在扫描注册表映像时看到错误“x509:由未知授权机构签名的证书” Prisma Cloud
17837
Created On 04/25/22 09:28 AM - Last Modified 03/02/23 03:58 AM
Symptom
- 扫描注册表映像时出现以下错误:
Failed to pull image xxxxxxxreg/xxxxxxx:v1.0.0, error Error initializing source docker://registry.xxxxx/xxxxx/xxxxxxx:v1.0.0: error pinging docker registry registry.xxxxx: Get "https://urldefense.com/v3/__https://registry.xxxxx/v2/__;!!Gt_FR42WkD9csi9Y!NYhH91g2nYoQOfa3jNTZVtUdvAwu-vt30mQ2XXiY-cvy0sjkmol_xx8S-U0uKSRnm_zIxg$ ": x509: certificate signed by unknown authority
Environment
- Prisma Cloud 计算企业版
- Prisma Cloud 计算自托管
- 容器运行时
- CRI-O
Cause
- 尚未发现证书路径Prisma Cloud计算。
- 使用 Containerd Runtime 时,注册表证书的默认路径是 /etc/containerd。
- Prisma Cloud Compute 尚未能够在 /etc/containerd 下发现注册表证书。
- 直到 22.01.xxxPrisma Cloud计算仅支持 /etc/containers/certs.d/$REGISTRY_NAME/ 或 /etc/docker/certs.d/$REGISTRY_NAME/
Resolution
- 在 Defender 上创建一个目录节点如下所示 :
/etc/containers/certs.d/$REGISTRY_NAME/ or /etc/docker/certs.d/$REGISTRY_NAME/
- 注意:从 Kepler(22.06+) 开始,支持多一个文件夹:
/etc/containerd/certs.d/$REGISTRY_NAME/
- 将证书放入$REGISTRY_NAME文件夹。
- 证书名称无关紧要,只要证书存在于注册表文件夹中即可。
- 对于container defender,修改容器的daemon set yaml文件挂载文件夹。 这是示例:
- 命令:
kubectl edit ds -n twistlock twistlock-defender-ds
- 在“volumeMounts:”下添加:
- name: registry-scan mountPath: /etc/docker/certs.d - name: registry-scan2 mountPath: /etc/containers/certs.d - name: registry-scan3 mountPath: /etc/containerd/certs.d - 在“卷:”下添加:
- name: registry-scan hostPath: path: /etc/docker/certs.d type: '' - name: registry-scan2 hostPath: path: /etc/containers/certs.d type: '' - name: registry-scan3 hostPath: path: /etc/containerd/certs.d type: ''
- 命令:
NOTE :截至目前,上述步骤是可用于此问题的唯一适用解决方案。
Additional Information
配置注册表扫描