How to resolve a problem "certificate signed by unknown authority" in GKE on pulling image (a private registry) when a pod is created?

I generated a CA certificate, then issued a certificate based on it for a private registry, that located in the same GKE cluster. Put the server certificates to the private registry and the CA certificate to all GKE nodes and run:

update-ca-certificates && systemctl restart docker

Images are building and putting into the private registry without problems. When a pod tries to pull the an image from the repository I get an error:

x509: certificate signed by unknown authority

Also I tried to put the CA certificate to the docker certs.d directory (10.3.240.100:3000 — the IP address of the private registry) and restart the docker on each node of the GKE cluster, but it doesn’t help too:

/etc/docker/certs.d/10.3.240.100:3000/ca.cert

How to solve this problem? Am I understand correctly that the GKE nodes’ docker is responsible for pulling images when creating a pod?

Source: Docker Questions

LEAVE A COMMENT