2.4. 容器镜像签名

流程

1. 创建 Butane 配置文件 51-worker-rh-registry-trust.bu，其中包含 worker 节点的必要配置。

   注意

   如需有关 Butane 的信息，请参阅"使用 Butane 创建机器配置"。

   variant: openshift
   version: 4.9.0
   metadata:
     name: 51-worker-rh-registry-trust
     labels:
       machineconfiguration.openshift.io/role: worker
   storage:
     files:
     - path: /etc/containers/policy.json
       mode: 0644
       overwrite: true
       contents:
         inline: |
           {
             "default": [
               {
                 "type": "insecureAcceptAnything"
               }
             ],
             "transports": {
               "docker": {
                 "registry.access.redhat.com": [
                   {
                     "type": "signedBy",
                     "keyType": "GPGKeys",
                     "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                   }
                 ],
                 "registry.redhat.io": [
                   {
                     "type": "signedBy",
                     "keyType": "GPGKeys",
                     "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                   }
                 ]
               },
               "docker-daemon": {
                 "": [
                   {
                     "type": "insecureAcceptAnything"
                   }
                 ]
               }
             }
           }

   Copy to Clipboard Toggle word wrap

2. 使用 Butane 生成机器配置 YAML 文件 51-worker-rh-registry-trust.yaml，其中包含要写入 worker 节点上的磁盘的文件：

   $ butane 51-worker-rh-registry-trust.bu -o 51-worker-rh-registry-trust.yaml

   Copy to Clipboard Toggle word wrap

3. 应用创建的机器配置：

   $ oc apply -f 51-worker-rh-registry-trust.yaml

   Copy to Clipboard Toggle word wrap

4. 检查 worker 机器配置池已使用新机器配置推出：

   1. 检查是否创建了新机器配置：

      $ oc get mc

      Copy to Clipboard Toggle word wrap

      输出示例

      NAME                                               GENERATEDBYCONTROLLER                      IGNITIONVERSION   AGE
      00-master                                          a2178ad522c49ee330b0033bb5cb5ea132060b0a   3.2.0             25m
      00-worker                                          a2178ad522c49ee330b0033bb5cb5ea132060b0a   3.2.0             25m
      01-master-container-runtime                        a2178ad522c49ee330b0033bb5cb5ea132060b0a   3.2.0             25m
      01-master-kubelet                                  a2178ad522c49ee330b0033bb5cb5ea132060b0a   3.2.0             25m
      01-worker-container-runtime                        a2178ad522c49ee330b0033bb5cb5ea132060b0a   3.2.0             25m
      01-worker-kubelet                                  a2178ad522c49ee330b0033bb5cb5ea132060b0a   3.2.0             25m
      51-master-rh-registry-trust                                                                   3.2.0             13s
      51-worker-rh-registry-trust                                                                   3.2.0             53s 

      1

      
      99-master-generated-crio-seccomp-use-default                                                  3.2.0             25m
      99-master-generated-registries                     a2178ad522c49ee330b0033bb5cb5ea132060b0a   3.2.0             25m
      99-master-ssh                                                                                 3.2.0             28m
      99-worker-generated-crio-seccomp-use-default                                                  3.2.0             25m
      99-worker-generated-registries                     a2178ad522c49ee330b0033bb5cb5ea132060b0a   3.2.0             25m
      99-worker-ssh                                                                                 3.2.0             28m
      rendered-master-af1e7ff78da0a9c851bab4be2777773b   a2178ad522c49ee330b0033bb5cb5ea132060b0a   3.2.0             8s
      rendered-master-cd51fd0c47e91812bfef2765c52ec7e6   a2178ad522c49ee330b0033bb5cb5ea132060b0a   3.2.0             24m
      rendered-worker-2b52f75684fbc711bd1652dd86fd0b82   a2178ad522c49ee330b0033bb5cb5ea132060b0a   3.2.0             24m
      rendered-worker-be3b3bce4f4aa52a62902304bac9da3c   a2178ad522c49ee330b0033bb5cb5ea132060b0a   3.2.0             48s 

      2

      Copy to Clipboard Toggle word wrap

      1

      新机器配置

      2

      新的渲染机器配置

   2. 检查 worker 机器配置池是否使用新机器配置更新：

      $ oc get mcp

      Copy to Clipboard Toggle word wrap

      输出示例

      NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
      master   rendered-master-af1e7ff78da0a9c851bab4be2777773b   True      False      False      3              3                   3                     0                      30m
      worker   rendered-worker-be3b3bce4f4aa52a62902304bac9da3c   False     True       False      3              0                   0                     0                      30m 

