Getting "x509: certificate signed by unknown authority" even with "--insecure-skip-tls-verify" option in Kubernetes

Question

I have a private Docker image registry running on a Linux VM (10.78.0.228:5000) and a Kubernetes master running on a different VM running Centos Linux 7.

I used the below command to create a POD:
kubectl create --insecure-skip-tls-verify -f monitorms-rc.yml

I get this:

sample monitorms-mmqhm 0/1 ImagePullBackOff 0 8m

and upon running: kubectl describe pod monitorms-mmqhm --namespace=sample

Warning Failed Failed to pull image "10.78.0.228:5000/monitorms": Error response from daemon: {"message":"Get https://10.78.0.228:5000/v1/_ping: x509: certificate signed by unknown authority"}

Isn't Kubernetes supposed to ignore the server certificate for all operations during POD creation when the --insecure-skip-tls-verify is passed?

If not, how do I make it ignore the tls verification while pulling the docker image?

PS:

Kubernetes version :

Client Version: v1.5.2 Server Version: v1.5.2

I have raised this issue here: https://github.com/kubernetes/kubernetes/issues/43924

Answer 1

The issue you're seeing is actually a docker issue. Using --insecure-skip-tls-verify is a valid arg to kubectl, but it only deals with the connecition between kubectl and the kubernetes API server. The error you're seeing is actually because the docker daemon cannot login to the private registry because the cert it's using in unsigned.

Have a look at the Docker insecure registry docs and this should solve your problem.