https://rancher.com/ logo
Join Slack
Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Powered by Linen
Title
t

tall-kite-83186

06/01/2022, 12:09 PM
probably a dumb question. but I've build a docker image which is now in my private registry. While trying to install in K3s I install the related chart and reference my docker image directly but K8s pod complains it cannot find the image (imagePullBackoff). How do I tell K3s to use RD registry from wsl?
m

miniature-advantage-69986

06/01/2022, 3:32 PM
what did you meen with "privat registry"? If you do a docker build and tag the image you should be able to see the image with "docker image ls", after this you can create a pod with this image but make sure that the imagePullPolicy is set to "IfNotPresent" otherwise K3S will try to pull the image from dockerhub.
t

tall-kite-83186

06/01/2022, 3:36 PM
I can definitely see the image when doing 
nerdctl images
. I'll try the pullPolicy
Just changed the policy, now I have this: 
Failed to pull image "haproxy-agent-service-checker:latest": rpc error: code = Unknown desc = failed to pull and unpack image "<http://docker.io/library/haproxy-agent-service-checker:latest|docker.io/library/haproxy-agent-service-checker:latest>": failed to resolve reference "<http://docker.io/library/haproxy-agent-service-checker:latest|docker.io/library/haproxy-agent-service-checker:latest>": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
And the complementary event: 
Back-off pulling image "haproxy-agent-service-checker:latest"
I don't get why k3s tries to pull from docker instead of local registry
# nerdctl images
REPOSITORY                       TAG       IMAGE ID        CREATED         PLATFORM       SIZE         BLOB SIZE
haproxy-agent-service-checker    latest    164609860dc6    4 hours ago     linux/amd64    107.1 MiB    39.3 MiB
t

tall-insurance-55443

06/01/2022, 3:50 PM
You need to do something very similar to this https://docs.rancherdesktop.io/how-to-guides/hello-world-example#build-image-from-code-locally
specifically 
nerdctl --namespace <http://k8s.io|k8s.io> build --tag nginx-helloworld:latest .
t

tall-kite-83186

06/01/2022, 3:50 PM
Can't I build onto default registry and let K3s to pick in it?
Or is it bound to k8s.io ?
t

tall-insurance-55443

06/01/2022, 3:52 PM
🤷 I don’t know K3 well enough TBH But it’s one way or the other (either push it where k8s knows, or change where k8s is looking)
f

fast-garage-66093

06/01/2022, 4:39 PM
@tall-insurance-55443 is correct: you need to build the image in the 
<http://k8s.io|k8s.io>
namespace for kubernetes to "see" it. Note that these are containerd namespaces, not kubernetes namespaces, which may contribute to the confusion
t

tall-kite-83186

06/01/2022, 4:40 PM
Indeed it confuses. Can't we allow K3s to see default containerd namespace ?
f

fast-garage-66093

06/01/2022, 4:44 PM
No, this is the way k8s and containerd work; I'm not sure this is configurable, but even if it were, I would strongly recommend against it.
t

tall-kite-83186

06/01/2022, 4:44 PM
That's fine, I'll stick with k8s.io namespace
f

fast-garage-66093

06/01/2022, 4:46 PM
Note that this namespace is "owned" by kubernetes, so if you would create a container in it, kubelet would just kill it as soon as it notices. For that reason 
nerdctl -n <http://k8s.io|k8s.io> build ...
does not actually build in the target namespace, but copies/links the image over, so kubelet can see it.
t

tall-kite-83186

06/01/2022, 4:46 PM
Gotcha
Hmmm, for some reasons I still have the same issues pulling the image from k8s.io internal registry:
f

fast-garage-66093

06/01/2022, 5:27 PM
Oh, this is because you are using the 
latest
tag. It implies 
imagePullPolicy: Always
, so kubelet will check if there is a newer version of the image on the registry. You need to either specify 
imagePullPolicy: Never
in your Pod spec, or use any tag other than 
latest
.
https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
t

tall-kite-83186

06/01/2022, 5:29 PM
You got it!
Thank you Jan
👍 1
View count: 102
Back to #rancher-desktopJoin thread in Slack