      1

      Copy to Clipboard Toggle word wrap

      1

      当 UPDATING 字段为 True 时，机器配置池会使用新机器配置进行更新。当字段变为 False 时，代表 worker 机器配置池已应用到新机器配置。

5. 如果您的集群使用任何 RHEL7 worker 节点，当 worker 机器配置池被更新时，在 /etc/containers/registries.d 目录中在这些节点上创建 YAML 文件，用于指定给定 registry 服务器的分离签名的位置。以下示例只适用于托管在 registry.access.redhat.com 和 registry.redhat.io 中的镜像。

   1. 为每个 RHEL7 worker 节点启动一个 debug 会话：

      $ oc debug node/<node_name>

      Copy to Clipboard Toggle word wrap

   2. 将您的根目录改为 /host ：

      sh-4.2# chroot /host

      Copy to Clipboard Toggle word wrap

   3. 创建一个包含以下内容的 /etc/containers/registries.d/registry.redhat.io.yaml 文件：

      docker:
           registry.redhat.io:
               sigstore: https://registry.redhat.io/containers/sigstore

      Copy to Clipboard Toggle word wrap

   4. 创建一个包含以下内容的 /etc/containers/registries.d/registry.access.redhat.com.yaml 文件：

      docker:
           registry.access.redhat.com:
               sigstore: https://access.redhat.com/webassets/docker/content/sigstore

      Copy to Clipboard Toggle word wrap
   5. 退出 debug 会话。

流程

1. 在命令行中运行以下命令显示所需 worker 的信息：

   $ oc describe machineconfigpool/worker

   Copy to Clipboard Toggle word wrap

   初始 worker 监控的输出示例

   Name:         worker
   Namespace:
   Labels:       machineconfiguration.openshift.io/mco-built-in=
   Annotations:  <none>
   API Version:  machineconfiguration.openshift.io/v1
   Kind:         MachineConfigPool
   Metadata:
     Creation Timestamp:  2019-12-19T02:02:12Z
     Generation:          3
     Resource Version:    16229
     Self Link:           /apis/machineconfiguration.openshift.io/v1/machineconfigpools/worker
     UID:                 92697796-2203-11ea-b48c-fa163e3940e5
   Spec:
     Configuration:
       Name:  rendered-worker-f6819366eb455a401c42f8d96ab25c02
       Source:
         API Version:  machineconfiguration.openshift.io/v1
         Kind:         MachineConfig
         Name:         00-worker
         API Version:  machineconfiguration.openshift.io/v1
         Kind:         MachineConfig
         Name:         01-worker-container-runtime
         API Version:  machineconfiguration.openshift.io/v1
         Kind:         MachineConfig
         Name:         01-worker-kubelet
         API Version:  machineconfiguration.openshift.io/v1
         Kind:         MachineConfig
         Name:         51-worker-rh-registry-trust
         API Version:  machineconfiguration.openshift.io/v1
         Kind:         MachineConfig
         Name:         99-worker-92697796-2203-11ea-b48c-fa163e3940e5-registries
         API Version:  machineconfiguration.openshift.io/v1
         Kind:         MachineConfig
         Name:         99-worker-ssh
     Machine Config Selector:
       Match Labels:
         machineconfiguration.openshift.io/role:  worker
     Node Selector:
       Match Labels:
         node-role.kubernetes.io/worker:
     Paused:                              false
   Status:
     Conditions:
       Last Transition Time:  2019-12-19T02:03:27Z
       Message:
       Reason:
       Status:                False
       Type:                  RenderDegraded
       Last Transition Time:  2019-12-19T02:03:43Z
       Message:
       Reason:
       Status:                False
       Type:                  NodeDegraded
       Last Transition Time:  2019-12-19T02:03:43Z
       Message:
       Reason:
       Status:                False
       Type:                  Degraded
       Last Transition Time:  2019-12-19T02:28:23Z
       Message:
       Reason:
       Status:                False
       Type:                  Updated
       Last Transition Time:  2019-12-19T02:28:23Z
       Message:               All nodes are updating to rendered-worker-f6819366eb455a401c42f8d96ab25c02
       Reason:
       Status:                True
       Type:                  Updating
     Configuration:
       Name:  rendered-worker-d9b3f4ffcfd65c30dcf591a0e8cf9b2e
       Source:
         API Version:            machineconfiguration.openshift.io/v1
         Kind:                   MachineConfig
         Name:                   00-worker
         API Version:            machineconfiguration.openshift.io/v1
         Kind:                   MachineConfig
         Name:                   01-worker-container-runtime
         API Version:            machineconfiguration.openshift.io/v1
         Kind:                   MachineConfig
         Name:                   01-worker-kubelet
         API Version:            machineconfiguration.openshift.io/v1
         Kind:                   MachineConfig
         Name:                   99-worker-92697796-2203-11ea-b48c-fa163e3940e5-registries
         API Version:            machineconfiguration.openshift.io/v1
         Kind:                   MachineConfig
         Name:                   99-worker-ssh
     Degraded Machine Count:     0
     Machine Count:              1
     Observed Generation:        3
     Ready Machine Count:        0
     Unavailable Machine Count:  1
     Updated Machine Count:      0
   Events:                       <none>

