Appendix C. Configuring Docker to Push or Pull from an Insecure Registry
The Docker runtime establishes trust of a remote image registry based on the validity of its Transport Layer Security (TLS) certificate. If your cluster uses a self-signed certificate, Docker will consider it “insecure” by default.
You can confirm the allowed insecure registries for your Docker runtime by using the docker info command, as demonstrated here:

    docker info | grep -A 20 "Insecure Registries"
    Insecure Registries:
     mycluster.icp:8500
     127.0.0.0/8
    Live Restore Enabled: false

Configuring the insecure registries for your platform may vary a bit, but the basic flow is to extend the DOCKER_OPTS to explicitly list each insecure registry that the Docker runtime is allowed to interact with.
Edit the Docker daemon configuration to add the alias for your IBM Cloud Private cluster, which will be mycluster.icp:8500, by default. Depending on your installation and platform, your configuration file might be at /etc/docker/daemon.json, ~/.docker/daemon.json, or C:\ProgramData\docker\config\daemon.json.

    cat ~/.docker/daemon.json
    {
      "debug" : true,
      "insecure-registries" : [
        "mycluster.icp:8500"
      ],
      "experimental" : true
    }

Then, update your /etc/hosts configuration to alias this hostname (provided by the certificate when Docker connects to the endpoint) to the specific public IP of your cluster:

    cat /etc/hosts | grep mycluster.icp
    1.1.1.1 mycluster.icp

Restart your Docker runtime to make this change effective.
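
Because Docker skips certificate validation for every entry under insecure-registries, it is worth keeping that list to exactly the registries you intend. The following is an added example, not code from the book: it adds a registry to daemon.json text without duplicating it, flags entries that are unapproved or that cover a whole non-loopback network, and checks the /etc/hosts alias. The function names, the approved list, and the extra sample entries are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed sample inputs (the extra registry entries are illustrative, not from the page).
SAMPLE_DAEMON_JSON = """{
  "debug": true,
  "insecure-registries": ["mycluster.icp:8500", "127.0.0.0/8",
                          "10.0.0.0/8", "registry.example.test:5000"]
}"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n1.1.1.1 mycluster.icp  # cluster alias\n"
APPROVED = {"mycluster.icp:8500"}  # hypothetical allowlist for this environment

def add_insecure_registry(daemon_json_text, registry):
    """Return daemon.json text listing `registry` once, preserving all other keys."""
    config = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    entries = config.setdefault("insecure-registries", [])
    if registry not in entries:
        entries.append(registry)
    return json.dumps(config, indent=2)

def audit_insecure_registries(daemon_json_text, approved):
    """Return (entry, finding) pairs for entries that widen trust beyond `approved`."""
    findings = []
    for entry in json.loads(daemon_json_text).get("insecure-registries", []):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            net = None  # a hostname or host:port, not an IP or CIDR
        if net is not None and net.num_addresses > 1:
            if not net.is_loopback:  # 127.0.0.0/8 is listed by Docker itself
                findings.append((entry, "non-loopback CIDR: TLS checks skipped for the whole range"))
        elif entry not in approved:
            findings.append((entry, "registry not on the approved list"))
    return findings

def hosts_alias(hosts_text, hostname):
    """Return the IP that hosts-file text maps `hostname` to, or None if unmapped."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and hostname in fields[1:]:
            return fields[0]
    return None

if __name__ == "__main__":
    for entry, finding in audit_insecure_registries(SAMPLE_DAEMON_JSON, APPROVED):
        print(f"{entry}: {finding}")
    print("mycluster.icp ->", hosts_alias(SAMPLE_HOSTS, "mycluster.icp"))
```
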
To ...