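Earlier we saw that a Pod can control how its images are downloaded through imagePullPolicy and imagePullSecrets. A ServiceAccount can also carry, in its imagePullSecrets field, a list of Secret resources dedicated to image pulls. These are used to authenticate to a private image registry before the image is downloaded at container creation time.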
1. Create the Secret resource
Define this according to your own environment. It must be the target registry's address and credentials, otherwise you cannot pull/push.
root@ks-master01-10:~# kubectl create secret docker-registry \
> aliyun-haitang-registry \
> --docker-server=registry.cn-hangzhou.aliyuncs.com \
> --docker-username=xxxxxxx\
> --docker-password=xxxxxx
secret/aliyun-haitang-registry created
1.1 View the Secret
root@ks-master01-10:~# kubectl describe secret aliyun-haitang
Name:         aliyun-haitang
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/dockerconfigjson

Data
====
.dockerconfigjson:  140 bytes
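2. Create the ServiceAccount
2.1 Test whether the private registry image can be pulled without any configuration
Here the Pod is defined without any image pull configuration, to test whether it can pull an image from the private registry.
root@ks-master01-10:~# cat pod-serviceaccount-secret.yaml
apiVersion: v1
kind: Pod
metadata:
  name: stree-serviceaccount
spec:
  containers:
  - name: stree
    image: registry.cn-hangzhou.aliyuncs.com/lengyuye/stress:latest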
2.2 Check the Pod: it is in ErrImagePull
root@ks-master01-10:~# kubectl get pods
NAME                   READY   STATUS         RESTARTS   AGE
stree-serviceaccount   0/1     ErrImagePull   0          8s
2.3 Use describe to view the Events
The events show that this is a Docker registry authentication problem.
root@ks-master01-10:~# kubectl describe pods stree-serviceaccount
Events:
  Type     Reason     Age               From               Message
  ----     ------     ----              ----               -------
  Normal   Scheduled  20s               default-scheduler  Successfully assigned default/stree-serviceaccount to ks-node02-12
  Normal   BackOff    17s               kubelet            Back-off pulling image "registry.cn-hangzhou.aliyuncs.com/lengyuye/stress:latest"
  Warning  Failed     17s               kubelet            Error: ImagePullBackOff
  Normal   Pulling    2s (x2 over 19s)  kubelet            Pulling image "registry.cn-hangzhou.aliyuncs.com/lengyuye/stress:latest"
  Warning  Failed     2s (x2 over 18s)  kubelet            Failed to pull image "registry.cn-hangzhou.aliyuncs.com/lengyuye/stress:latest": rpc error: code = Unknown desc = Error response from daemon: pull access denied for registry.cn-hangzhou.aliyuncs.com/lengyuye/stress, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
  Warning  Failed     2s (x2 over 18s)  kubelet            Error: ErrImagePull
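2.4 Create the ServiceAccount
aliyun-haitang is a Secret object of the docker-registry type, created manually by the user in advance. Its key/value data provides the registry server address, the username and password used to access the server, the user's email address, and so on. Once authentication succeeds, Pod resources that reference the ServiceAccount can download images from the specified registry.
root@ks-master01-10:~# cat serviceaccount-imagepullsecret.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: imagepull-aliyun-sa
imagePullSecrets:
- name: aliyun-haitang
root@ks-master01-10:~# kubectl apply -f serviceaccount-imagepullsecret.yaml
serviceaccount/imagepull-aliyun-sa created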
2.5 View the ServiceAccount
root@ks-master01-10:~# kubectl get sa imagepull-aliyun-sa -o yaml
apiVersion: v1
imagePullSecrets:
- name: aliyun-haitang
kind: ServiceAccount
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","imagePullSecrets":[{"name":"aliyun-haitang"}],"kind":"ServiceAccount","metadata":{"annotations":{},"name":"imagepull-aliyun-sa","namespace":"default"}}
  creationTimestamp: "2022-09-07T02:31:05Z"
  name: imagepull-aliyun-sa
  namespace: default
  resourceVersion: "226300"
  uid: fabc93b1-572c-4703-a2dd-465d4e0915cb
secrets:
- name: imagepull-aliyun-sa-token-vf67z
2.6 Reference the ServiceAccount from the Pod
root@ks-master01-10:~# cat pod-serviceaccount-secret.yaml
apiVersion: v1
kind: Pod
metadata:
  name: stree-serviceaccount
spec:
  serviceAccount: imagepull-aliyun-sa # the name of the ServiceAccount created above
  containers:
  - name: stree
    image: registry.cn-hangzhou.aliyuncs.com/lengyuye/stress:latest
root@ks-master01-10:~/rbac# kubectl apply -f pod-serviceaccount-secret.yaml
pod/stree-serviceaccount created
3. Create the Pod and test
3.1 Check the Pod
root@ks-master01-10:~# kubectl get pods
NAME                   READY   STATUS    RESTARTS   AGE
stree-serviceaccount   1/1     Running   0          8s
3.2 Use describe to view the events
root@ks-master01-10:~# kubectl describe pods stree-serviceaccount
Events:
  Type    Reason     Age    From               Message
  ----    ------     ----   ----               -------
  Normal  Scheduled  3m36s  default-scheduler  Successfully assigned default/stree-serviceaccount to ks-node02-12
  Normal  Pulling    3m35s  kubelet            Pulling image "registry.cn-hangzhou.aliyuncs.com/lengyuye/stress:latest"
  Normal  Pulled     3m33s  kubelet            Successfully pulled image "registry.cn-hangzhou.aliyuncs.com/lengyuye/stress:latest" in 1.729555429s
  Normal  Created    3m33s  kubelet            Created container stree
  Normal  Started    3m33s  kubelet            Started container stree
3.3 View the detailed information
root@ks-master01-10:~# kubectl get pods stree-serviceaccount -o yaml
  imagePullSecrets:
  - name: aliyun-haitang
  nodeName: ks-node02-12
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: imagepull-aliyun-sa
  serviceAccountName: imagepull-aliyun-sa
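The walkthrough above (no credential in 2.1, then the ServiceAccount's imagePullSecrets appearing in the Pod spec in 3.3) can be checked offline before applying manifests. This is an added example, not code from the original post: the function names are hypothetical, the objects are constructed to mirror the page's names with placeholder credentials, and registry matching is simplified to bare host names.

```python
import base64, json
DOCKERCFG = "kubernetes.io/dockerconfigjson"

def registry_of(image):
    """Registry host of an image reference (docker.io when none is given)."""
    first, sep, _ = image.partition("/")
    return first if sep and ("." in first or ":" in first) else "docker.io"

def hosts_in(secret):
    """Registry hosts a docker-registry Secret carries credentials for."""
    if secret.get("type") != DOCKERCFG:
        return set()
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    # Simplification: compare bare hosts only; the kubelet also matches paths and globs.
    return {key.split("://")[-1].split("/")[0] for key in cfg.get("auths", {})}

def check_pull_config(pod, service_accounts, secrets):
    """Return findings; an empty list means every image has a matching credential."""
    spec = pod["spec"]
    sa_name = spec.get("serviceAccountName") or spec.get("serviceAccount") or "default"
    # Pod-level imagePullSecrets win; otherwise the ServiceAccount's list is injected.
    refs = spec.get("imagePullSecrets") or service_accounts.get(sa_name, {}).get("imagePullSecrets", [])
    findings, hosts = [], set()
    for ref in refs:
        if ref["name"] in secrets:
            hosts |= hosts_in(secrets[ref["name"]])
        else:
            findings.append(f"imagePullSecret {ref['name']!r} not found in namespace")
    for c in spec["containers"]:
        if registry_of(c["image"]) not in hosts:
            findings.append(f"no pull credential for {registry_of(c['image'])} ({c['name']})")
    return findings

def make_secret(server, user, password):
    """Constructed sample in the shape `kubectl create secret docker-registry` produces."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    cfg = json.dumps({"auths": {server: {"username": user, "password": password, "auth": auth}}})
    return {"type": DOCKERCFG, "data": {".dockerconfigjson": base64.b64encode(cfg.encode()).decode()}}

# Constructed objects mirroring the page's names; the credentials are placeholders.
IMAGE = "registry.cn-hangzhou.aliyuncs.com/lengyuye/stress:latest"
SECRETS = {"aliyun-haitang": make_secret("registry.cn-hangzhou.aliyuncs.com", "user", "pass")}
SAS = {"default": {}, "imagepull-aliyun-sa": {"imagePullSecrets": [{"name": "aliyun-haitang"}]}}

def pod(sa):
    return {"spec": {"serviceAccountName": sa, "containers": [{"name": "stree", "image": IMAGE}]}}
if __name__ == "__main__":
    for sa in ("default", "imagepull-aliyun-sa"):
        print(sa, check_pull_config(pod(sa), SAS, SECRETS))
```

The "not found in namespace" finding covers a ServiceAccount whose imagePullSecrets entry names a Secret that does not exist under that exact name, which on a cluster shows up the same way as the failure in step 2.2.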