   Copy to Clipboard Toggle word wrap

2. 再次运行 oc describe 命令：

   $ oc describe machineconfigpool/worker

   Copy to Clipboard Toggle word wrap

   worker 更新后的输出示例

   ...
       Last Transition Time:  2019-12-19T04:53:09Z
       Message:               All nodes are updated with rendered-worker-f6819366eb455a401c42f8d96ab25c02
       Reason:
       Status:                True
       Type:                  Updated
       Last Transition Time:  2019-12-19T04:53:09Z
       Message:
       Reason:
       Status:                False
       Type:                  Updating
     Configuration:
       Name:  rendered-worker-f6819366eb455a401c42f8d96ab25c02
       Source:
         API Version:            machineconfiguration.openshift.io/v1
         Kind:                   MachineConfig
         Name:                   00-worker
         API Version:            machineconfiguration.openshift.io/v1
         Kind:                   MachineConfig
         Name:                   01-worker-container-runtime
         API Version:            machineconfiguration.openshift.io/v1
         Kind:                   MachineConfig
         Name:                   01-worker-kubelet
         API Version:            machineconfiguration.openshift.io/v1
         Kind:                   MachineConfig
         Name:                   51-worker-rh-registry-trust
         API Version:            machineconfiguration.openshift.io/v1
         Kind:                   MachineConfig
         Name:                   99-worker-92697796-2203-11ea-b48c-fa163e3940e5-registries
         API Version:            machineconfiguration.openshift.io/v1
         Kind:                   MachineConfig
         Name:                   99-worker-ssh
     Degraded Machine Count:     0
     Machine Count:              3
     Observed Generation:        4
     Ready Machine Count:        3
     Unavailable Machine Count:  0
     Updated Machine Count:      3
   ...

   Copy to Clipboard Toggle word wrap

   注意

   Observed Generation 参数显示基于控制器生成的配置的生成数量的增加数。此控制器即使没有处理规格并生成修订，也会更新这个值。Configuration Source 值指向 51-worker-rh-registry-trust 配置。

3. 使用以下命令确认 policy.json 文件已存在：

   $ oc debug node/<node> -- chroot /host cat /etc/containers/policy.json

   Copy to Clipboard Toggle word wrap

   输出示例

   Starting pod/<node>-debug ...
   To use host binaries, run `chroot /host`
   {
     "default": [
       {
         "type": "insecureAcceptAnything"
       }
     ],
     "transports": {
       "docker": {
         "registry.access.redhat.com": [
           {
             "type": "signedBy",
             "keyType": "GPGKeys",
             "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
           }
         ],
         "registry.redhat.io": [
           {
             "type": "signedBy",
             "keyType": "GPGKeys",
             "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
           }
         ]
       },
       "docker-daemon": {
         "": [
           {
             "type": "insecureAcceptAnything"
           }
         ]
       }
     }
   }

   Copy to Clipboard Toggle word wrap

4. 使用以下命令确认 registry.redhat.io.yaml 文件已存在：

   $ oc debug node/<node> -- chroot /host cat /etc/containers/registries.d/registry.redhat.io.yaml

   Copy to Clipboard Toggle word wrap

   输出示例

   Starting pod/<node>-debug ...
   To use host binaries, run `chroot /host`
   docker:
        registry.redhat.io:
            sigstore: https://registry.redhat.io/containers/sigstore

   Copy to Clipboard Toggle word wrap

5. 使用以下命令确认 registry.access.redhat.com.yaml 文件已存在：

   $ oc debug node/<node> -- chroot /host cat /etc/containers/registries.d/registry.access.redhat.com.yaml

   Copy to Clipboard Toggle word wrap

   输出示例

   Starting pod/<node>-debug ...
   To use host binaries, run `chroot /host`
   docker:
        registry.access.redhat.com:
            sigstore: https://access.redhat.com/webassets/docker/content/sigstore

   Copy to Clipboard Toggle word wrap