24 Mar 2023 07:54 AM
The underlying host's container runtime doesn't contain the certificate presented by your endpoint.
Note: The skipCertCheck field in the DynaKube YAML does not control this certificate check.
Example error (the error message may vary):
desc = failed to pull and unpack image "<environment>/linux/activegate:latest": failed to resolve reference "<environment>/linux/activegate:latest": failed to do request: Head "<environment>/linux/activegate/manifests/latest": x509: certificate signed by unknown authority
Warning Failed ... Error: ErrImagePull
Normal BackOff ... Back-off pulling image "<environment>/linux/activegate:latest"
Warning Failed ... Error: ImagePullBackOff
In this example, if the description on your pod shows x509: certificate signed by unknown authority, you must fix the certificates on your Kubernetes hosts, or use the private repository configuration to store the images.
The documentation does not explicitly describe how to fix the certificates on Kubernetes hosts; it just mentions that they need to be fixed.
Does anyone have a stepwise guide on how to fix this by resolving the certificate issue?
24 Mar 2023 08:26 AM
The documentation does not describe the fix because 1) it is not a Dynatrace product-related issue, and 2) each environment has security requirements and technology dependencies. The issue occurs because your container runtime client, which is responsible for pulling images from an image repository, does not trust the cert provided by that resource.
To solve this certificate issue, you need to add the certificate of the private image repository to the trusted CA (Certificate Authority) of your Kubernetes/OpenShift cluster.
29 Mar 2023 01:56 PM
I had a similar issue and resolved it by putting the Certificate Authority certificate in a file called ca.crt under /etc/docker/certs.d/<environment URL:port>
13 Jun 2023 06:00 PM - edited 13 Jun 2023 06:03 PM
We are having the same issue in OpenShift 4.x. We confirmed the skip auth is set to true in the YAML. Per your solution, I have the ca.cert, but I don't know where to place this ca.cert bundle from the OpenShift end to get this resolved.
13 Jun 2023 09:25 PM
I believe this is what you are looking for: https://docs.openshift.com/container-platform/4.10/openshift_images/image-configuration.html. Look for additionalTrustedCA.
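
A check that a given ca.crt really is the issuer of the registry's certificate before it is placed under /etc/docker/certs.d or referenced by additionalTrustedCA, as an added example that is not part of the thread. The registry name, the ConfigMap name registry-cas and the throwaway certificates are constructed, and the oc commands are only printed, not run.

```sh
# Added example, not from the thread. Hostnames, file names and the ConfigMap
# name "registry-cas" are constructed placeholders.
# 0 if the certificate in $2 chains to the CA certificate in $1.
ca_signs_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Per-registry CA directory for the Docker runtime (path given in the thread).
docker_certs_dir() {            # $1 = registry host[:port]
    printf '/etc/docker/certs.d/%s\n' "$1"
}

# ConfigMap key for OpenShift additionalTrustedCA: host, with ":port" as "..port".
openshift_ca_key() {            # $1 = registry host[:port]
    printf '%s\n' "$1" | sed 's/:/../'
}

# Print (do not run) the oc commands that register the CA cluster-wide.
print_oc_commands() {           # $1 = registry host[:port], $2 = CA file
    echo "oc create configmap registry-cas -n openshift-config --from-file=$(openshift_ca_key "$1")=$2"
    echo "oc patch image.config.openshift.io/cluster --type=merge -p '{\"spec\":{\"additionalTrustedCA\":{\"name\":\"registry-cas\"}}}'"
}

# Constructed test PKI: ca.crt signs srv.crt; other.crt is an unrelated CA.
make_demo_pki() {               # $1 = empty work directory
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Registry CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=registry.example.internal" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 2 -days 1 -out "$d/srv.crt" 2>/dev/null
}

# Demo. On a real host, srv.crt would be the certificate the registry presents.
registry=registry.example.internal:5000
work=$(mktemp -d)
make_demo_pki "$work"
for ca in ca.crt other.crt; do
    if ca_signs_cert "$work/$ca" "$work/srv.crt"; then
        echo "$ca issued the registry certificate: copy it to $(docker_certs_dir "$registry")/ca.crt"
        print_oc_commands "$registry" "$work/$ca"
    else
        echo "$ca did not issue it: pulls would still fail with 'x509: certificate signed by unknown authority'"
    fi
done
rm -rf "$work"
```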