After Updating Private Registry Certificate, Guest Cluster Image Pulls Fail with “x509: certificate signed by unknown authority”
Article ID: 413820


Products

VMware vSphere Kubernetes Service

Issue/Introduction

  • The certificate of a private container registry was recently updated. Since then, pods on the Guest Cluster cannot pull images from that registry, and pulling manually from a node with crictl fails with the following error:
    crictl pull <Image Name>

    HH:MM:SS 1064617 remote_image.go:180] "PullImage from image service failed" err="rpc error: code = Unknown desc = failed to pull and unpack image \"<FQDN_of_Container_Registry>/<container name>:2024.1_interp\": failed to do request: Head \"https://<URL of Container Registry from where Image is being pulled>\": tls: failed to verify certificate: x509: certificate signed by unknown authority" image="<Image Name>"
    FATA[0000] pulling image: failed to pull and unpack image "<Image Name>": failed to do request: Head "https://<URL of Container Registry from where Image is being pulled>": tls: failed to verify certificate: x509: certificate signed by unknown authority

  • Guest Cluster nodes (both control plane and worker) are unable to pull container images from the updated registry.

Environment

VMware vSphere Kubernetes Service

Cause

The updated certificate of the external container registry, or the CA that issued it, was not injected into the Guest Cluster. containerd on the Guest Cluster nodes validates the registry's TLS chain against the node trust store; because the new issuer is absent from that store, chain building fails and the pull is rejected with "x509: certificate signed by unknown authority". The error is raised on the HTTPS HEAD request for the image manifest, before any registry authentication or image data is exchanged, so registry credentials and image contents play no part in it. The symptom also shows that the registry certificate now chains to an issuer the nodes do not trust: either a different CA was used for the new certificate, or the trust bundle contained the previous leaf certificate rather than its issuing CA.

This typically occurs in vSphere Kubernetes Service (TKGS) clusters that use ClusterClass-based configuration, where the new CA certificate must be explicitly added to the cluster spec so that it is distributed to every node.
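The following shell script is an added diagnostic and is not part of this KB article or of the vSphere Kubernetes Service product. It reproduces the failure described in the Issue section offline and shows the check behind the Cause above: it builds a throwaway PKI (constructed demo data, not real registry certificates), re-issues the registry certificate under a different CA, and verifies that the chain check containerd performs (Go crypto/x509, approximated here with openssl verify) fails against the stale trust bundle and succeeds once the new CA is present. The registry hostname registry.example.internal is an assumption; the registry_leaf function is the only part that needs network access and is intended to be run from a Guest Cluster node against the real registry.

```shell
#!/bin/sh
# Added diagnostic for the "x509: certificate signed by unknown authority"
# symptom; not code from the KB article. All certificates are generated at
# run time (constructed demo PKI). registry.example.internal is an assumption.
set -u

# make_demo_pki DIR
# Creates old-ca.crt, new-ca.crt and registry.crt (signed by new-ca) in DIR.
# old-ca stands for the CA the Guest Cluster nodes still trust; new-ca for
# the CA the registry certificate was re-issued under when it was updated.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    for ca in old new; do
        # self-signed CA; openssl req -x509 marks it CA:TRUE by default
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
            -nodes -days 1 -subj "/CN=Demo ${ca} registry CA" \
            -keyout "$dir/${ca}-ca.key" -out "$dir/${ca}-ca.crt" 2>/dev/null
    done
    # registry leaf certificate, issued by the NEW CA only
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=registry.example.internal" \
        -keyout "$dir/registry.key" -out "$dir/registry.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/registry.csr" \
        -CA "$dir/new-ca.crt" -CAkey "$dir/new-ca.key" -CAcreateserial \
        -out "$dir/registry.crt" 2>/dev/null
}

# cert_trusted_by BUNDLE CERT
# Returns 0 when CERT chains to a CA contained in BUNDLE, non-zero otherwise.
# A non-zero result is the condition containerd reports as
# "x509: certificate signed by unknown authority".
cert_trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_of CERT
# Prints the issuer DN of CERT. Compare it with the subjects in the node's
# trust bundle to identify which CA certificate is missing from the cluster.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# registry_leaf HOST:PORT OUT
# Fetches the leaf certificate the registry currently serves into OUT.
# Run from a Guest Cluster node; then check it with
#   cert_trusted_by <node trust bundle> OUT
registry_leaf() {
    openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts \
        </dev/null 2>/dev/null | openssl x509 -outform PEM > "$2"
}

# run_demo
# Reproduces the KB symptom offline: the same registry certificate is
# rejected by the stale bundle and accepted once the new CA is trusted.
run_demo() {
    dir=$(mktemp -d)
    make_demo_pki "$dir"
    echo "registry certificate issuer: $(issuer_of "$dir/registry.crt")"
    if cert_trusted_by "$dir/old-ca.crt" "$dir/registry.crt"; then
        echo "stale trust bundle: trusted (unexpected)"
    else
        echo "stale trust bundle: x509: certificate signed by unknown authority"
    fi
    if cert_trusted_by "$dir/new-ca.crt" "$dir/registry.crt"; then
        echo "bundle with new CA: trusted"
    fi
    rm -rf "$dir"
}

run_demo
```

On a real node, run registry_leaf against the registry, then cert_trusted_by with the node's CA bundle as BUNDLE: a failure there, while the same leaf verifies against the CA file the registry team published, confirms that the cluster trust store, not the registry, is what needs updating.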

Resolution