kind: Failed to pull image. certificate signed by unknown authority. Proxy

Hello there. I’m behind a proxy that wraps the docker.io certificate with a company certificate. This results in a pull error. Here is the pod log when trying to deploy the Kubernetes dashboard:

  Type     Reason     Age                  From                         Message
  ----     ------     ----                 ----                         -------
  Normal   Scheduled  11m                  default-scheduler            Successfully assigned kubernetes-dashboard/kubernetes-dashboard-6bb65fcc49-hfgx8 to kind-control-plane
  Normal   Pulling    9m42s (x4 over 11m)  kubelet, kind-control-plane  Pulling image "kubernetesui/dashboard:v2.0.0-beta4"
  Warning  Failed     9m42s (x4 over 11m)  kubelet, kind-control-plane  Failed to pull image "kubernetesui/dashboard:v2.0.0-beta4": rpc error: code = Unknown desc = failed to resolve image "docker.io/kubernetesui/dashboard:v2.0.0-beta4": no available registry endpoint: failed to fetch anonymous token: Get https://auth.docker.io/token?scope=repository%3Akubernetesui%2Fdashboard%3Apull&service=registry.docker.io: x509: certificate signed by unknown authority
  Warning  Failed     9m42s (x4 over 11m)  kubelet, kind-control-plane  Error: ErrImagePull
  Warning  Failed     6m (x22 over 11m)    kubelet, kind-control-plane  Error: ImagePullBackOff
  Normal   BackOff    55s (x44 over 11m)   kubelet, kind-control-plane  Back-off pulling image "kubernetesui/dashboard:v2.0.0-beta4"

So my question is: how can I inject the CA cert of my company into the cluster?

Thanks a lot!

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 3
  • Comments: 16 (6 by maintainers)

Most upvoted comments

I created a small script to send cert files and restart containerd in all kind nodes.

./kind-load-cafile [-n name] certfile...

In actuality, I want kind to officially support loading cert files, like kind load certfile.

It works! Thanks.

The config I used:

kind: Cluster
apiVersion: kind.sigs.k8s.io/v1alpha3
nodes:
- role: control-plane
  extraMounts:
   - hostPath: /home/nico/Desktop/corporate.crt
     containerPath: /usr/share/ca-certificates/corporate.crt

Then started the cluster

kind create cluster --config kind-config.yml

Then connect into the container

docker exec -it kind-control-plane /bin/bash

Then update certs

root@kind-control-plane:/# update-ca-certificates

BTW, it would be nice to have the possibility of executing commands at the end of the deployment by placing them in the config file.

Thanks for your support and your work on this project!


This works for me. An additional step I had to add is to restart the kind-control-plane container, i.e. docker stop and then docker start.

I would probably restart containerd instead of the entire node, docker exec kind-control-plane systemctl restart containerd or something like that.

On Tue, Feb 18, 2020 at 4:29 PM stevenpeh notifications@github.com wrote:

This works for me. An additional step I had to add is to restart the kind-control-plane container, i.e. docker stop and then docker start.


In my case, containerPath: /usr/local/share/ca-certificates/corporate.crt is correct.
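The steps collected from the comments above (copy the CA file into each node, run update-ca-certificates, restart containerd) can be put into one script. This is an added example, not the kind-load-cafile script mentioned earlier (which the page does not show) and not part of kind; the function names and the DRY_RUN switch are this example's own, and it assumes Debian/Ubuntu-based node images and the /usr/local/share/ca-certificates path from the last comment.

```shell
#!/usr/bin/env bash
# Added example: install a corporate CA into every node of a kind cluster.
# Assumption: node images ship update-ca-certificates and systemd.
DEST_DIR=/usr/local/share/ca-certificates

# Run a command, or only print it when DRY_RUN=1 (hypothetical switch).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Succeeds only if the file is readable and has PEM certificate markers,
# so a stray key or HTML error page is not copied into the trust store.
is_pem_cert() {
  [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
              && grep -q -- '-----END CERTIFICATE-----' "$1"
}

# update-ca-certificates only picks up files ending in .crt.
dest_name() {
  base=$(basename "$1")
  printf '%s.crt\n' "${base%.*}"
}

# install_ca NODE CERTFILE...
install_ca() {
  node=$1; shift
  for cert in "$@"; do
    is_pem_cert "$cert" || { echo "not a PEM certificate: $cert" >&2; return 1; }
    run docker cp "$cert" "$node:$DEST_DIR/$(dest_name "$cert")" || return 1
  done
  run docker exec "$node" update-ca-certificates || return 1
  # Restart containerd so it reloads the trust store before the next pull.
  run docker exec "$node" systemctl restart containerd
}

# Usage: script CLUSTER_NAME CERTFILE...
if [ "$#" -ge 2 ]; then
  cluster=$1; shift
  for n in $(kind get nodes --name "$cluster"); do
    install_ca "$n" "$@" || exit 1
  done
fi
```

Running it with DRY_RUN=1 prints the docker commands for review without touching the nodes.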