# Kubeadm K8s containerd: Connecting to Harbor with TLS Bypass

## containerd information

* containerd version: `2.1.1`
* containerd toml config file: `version = 3`

## The following must be configured on every node

* Create the directory; `harbor.example.com` is the Harbor domain, and this directory can be given any name
* In `hosts.toml`, set `skip_verify = true` to skip TLS verification

```
$ sudo mkdir -p /etc/containerd/certs.d/harbor.example.com
$ sudo nano /etc/containerd/certs.d/harbor.example.com/hosts.toml
server = "https://harbor.example.com"

[host."https://harbor.example.com"]
  capabilities = ["pull", "resolve", "push"]
  skip_verify = true
```

Edit the containerd `config.toml` configuration file:

```
$ sudo nano /etc/containerd/config.toml
......
[plugins.'io.containerd.cri.v1.images'.registry]
  config_path = '/etc/containerd/certs.d'
```

![image](https://hackmd.io/_uploads/H1wwpldNgx.png)

* Restart the containerd service

```
$ sudo systemctl daemon-reload
$ sudo systemctl restart containerd.service
```

## k8s test

* Create a `DaemonSet` to confirm that every node can pull an image from Harbor

```
$ echo 'apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: test
spec:
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      containers:
      - name: alpine
        image: harbor.example.com/mytest/nginx:latest
        imagePullPolicy: Always
        tty: true' | kubectl apply -f -
```

```
$ kubectl get po -owide
NAME         READY   STATUS    RESTARTS   AGE   IP               NODE   NOMINATED NODE   READINESS GATES
test-26nsg   1/1     Running   0          5s    10.244.202.29    m1     <none>           <none>
test-gzbhz   1/1     Running   0          5s    10.244.80.194    w2     <none>           <none>
test-x4f48   1/1     Running   0          5s    10.244.245.144   w4     <none>           <none>
test-xvdpg   1/1     Running   0          5s    10.244.190.103   w1     <none>           <none>
test-zbbwx   1/1     Running   0          5s    10.244.193.228   w3     <none>           <none>
```

## References

https://github.com/containerd/containerd/blob/main/docs/hosts.md#bypass-tls-verification-example
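As an added example (not code from the original post), the bash script below writes the per-node `hosts.toml` from the section above and audits a `certs.d` tree for entries that disable TLS verification. It takes the `certs.d` root, the registry host and an optional CA file as parameters; when a CA file is given it emits the `ca = "..."` key that containerd's `hosts.toml` supports instead of `skip_verify = true`, so the registry certificate is validated against Harbor's own CA rather than skipped. `skip_verify = true` turns off certificate checking for every pull and push to that host, so the audit function is there to find such entries before a node is put into service. The registry name `registry.internal.example` used in the usage is a constructed placeholder.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post.
# Assumptions: the certs.d root, registry host and CA path are passed in as
# arguments, so nothing here touches /etc on its own.

# write_hosts_toml <certs_d_root> <registry_host> [ca_file]
# Creates <certs_d_root>/<registry_host>/hosts.toml. With a CA file the
# registry is trusted via that CA; without one, the skip_verify variant from
# the post is written.
write_hosts_toml() {
  local root="$1" host="$2" ca="${3:-}"
  local dir="$root/$host"
  mkdir -p "$dir"
  {
    printf 'server = "https://%s"\n\n' "$host"
    printf '[host."https://%s"]\n' "$host"
    printf '  capabilities = ["pull", "resolve", "push"]\n'
    if [ -n "$ca" ]; then
      # Trust the registry's private CA instead of disabling verification.
      printf '  ca = "%s"\n' "$ca"
    else
      # TLS bypass: containerd will not validate the registry certificate.
      printf '  skip_verify = true\n'
    fi
  } > "$dir/hosts.toml"
}

# audit_skip_verify <certs_d_root>
# Prints every hosts.toml under the root that sets skip_verify = true.
# Returns 1 if any such file exists, 0 otherwise, so it can gate a rollout.
audit_skip_verify() {
  local root="$1" found=0 f
  for f in "$root"/*/hosts.toml; do
    [ -e "$f" ] || continue
    if grep -Eq '^[[:space:]]*skip_verify[[:space:]]*=[[:space:]]*true' "$f"; then
      echo "TLS verification disabled: $f"
      found=1
    fi
  done
  return "$found"
}

# Usage on a node (run as root):
#   write_hosts_toml /etc/containerd/certs.d harbor.example.com \
#       /etc/containerd/certs.d/harbor.example.com/ca.crt
#   audit_skip_verify /etc/containerd/certs.d && systemctl restart containerd
```

After writing the file on each node, `audit_skip_verify /etc/containerd/certs.d` returning non-zero means at least one registry entry is still bypassing TLS; restarting containerd is needed either way for the new `hosts.toml` to take effect, as the post describes.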