ImagePullBackOff due to lack of node-client-ca.crt
Environment
- OpenShift Container Platform
- 3.10
Issue
- After redeploying the bootstrap kubeconfig certificate, image pulls from the local registry fail with the following error:
Failed to pull image "docker-registry.default.svc:5000": rpc error: code = Unknown desc = open /etc/docker/certs.d/docker-registry.default.svc:5000/node-client-ca.crt: no such file or directory
Resolution
- Recreate the symlink from the docker certificate directory to the node certificate (which is created when atomic-openshift-node is started):
# ln -s /etc/origin/node/node-client-ca.crt /etc/docker/certs.d/docker-registry.default.svc:5000/node-client-ca.crt
- Restart node services:
# systemctl restart docker
# systemctl restart atomic-openshift-node
- If the node certificate does not exist in /etc/origin/node/node-client-ca.crt, you will need to follow the steps in this KCS, which deals with a missing bootstrap kubeconfig.
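The check and repair from the steps above as one idempotent function, added here as an example that is not part of the original Red Hat solution. The function name and status words are hypothetical, the default paths are the ones in this article, and the node CA is assumed to be PEM-encoded.

```shell
#!/bin/sh
# Added example (not from the original article): idempotent check/repair of the
# docker certs.d symlink. Function name and status words are hypothetical.
# Prints one status word on stdout: ok | repaired | missing-ca | blocked | failed
# Usage on a node, as root, with the article's paths as defaults:
#   check_registry_ca_link

check_registry_ca_link() {
    ca="${1:-/etc/origin/node/node-client-ca.crt}"
    dir="${2:-/etc/docker/certs.d/docker-registry.default.svc:5000}"
    link="$dir/$(basename "$ca")"

    # The node CA must exist and look like a PEM certificate; otherwise a new
    # link would dangle and the missing bootstrap kubeconfig must be fixed first.
    if [ ! -s "$ca" ] || ! grep -q 'BEGIN CERTIFICATE' "$ca"; then
        echo "node CA missing or not PEM: $ca" >&2
        echo missing-ca; return 1
    fi

    # Healthy: a symlink whose target is the node CA and which resolves.
    if [ -L "$link" ] && [ "$(readlink "$link")" = "$ca" ] && [ -e "$link" ]; then
        echo ok; return 0
    fi

    # A regular file here may be a manually copied certificate: do not clobber it.
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "regular file in the way: $link" >&2
        echo blocked; return 1
    fi

    # Missing, dangling or mis-targeted link: recreate it (same ln as in the
    # Resolution step).
    if mkdir -p "$dir" && ln -sfn "$ca" "$link"; then
        echo "recreated $link; restart docker and atomic-openshift-node" >&2
        echo repaired; return 0
    fi
    echo failed; return 1
}
```

A `repaired` result still requires the two service restarts from the Resolution; `missing-ca` corresponds to the missing bootstrap kubeconfig case.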
Root Cause
- The symbolic link allows the docker pull to reference the node certificate located in /etc/origin/node/node-client-ca.crt. Without it, the pull will not trust the registry.