CD deployment to k8s fails Harbor permission verification

harbor-core log:

2021-03-24T10:37:21Z [DEBUG] [/core/filter/security.go:229]: OIDC CLI modifier only handles request by docker CLI or helm CLI
2021-03-24T10:37:21Z [DEBUG] [/core/filter/security.go:444]: can not get user information from session
2021-03-24T10:37:21Z [DEBUG] [/core/filter/security.go:499]: user information is nil
2021-03-24T10:37:21Z [DEBUG] [/core/filter/security.go:513]: using local database project manager
2021-03-24T10:37:21Z [DEBUG] [/core/filter/security.go:515]: creating local database security context…
2021-03-24T10:37:21Z [DEBUG] [/core/middlewares/url/handler.go:40]: in url handler, path: /v2/operation-auplatform/abs-common/manifests/2021.3.24-175915-master
2021/03/24 10:37:21 [D] [server.go:2774] | 10.64.21.196| 401 | 3.294452ms| match| HEAD /v2/operation-auplatform/abs-common/manifests/2021.3.24-175915-master r:/v2/*
2021-03-24T10:37:21Z [DEBUG] [/core/filter/security.go:444]: can not get user information from session
2021-03-24T10:37:21Z [DEBUG] [/core/filter/security.go:499]: user information is nil
2021-03-24T10:37:21Z [DEBUG] [/core/filter/security.go:513]: using local database project manager
2021-03-24T10:37:21Z [DEBUG] [/core/filter/security.go:515]: creating local database security context…
2021/03/24 10:37:21 [C] [panic.go:522] the request url is /service/token
2021/03/24 10:37:21 [C] [panic.go:522] Handler crashed with error ‘_xsrf’ argument missing from POST
2021/03/24 10:37:21 [C] [panic.go:522] /usr/local/go/src/runtime/panic.go:522
2021/03/24 10:37:21 [C] [panic.go:522] /harbor/src/vendor/github.com/astaxie/beego/context/context.go:80
2021/03/24 10:37:21 [C] [panic.go:522] /harbor/src/vendor/github.com/astaxie/beego/context/context.go:164
2021/03/24 10:37:21 [C] [panic.go:522] /harbor/src/vendor/github.com/astaxie/beego/controller.go:649
2021/03/24 10:37:21 [C] [panic.go:522] /harbor/src/vendor/github.com/astaxie/beego/router.go:788
2021/03/24 10:37:21 [C] [panic.go:522] /usr/local/go/src/net/http/server.go:2774
2021/03/24 10:37:21 [C] [panic.go:522] /usr/local/go/src/net/http/server.go:1878
2021/03/24 10:37:21 [C] [panic.go:522] /usr/local/go/src/runtime/asm_amd64.s:1337

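How should this be configured?

Hello, please confirm the following (go in order; if an earlier step cannot be completed, there is no need to look at the later ones):

  1. Check in the Harbor UI whether the image exists.
  2. Check whether the Harbor registry has the corresponding robot account.
  3. Check whether the username and password from the cluster's imagePullSecret let you docker login locally and pull the image.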

kubectl -n c7n-system logs -f harbor-harbor-core-7b646985b4-md4br
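The error is as follows:

1. The Harbor image exists

2. The robot account also exists
3. Secret information
4. docker login using the secret
All of the steps above check out fine, but the deployment still fails with the same error.
Even stranger, after setting the repository to public,
running kubectl create -f deployment.yaml starts the pod normally, while deployment from the web UI fails.

With the repository set to private
kubectl fails with the same error as the web UI
Error from describe pod: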
Failed to pull image “c7n-harbor.xxxx.com/operation-project-no1/app0001:2021.3.25-114722-master”: rpc error: code = Unknown desc = failed to pull and unpack image “c7n-harbor.xxxx.com/operation-project-no1/app0001:2021.3.25-114722-master”: failed to resolve reference “c7n-harbor.xxxx.com/operation-project-no1/app0001:2021.3.25-114722-master”: failed to authorize: failed to fetch oauth token: unexpected status: 403 Forbidden

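Does the Harbor domain point directly at the cluster nodes, or at some other load balancer in front of the cluster?

After logging in with the robot account on the host, can you pull the image?

I have now redeployed the k8s cluster to run containers with docker, and images pull normally now! I suspect the problem is at the k8s and containerd level.

The robot account can pull

All domains point to the worker nodes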
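
An added example, not posted by anyone in this thread and not Harbor's own code: a Python triage of harbor-core log lines like those in the first post, separating a token request that failed the `_xsrf` check on POST from one where the credentials were rejected. The function names, the constructed sample lines, and the rule that a 401 on /service/token means rejected credentials are assumptions.

```python
import re

# Constructed sample, modelled on the harbor-core log lines in the first post.
SAMPLE_LOG = """\
2021/03/24 10:37:21 [D] [server.go:2774] | 10.64.21.196| 401 | 3.294452ms| match| HEAD /v2/operation-auplatform/abs-common/manifests/2021.3.24-175915-master r:/v2/*
2021-03-24T10:37:21Z [DEBUG] [/core/filter/security.go:499]: user information is nil
2021/03/24 10:37:21 [C] [panic.go:522] the request url is /service/token
2021/03/24 10:37:21 [C] [panic.go:522] Handler crashed with error ‘_xsrf’ argument missing from POST
2021/03/24 10:37:21 [C] [panic.go:522] /harbor/src/vendor/github.com/astaxie/beego/context/context.go:80
"""

ACCESS = re.compile(r"\[D\] \[server\.go:\d+\] \|\s*(?P<ip>[\d.]+)\|\s*(?P<status>\d{3})\s*\|"
                    r".*?\|\s*(?P<method>[A-Z]+)\s+(?P<path>\S+)")
PANIC_URL = re.compile(r"\[C\] \[panic\.go:\d+\] the request url is (?P<url>\S+)")
PANIC_ERR = re.compile(r"\[C\] \[panic\.go:\d+\] Handler crashed with error (?P<err>.+)")


def triage(log_text):
    """Return findings (dicts) in log order for registry auth failures."""
    findings, challenged, panic_url = [], False, None
    for line in log_text.splitlines():
        if m := ACCESS.search(line):
            status, path = int(m["status"]), m["path"]
            if status == 401 and path.startswith("/v2/"):
                challenged = True  # anonymous registry request; client must now fetch a token
                findings.append({"kind": "registry_challenge", "client": m["ip"], "path": path})
            elif status == 401 and path.startswith("/service/token"):
                # Assumption: a 401 from the token service means the credentials were rejected.
                findings.append({"kind": "token_credentials_rejected", "client": m["ip"]})
        elif m := PANIC_URL.search(line):
            panic_url = m["url"]  # the next "Handler crashed" line belongs to this URL
        elif (m := PANIC_ERR.search(line)) and panic_url:
            err = m["err"].strip()
            xsrf = "_xsrf" in err and "POST" in err and panic_url.startswith("/service/token")
            findings.append({"kind": "token_post_blocked_by_xsrf" if xsrf else "handler_panic",
                             "url": panic_url, "after_challenge": challenged, "error": err})
            panic_url = None
    return findings


def verdict(findings):
    """Summarise the findings as one line for the operator."""
    kinds = {f["kind"] for f in findings}
    if "token_post_blocked_by_xsrf" in kinds:
        return "POST to /service/token failed the _xsrf check (not a credential rejection)"
    if "token_credentials_rejected" in kinds:
        return "token service rejected the supplied credentials"
    return "no token-service failure found"
```

Running `verdict(triage(...))` over the output of the `kubectl -n c7n-system logs` command from the thread gives a one-line classification; on the sample it reports the `_xsrf` case, which matches the robot account and secret checking out fine in the thread.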