用户 = your Alibaba Cloud username, 密码 = your password
      username = "阿里用户"
      password = "密码"
  [plugins."io.containerd.grpc.v1.cri".registry.headers]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
      endpoint = ["https://br003st4.mirror.aliyuncs.com", "https://registry-1.docker.io", "https://08c765900e00f5d20f0dc0005a40c3a0.mirror.swr.myhuaweicloud.com"]
[plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
```

```ini
[root@master ~]# systemctl restart containerd
[root@master ~]# crictl pull registry.cn-hangzhou.aliyuncs.com/testpm-k8s/nginx   # test pull
```
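
Sections 2 and 3 keep registry passwords inline in `config.toml`, and section 2 reaches Harbor over plain HTTP, so credentials and image layers cross the network unencrypted. The audit script below is an added example, not part of the original post; the function names and the constructed sample config (placeholder host `registry.example.internal`) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): flag two weak settings in a
# containerd 1.6 CRI registry config: inline credentials and http:// endpoints.

# Prints one finding per line; returns 1 if anything was flagged, 0 otherwise.
audit_registry_config() {
    awk '
        # Remember the current TOML table header, minus comment and indentation.
        /^[ \t]*\[/ {
            section = $0
            sub(/[ \t]*#.*/, "", section); sub(/^[ \t]+/, "", section)
            next
        }
        # Secrets stored inline under registry.configs."<host>".auth
        section ~ /registry\.configs\..*\.auth\]/ &&
        /^[ \t]*(password|auth|identitytoken)[ \t]*=/ {
            print "INLINE_CREDENTIAL line " NR " " section; found = 1
        }
        # Mirror endpoints reached over plaintext HTTP
        section ~ /registry\.mirrors\./ && /^[ \t]*endpoint[ \t]*=/ && /"http:\/\// {
            print "PLAINTEXT_ENDPOINT line " NR " " section; found = 1
        }
        END { exit found + 0 }
    ' "$1"
}

# Constructed sample input: a placeholder registry host, not the page's values.
write_sample_config() {
    cat > "$1" <<'EOF'
[plugins."io.containerd.grpc.v1.cri".registry.configs]
  [plugins."io.containerd.grpc.v1.cri".registry.configs."registry.example.internal".auth] # inline secret
    username = "robot-pull"
    password = "constructed-placeholder"
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
    endpoint = ["https://registry-1.docker.io"]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.example.internal"]
    endpoint = ["http://registry.example.internal"]
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
audit_registry_config "$sample" || echo "findings listed above"
rm -f "$sample"
```

To check a node, call `audit_registry_config /etc/containerd/config.toml`; an exit status of 1 means at least one finding.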
3.1. Create a pod in k8s from an image in the Alibaba Cloud registry (configure on all k8s nodes)

You can also use kubectl to create a Secret for accessing the container registry. This is what to do when you have no Docker configuration file:

```ini
# 1. First define the secret used to access the registry, storing the registry address, username and password
# placeholders: 用户名 = username, harbor密码 = registry password
[root@master ~]# kubectl create secret docker-registry ali-secret --docker-username=用户名 --docker-password=harbor密码 --docker-server=registry.cn-hangzhou.aliyuncs.com   # address of the Alibaba Cloud private registry
secret/harbor-secret created
[root@master ~]# kubectl get secret
NAME         TYPE                             DATA   AGE
ali-secret   kubernetes.io/dockerconfigjson   1      17s
# 2. Create the pod
[root@master ~]# kubectl delete -f test-nginx-pod.yml
pod "test-app" deleted
[root@master ~]# vim test-nginx-pod.yml
apiVersion: v1
kind: Pod
metadata:
  name: test-app
spec:
  containers:
  - name: nginx
    image: registry.cn-hangzhou.aliyuncs.com/testpm-k8s/nginx:1.14
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 80
  imagePullSecrets:
  - name: ali-secret
[root@master ~]# kubectl apply -f test-nginx-pod.yml
pod/test-app created
[root@master ~]# kubectl get pod -o wide
NAME       READY   STATUS    RESTARTS   AGE   IP             NODE     NOMINATED NODE   READINESS GATES
test-app   1/1     Running   0          47s   10.244.1.104   node-2   <none>           <none>
```