If you want to use the TCR service in an serverless cluster, ensure that you have selected the corresponding image access credential and ensure the network connectivity between the serverless cluster and TCR.
A container image is private by default. Therefore, you need to select the image access credential for the TCR instance when creating a workload.
You can follow the steps below to create the image access credential:
The network between the serverless cluster and TCR is not connected by default, so an error indicating network disconnectivity will be reported when you pull the image:
dial tcp x.x.x.x:443: i/o timeout
There are 2 solutions:
Solution | Note |
---|---|
Solution 1: private network access (recommended) | Create a private network access linkage on the TCR console and configure private-network domain name resolution. In this way, the serverless cluster can access TCR via the newly created private network access linkage. |
Solution 2: public network access | Enable public network access for the serverless cluster so that it can access TCR via the public network. You also need to make TCR accessible via the public network. |
Note:After creating an access linkage, please wait until the backend generates a private IP. After that, the following button can be enabled.
An error containing “443: i/o timeout” is usually caused by the network disconnectivity between TKE Serverless and TCR.
Please select an access method mentioned in [Ensuring the network connectivity between the serverless cluster and TCR] to realize the network connectivity between TKE Serverless and TCR.
NoteThe domain name “<tcr-name>.tencentcloudcr.com” is resolved into a public IP by default. Please figure out the IP address in “dial tcp xxx” indicates a public or private network when the error is reported and solve the problem according to the actual situation.
An error containing insufficient_scope: authorization failed” indicates that the network between TKE Serverless and TCR is interconnected yet you do not have certain permissions. The cause may be that the namespace does not exist, the key is incorrect, or the key is not suitable for the image being pulled, etc.
An error containing “not found” indicates that the image does not exist.
For more information on other common errors, see TCR-related FAQs.
When you use the image of an external image repository to create a workload in the serverless cluster, you may encounter the error “ErrImagePull” and fail to pull the image, as shown in the figure below:
Generally speaking, if network connectivity is ensured, the problem may result from the following two causes:
You can solve the aforementioned 2 problems by adding annotations to the PodTemplate in workload Yaml configurations.
If the external image repository is an HTTPS-based self-signed image repository, you need to add the following annotation to PodTemplate to make it skip certificate verification.
eks.tke.cloud.tencent.com/registry-insecure-skip-verify: image repository address (for multiple addresses, separate them with “,”, or enter “all”)
Refer to the figure below:
Note:If the images of multiple containers in a Pod are pulled from different repositories, you can enter multiple image repository addresses and separate them with “,”. You can also enter “all”, indicating that all the container image repositories skip certificate verification.
Note:By default, an serverless cluster uses the HTTPS protocol to pull images when running, which means if the image repository supports HTTP, it also needs annotations.
With the command $kubectl describe pod $podname
, if “http: server gave HTTP response to HTTPS client” is exported to report an error, it means the image repository that is accessed uses HTTP, as shown in the figure below:
To solve this problem, you need to add the following annotation to PodTemplate to make it access the image repository through HTTP.
eks.tke.cloud.tencent.com/registry-http-endpoint: image repository address (for multiple addresses, separate them with “,”, or enter “all”)
Refer to the figure below:
Note:If the images of multiple containers in a Pod are pulled from different repositories, you can enter multiple image repository addresses and separate them with “,”. You can also enter “all”, indicating that all the container images are pulled through HTTP.
Both annotations above involve the entering of image repository addresses, and you can separate multiple repository addresses with “,”.
Note:If the image repository has a port number, include the port number in the image repository address.
For example, if the image address is 10.16.100.174:5000/busybox:latest
, specify the value of the annotation as 10.16.100.174:5000
, which means the image repository address will be eks.tke.cloud.tencent.com/registry-insecure-skip-verify: 10.16.100.174:5000
.
Was this page helpful?