Getting "x509: certificate signed by unknown authority" in GKE on pulling image (a private registry) when a pod is created


I found a solution. The problem applies to Kubernetes version 1.19+ and COS/Ubuntu images based on containerd for GKE nodes. Before version 1.19 Kubernetes used Docker for building images, but now it uses containerd. More details can be found in the official Google Cloud documentation.

You need to create a CA certificate and put it on each GKE node. Here you can find an answer on how to do it correctly: https://stackoverflow.com/a/67724696/3319341.

But for the containerd solution you should replace the command

nsenter --target 1 --mount systemctl restart docker

by

nsenter --target 1 --mount systemctl restart containerd

A more detailed answer: https://stackoverflow.com/a/67990395/3319341
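As an added example (not part of the original answer), a small POSIX shell helper that picks the service to restart after installing the CA certificate, based on the container runtime the kubelet reports for each node; the node names and the sample `kubectl` output are constructed.

```shell
#!/bin/sh
# Added example, not code from the original answer.
# On a real cluster the runtime per node can be listed with:
#   kubectl get nodes -o custom-columns=NAME:.metadata.name,RUNTIME:.status.nodeInfo.containerRuntimeVersion
# which prints values such as "containerd://1.4.6" or "docker://19.3.14".

# Map a containerRuntimeVersion string to the service that must be restarted
# after update-ca-certificates. Returns non-zero for a runtime we do not know.
runtime_service() {
  case "$1" in
    containerd://*) echo containerd ;;
    docker://*)     echo docker ;;
    *)              return 1 ;;
  esac
}

# Build the restart command the answer describes: it is executed from a
# privileged pod and enters the host's mount namespace via PID 1.
restart_command() {
  svc=$(runtime_service "$1") || return 1
  echo "nsenter --target 1 --mount systemctl restart $svc"
}

# Constructed sample of "<node> <runtime>" lines, one per node.
SAMPLE_NODES="gke-node-a containerd://1.4.6
gke-node-b docker://19.3.14
gke-node-c cri-o://1.20.0"

# Print one restart command per node; unknown runtimes are reported on stderr
# and skipped rather than guessed.
plan_restarts() {
  printf '%s\n' "$1" | while read -r node rt; do
    cmd=$(restart_command "$rt") || { echo "$node: unknown runtime $rt" >&2; continue; }
    echo "$node: $cmd"
  done
}

plan_restarts "$SAMPLE_NODES"
```

Mixed node pools are the case to watch for: restarting docker on a containerd node does nothing for image pulls, which is exactly the symptom in the question.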


Updated on September 18, 2022

Comments

  • Max Koshel
    Max Koshel over 1 year

    I generated a CA certificate, then issued a certificate based on it for a private registry that is located in the same GKE cluster. I put the server certificates on the private registry and the CA certificate on all GKE nodes, and ran:

    update-ca-certificates && systemctl restart docker

    Images build and are pushed to the private registry without problems. When a pod tries to pull an image from the repository I get an error:

    x509: certificate signed by unknown authority

    I also tried to put the CA certificate into the docker certs.d directory (10.3.240.100:3000 is the IP address of the private registry) and restart docker on each node of the GKE cluster, but that doesn't help either:

    /etc/docker/certs.d/10.3.240.100:3000/ca.cert

    How can I solve this problem? Do I understand correctly that the GKE nodes' docker is responsible for pulling images when a pod is created?

  • Max Koshel
    Max Koshel almost 3 years
    Sorry, but your answer is useless. I've already done that, as I wrote in the question.
  • Max Koshel
    Max Koshel almost 3 years
    Thanks. Yes, it's a correct solution if a cluster is based on Docker. But as it turns out, mine is based on containerd. I found a solution and added my own answer to this question.