k8s No-Brainer Series (8): Deploying Jenkins
2. Starting the deployment
2.1 Create a namespace
```shell
$ kubectl create namespace jenkins
```
2.2 Create the Jenkins storage: jenkins-storage.yaml
This example uses NFS; add the matching export on the NFS server first.
```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: jekins-pv
spec:
  capacity:
    storage: 20Gi
  accessModes:
    - ReadWriteMany
  # Note: the NFS plugin has no deleter, so with Delete a released PV ends up Failed instead of
  # being cleaned up; Retain is the usual choice for a Jenkins home.
  persistentVolumeReclaimPolicy: Delete
  nfs:
    server: 192.168.56.4
    path: /data/nfs/jekins
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: jenkins-pvc
  namespace: jenkins
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 20Gi
```
2.3 Create the service account and permissions
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins-sa
  namespace: jenkins
---
kind: ClusterRole
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 has the same schema
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jenkins-cluster-role
rules:
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments"]
    verbs: ["create", "delete", "get", "list", "watch", "patch", "update"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["create", "delete", "get", "list", "watch", "patch", "update"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: jenkins-cluster-role-binding
  # ClusterRoleBindings are cluster-scoped; the namespace field in the original is ignored and was dropped.
# A ClusterRoleBinding applies the role in every namespace, so jenkins-sa gets pods/exec and
# secrets access cluster-wide. If Jenkins only deploys into its own namespace, a Role plus
# RoleBinding in the jenkins namespace is the least-privilege form.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # name of the role
  name: jenkins-cluster-role
subjects:
  - kind: ServiceAccount
    # name of the service account
    name: jenkins-sa
    namespace: jenkins
```
- Verify that the objects were created
```shell
$ kubectl describe clusterrole jenkins-cluster-role
Name:         jenkins-cluster-role
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources               Non-Resource URLs  Resource Names  Verbs
  ---------               -----------------  --------------  -----
  pods/exec               []                 []              [create delete get list patch update watch]
  pods                    []                 []              [create delete get list patch update watch]
  services                []                 []              [create delete get list watch patch update]
  deployments.apps        []                 []              [create delete get list watch patch update]
  deployments.extensions  []                 []              [create delete get list watch patch update]
  pods/log                []                 []              [get list watch]
  secrets                 []                 []              [get]
```
The role has been created.
```shell
$ kubectl describe clusterrolebinding jenkins-cluster-role-binding
Name:         jenkins-cluster-role-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  jenkins-cluster-role
Subjects:
  Kind            Name        Namespace
  ----            ----        ---------
  ServiceAccount  jenkins-sa  jenkins
```
The "role" is now bound to the "account".
3. Review of what has been prepared
| Name | Value | Purpose | Notes |
|---|---|---|---|
| namespace | jenkins | namespace | isolates Jenkins in its own namespace for safety |
| pv, pvc | jekins-pv, jenkins-pvc | storage | needed by Jenkins builds |
| ServiceAccount | jenkins-sa | operating account | |
| ClusterRole | jenkins-cluster-role | cluster role | Jenkins automated deployments operate on the cluster, so this is required |
3.1 Deploying Jenkins
```yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jenkins-deploy
  namespace: jenkins
spec:
  selector:
    matchLabels:
      app: jenkins-pod
  template:
    metadata:
      labels:
        app: jenkins-pod
    spec:
      terminationGracePeriodSeconds: 10
      serviceAccountName: jenkins-sa   # the original used the deprecated 'serviceAccount' field
      imagePullSecrets:
        - name: jenkins-secret   # pull secret for the private registry; not created in this post
      containers:
        - name: jenkins
          image: registry.i.smokelee.com/devops/jenkins:lts
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8080
              name: web
              protocol: TCP
            - containerPort: 50000
              name: agent
              protocol: TCP
          resources:
            limits:
              cpu: 1000m
              memory: 1Gi
            requests:
              cpu: 500m
              memory: 512Mi
          livenessProbe:
            httpGet:
              path: /login
              port: 8080
            initialDelaySeconds: 60
            timeoutSeconds: 5
            failureThreshold: 12
          readinessProbe:
            httpGet:
              path: /login
              port: 8080
            initialDelaySeconds: 60
            timeoutSeconds: 5
            failureThreshold: 12
          volumeMounts:
            - name: jenkinshome
              subPath: jenkins
              mountPath: /var/jenkins_home
          env:
            - name: LIMITS_MEMORY
              valueFrom:
                resourceFieldRef:
                  resource: limits.memory
                  divisor: 1Mi
            # -Xmx is set to the whole container limit here; JVM non-heap memory (metaspace, threads)
            # then pushes the container over its limit, so leave headroom in practice.
            - name: JAVA_OPTS
              value: -Xmx$(LIMITS_MEMORY)m -XshowSettings:vm -Dhudson.slaves.NodeProvisioner.initialDelay=0 -Dhudson.slaves.NodeProvisioner.MARGIN=50 -Dhudson.slaves.NodeProvisioner.MARGIN0=0.85 -Duser.timezone=Asia/Shanghai
      securityContext:
        fsGroup: 1000
      volumes:
        - name: jenkinshome
          persistentVolumeClaim:
            claimName: jenkins-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: jenkins-svc
  namespace: jenkins
  labels:
    app: jenkins-svc
spec:
  selector:
    app: jenkins-pod
  ports:
    - name: web
      port: 8080
      targetPort: web
    - name: agent
      port: 50000
      targetPort: agent
```
4. A few more words
Many people, when writing YAML, use a single name for everything: in the Deployment above, for example, every name would simply be "jenkins". That is easy to learn and hard to get wrong (true, to a degree), but it is a bad idea! It is misleading and a bad habit. The right approach is to understand the scope and purpose of each name. You must be clear about which object selects which resources through labels!
For example:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jenkins-deploy   # this is the Deployment's name; a name, a name, not a label
  namespace: jenkins
spec:
  selector:
    matchLabels:
      app: jenkins-pod   # must match the labels under template: deployment.Spec.Selector picks the
                         # already-created Pods in the cluster whose label is "app: jenkins-pod"
  template:
    metadata:
      labels:
        app: jenkins-pod   # only Pods created from this template carry this label; it pairs with
                           # matchLabels in deployment.Spec.Selector
```
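As an added example (not part of the original post), a stdlib-only Python lint for the two relations this section and section 2.3 rest on: the Deployment's matchLabels against its template labels, and the serviceAccountName, claimName and binding subjects against objects actually defined in the bundle; it also flags a ClusterRoleBinding that hands out pods/exec or secrets, since such a binding applies in every namespace. The objects are abridged dict copies of the manifests above, constructed here so the check runs without PyYAML.

```python
# Added example (not from the post): a stdlib-only consistency lint for the bundle above.
# The objects mirror the page's manifests in abridged dict form so it runs without PyYAML.
BUNDLE = [
    {"kind": "ServiceAccount", "metadata": {"name": "jenkins-sa", "namespace": "jenkins"}},
    {"kind": "PersistentVolumeClaim", "metadata": {"name": "jenkins-pvc", "namespace": "jenkins"}},
    {"kind": "ClusterRole", "metadata": {"name": "jenkins-cluster-role"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
               {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "jenkins-cluster-role-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "jenkins-cluster-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "jenkins-sa", "namespace": "jenkins"}]},
    {"kind": "Deployment", "metadata": {"name": "jenkins-deploy", "namespace": "jenkins"},
     "spec": {"selector": {"matchLabels": {"app": "jenkins-pod"}},
              "template": {"metadata": {"labels": {"app": "jenkins-pod"}},
                           "spec": {"serviceAccountName": "jenkins-sa",
                                    "volumes": [{"name": "jenkinshome",
                                                 "persistentVolumeClaim": {"claimName": "jenkins-pvc"}}]}}}},
]
SENSITIVE = {"pods/exec", "secrets"}  # cluster-wide grants of these deserve a second look

def lint(objects):
    """Return finding strings; an empty list means names, labels and bindings line up."""
    findings = []
    defined = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]) for o in objects}
    roles = {o["metadata"]["name"]: o for o in objects if o["kind"] == "ClusterRole"}
    for o in objects:
        kind, name, ns = o["kind"], o["metadata"]["name"], o["metadata"].get("namespace")
        if kind == "Deployment":
            sel = o["spec"]["selector"]["matchLabels"]
            labels = o["spec"]["template"]["metadata"]["labels"]
            # matchLabels must be satisfied by the template labels, or the Deployment owns no pods
            if any(labels.get(k) != v for k, v in sel.items()):
                findings.append(f"{name}: selector {sel} does not match template labels {labels}")
            pod = o["spec"]["template"]["spec"]
            sa = pod.get("serviceAccountName", "default")  # a missing field means 'default'
            if sa != "default" and ("ServiceAccount", ns, sa) not in defined:
                findings.append(f"{name}: serviceAccountName {sa!r} is not defined in the bundle")
            for vol in pod.get("volumes", []):
                claim = vol.get("persistentVolumeClaim", {}).get("claimName")
                if claim and ("PersistentVolumeClaim", ns, claim) not in defined:
                    findings.append(f"{name}: claimName {claim!r} is not defined in the bundle")
        elif kind == "ClusterRoleBinding":
            for s in o["subjects"]:
                if (s["kind"], s.get("namespace"), s["name"]) not in defined:
                    findings.append(f"{name}: subject {s['name']!r} is not defined in the bundle")
            role = roles.get(o["roleRef"]["name"])
            hot = sorted({r for rule in role["rules"] for r in rule["resources"] if r in SENSITIVE}) if role else []
            if hot:  # a ClusterRoleBinding applies the role in every namespace, not just 'jenkins'
                findings.append(f"{name}: grants {hot} in every namespace (consider Role/RoleBinding)")
    return findings
```

Run it over the manifests as written and the only finding is the cluster-wide grant; change the template label to "jenkins" while leaving matchLabels alone, as section 4 warns against, and the selector mismatch is reported as well.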