环境说明：

我registry搭建的环境在centos7上，在出现报错之前，已经在将registry的证书放在了/etc/containerd/certs.d/registry.xxxxxxxxx.cn/registry.xxxxxxxxx.cn.crt 目录下，结果在kubernetes集群内部 pull 镜像时，还是出现了下面的报错：

Failed to pull image "registry.xxxxxxxxx.cn/xxxxxxxxx-server:0.0.11": rpc error: code = Unknown desc = failed to pull and unpack image "registry.xxxxxxxxx.cn/xxxxxxxxx-server:0.0.11": failed to resolve reference "registry.xxxxxxxxx.cn/xxxxxxxxx-server:0.0.11": failed to do request: Head "https://registry.xxxxxxxxx.cn/v2/xxxxxxxxx-server/manifests/0.0.11": x509: certificate signed by unknown authority

• 在 kubernetes 集群外部用 nerdctl pull 镜像时没问题的，能读取 /etc/containerd/certs.d/domin/domain.crt 证书，并认证成功

这里猜测是kubernetes不会去自动读取镜像私有仓库的证书

解决步骤

cp /etc/containerd/certs.d/registry.xxxxxxxxx.cn/registry.xxxxxxxxx.cn.crt /etc/pki/ca-trust/source/anchors/
ln -s /etc/pki/ca-trust/source/anchors/registry.xxxxxxxxx.cn.crt /etc/ssl/certs/registry.xxxxxxxxx.cn.crt
update-ca-trust 
systemctl restart containerd # 可能只需要这一步就可以了

• 先是按照centos 导入证书的操作，导入 domain.crt
• 再是重启 containerd。（这里我就没有继续细化去验证了，我觉得不导入domain.crt ，直接重启 containerd 也能解决问题。）

OK。