0 votes
72 views

At work I'm behind a corporate proxy intercepting HTTPS connections. When trying to deploy a pod on my local Kubernetes test system (Minikube) I'm getting ImagePullBackOff errors like this:

me@localhost:~$ kubectl get pod -A
NAMESPACE   NAME                     READY   STATUS             RESTARTS   AGE
default     test-7cdb456854-kt77d    0/1     ImagePullBackOff   0          5m16s

Inspecting the pod shows a certificate error:

me@localhost:~$ kubectl describe pod -n default test-7cdb456854-kt77d
[...]
Events:
  Type     Reason     Age                   From          Message
  ----     ------     ----                  ----          -------
  Normal   Pulling    3m44s (x4 over 5m8s)  kubelet       Pulling image "busybox"
  Warning  Failed     3m44s (x4 over 5m3s)  kubelet       Failed to pull image "busybox": rpc error: code = Unknown desc = Error response from daemon: Get "https://registry-1.docker.io/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority
  Warning  Failed     3m44s (x4 over 5m3s)  kubelet       Error: ErrImagePull
  Warning  Failed     3m20s (x6 over 5m3s)  kubelet       Error: ImagePullBackOff
  Normal   BackOff    3m7s (x7 over 5m3s)   kubelet       Back-off pulling image "busybox"

Error message:

Error response from daemon: Get "https://registry-1.docker.io/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority

However, the ca-certificates package is installed, and the CA certificate for the corporate proxy has already been added to the system's CA certificates.

in Sysadmin
edited by
by (125)
3 20 38

1 Answer

0 votes
 

Stop Minikube and add the proxy CA certificate to the Minikube config:

cp /path/to/proxy_ca.crt ~/.minikube/certs/

The certificate must be in PEM format. Should it be in DER format, you need to convert it:

openssl x509 -inform der -in /path/to/proxy_ca.cer -out ~/.minikube/certs/proxy_ca.crt

Then start Minikube with the following command:

minikube start --embed-certs

Source: Minikube Handbook, chapter "Certificates"

by (125)
3 20 38
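
The steps from the answer above as one script that detects whether the certificate is PEM or DER before installing it. This is an added example, not part of the original answer; the function names `cert_format` and `install_proxy_ca` and the optional destination argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: install a proxy CA certificate for Minikube, converting
# DER to PEM only when needed. Function names are hypothetical.
# Usage after sourcing:
#   minikube stop
#   install_proxy_ca /path/to/proxy_ca.cer && minikube start --embed-certs

# cert_format FILE -> prints "pem", "der" or "unknown"
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(head -c 1 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        # A DER certificate starts with the ASN.1 SEQUENCE tag 0x30.
        echo der
    else
        echo unknown
    fi
}

# install_proxy_ca FILE [DEST_DIR]
# Writes a PEM copy of FILE to DEST_DIR (default ~/.minikube/certs)
# with a .crt extension, as in the answer, and prints the path.
install_proxy_ca() {
    src=$1
    dest_dir=${2:-"$HOME/.minikube/certs"}
    fmt=$(cert_format "$src")
    if [ "$fmt" = unknown ]; then
        echo "not a PEM or DER certificate: $src" >&2
        return 1
    fi
    name=$(basename "$src")
    dest="$dest_dir/${name%.*}.crt"
    mkdir -p "$dest_dir" || return 1
    if [ "$fmt" = pem ]; then
        cp "$src" "$dest" || return 1
    else
        openssl x509 -inform der -in "$src" -out "$dest" || return 1
    fi
    # Print subject, issuer and expiry on stderr so you can confirm that
    # the installed file really is the corporate proxy CA.
    openssl x509 -in "$dest" -noout -subject -issuer -enddate >&2 || return 1
    echo "$dest"
}
```

The subject and expiry printed at the end are worth checking by hand, since an expired or wrong certificate in `~/.minikube/certs` produces the same `x509: certificate signed by unknown authority` error.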