kubernetes之基于ServiceAccount拉取私

　　前面可以通过ImagPullPolicy和ImageullSecrets指定下载镜像的策略，ServiceAccount也可以基于spec。imagePullSecret字段附带一个由下载镜像专用的Secret资源组成的列表，用于在容器创建时，从某个私有镜像仓库下载镜像文件之前的服务认证。1。创建Secrets资源
　　这里根据自己的实际去定义即可；一定要是对方的地址和认证信息；否则无法pullpushrootksmaster0110：kubectlcreatesecretdockerregistryaliyunhaitangregistrydockerserverregistry。cnhangzhou。aliyuncs。comdockerusernamexxxxxxxdockerpasswordxxxxxxsecretaliyunhaitangregistrycreated1。1查看Secretsrootksmaster0110：kubectldescribesecretaliyunhaitangName：aliyunhaitangNamespace：defaultLabels：noneAnnotations：noneType：kubernetes。iodockerconfigjsonData。dockerconfigjson：140bytes2。创建ServiceAccount2。1不设置任何策略，测试是否能拉取私有仓库镜像
　　此处不配置任何镜像拉取策略，测试是否能拉取私有仓库镜像；rootksmaster0110：catpodserviceaccountsecret。yamlapiVersion：v1kind：Podmetadata：name：streeserviceaccountspec：containers：name：streeimage：registry。cnhangzhou。aliyuncs。comlengyuyestress：latest2。2查看Pod，处于ErrImagerootksmaster0110：kubectlgetpodsNAMEREADYSTATUSRESTARTSAGEstreeserviceaccount01ErrImagePull08s2。3describe查看Events
　　可以看到事件，是Docker认证的问题；rootksmaster0110：kubectldescribepodsstreeserviceaccountEvents：TypeReasonAgeFromMessageNormalScheduled20sdefaultschedulerSuccessfullyassigneddefaultstreeserviceaccounttoksnode0212NormalBackOff17skubeletBackoffpullingimageregistry。cnhangzhou。aliyuncs。comlengyuyestress：latestWarningFailed17skubeletError：ImagePullBackOffNormalPulling2s（x2over19s）kubeletPullingimageregistry。cnhangzhou。aliyuncs。comlengyuyestress：latestWarningFailed2s（x2over18s）kubeletFailedtopullimageregistry。cnhangzhou。aliyuncs。comlengyuyestress：latest：rpcerror：codeUnknowndescErrorresponsefromdaemon：pullaccessdeniedforregistry。cnhangzhou。aliyuncs。comlengyuyestress，repositorydoesnotexistormayrequiredockerlogin：denied：requestedaccesstotheresourceisdeniedWarningFailed2s（x2over18s）kubeletError：ErrImagePull2。4创建ServiceAccount
　　aliyunhaitang是dockerregistry类型的Secrets对象，由用户提前手动创建，它可以通过键值数据提供docker仓库服务器的地址，接入服务器的用户名，密码及用户的电子邮件信息等，认证通过后，引用ServiceAccount的Pod资源即可从指定的镜像仓库下载image。rootksmaster0110：catserviceaccountimagepullsecret。yamlapiVersion：v1kind：ServiceAccountmetadata：name：imagepullaliyunsaimagePullSecrets：name：aliyunhaitangrootksmaster0110：kubectlapplyfserviceaccountimagepullsecret。yamlserviceaccountimagepullaliyunsacreated2。5查看SArootksmaster0110：kubectlgetsaimagepullaliyunsaoyamlapiVersion：v1imagePullSecrets：name：aliyunhaitangkind：ServiceAccountmetadata：annotations：kubectl。kubernetes。iolastappliedconfiguration：｛apiVersion：v1，imagePullSecrets：〔｛name：aliyunhaitang｝〕，kind：ServiceAccount，metadata：｛annotations：｛｝，name：imagepullaliyunsa，namespace：default｝｝creationTimestamp：20220907T02：31：05Zname：imagepullaliyunsanamespace：defaultresourceVersion：226300uid：fabc93b1572c4703a2dd465d4e0915cbsecrets：name：imagepullaliyunsatokenvf67z2。6Pod引用ServiceAccountrootksmaster0110：catpodserviceaccountsecret。yamlapiVersion：v1kind：Podmetadata：name：streeserviceaccountspec：serviceAccount：imagepullaliyunsa这里则是创建的sa的名称containers：name：streeimage：registry。cnhangzhou。aliyuncs。comlengyuyestress：latestrootksmaster0110：rbackubectlapplyfpodserviceaccountsecret。yamlpodstreeserviceaccountcreated3。创建Pod测试；3。1查看Podrootksmaster0110：kubectlgetpodsNAMEREADYSTATUSRESTARTSAGEstreeserviceaccount11Running08s3。2describe查看事件rootksmaster0110：kubectldescribepodsstreeserviceaccountEvents：TypeReasonAgeFromMessageNormalScheduled3m36sdefaultschedulerSuccessfullyassigneddefaultstreeserviceaccounttoksnode0212NormalPulling3m35skubeletPullingimageregistry。cnhangzhou。aliyuncs。comlengyuyestress：latestNormalPulled3m33skubeletSuccessfullypulledimageregistry。cnhangzhou。aliyuncs。comlengyuyestress：latestin1。729555429sNormalCreated3m33skubeletCreatedcontainerstreeNormalStarted3m33skubeletStartedcontainerstree3。3查看详细信息rootksmaster0110：kubectlgetpodsstreeserviceaccountoyamlimagePullSecrets：name：aliyunhaitangnodeName：ksnode0212preemptionPolicy：PreemptLowerPrioritypriority：0restartPolicy：AlwaysschedulerName：defaultschedulersecurityContext：｛｝serviceAccount：imagepullaliyunsaserviceAccountName：imagepullaliyunsa