k8s No-Brainer Series (8): Deploying Jenkins

2. Start the deployment

2.1 Create a namespace

$ kubectl create namespace jenkins

2.2 Create the Jenkins storage (jenkins-storage.yaml)

This example uses NFS; add the relevant entry in NFS.

apiVersion: v1
kind: PersistentVolume
metadata:
  name: jekins-pv
spec:
  capacity:
    storage: 20Gi
  accessModes:
  - ReadWriteMany
  persistentVolumeReclaimPolicy: Delete
  nfs:
    server: 192.168.56.4
    path: /data/nfs/jekins

---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: jenkins-pvc
  namespace: jenkins
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 20Gi

2.3 Create the account and permissions

apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins-sa
  namespace: jenkins

---
kind: ClusterRole
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; use v1
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jenkins-cluster-role
rules:
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments"]
    verbs: ["create", "delete", "get", "list", "watch", "patch", "update"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["create", "delete", "get", "list", "watch", "patch", "update"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get","list","watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]

---
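# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; use v1
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  # A ClusterRoleBinding is cluster-scoped, so it takes no namespace
  name: jenkins-cluster-role-binding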
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # Name of the role
  name: jenkins-cluster-role
subjects:
  - kind: ServiceAccount
    # Name of the account
    name: jenkins-sa
    namespace: jenkins

• Verify that the resources were created

  $ kubectl describe clusterrole jenkins-cluster-role
  Name:         jenkins-cluster-role
  Labels:       <none>
  Annotations:  <none>
  PolicyRule:
  Resources               Non-Resource URLs  Resource Names  Verbs
  ---------               -----------------  --------------  -----
  pods/exec               []                 []              [create delete get list patch update watch]
  pods                    []                 []              [create delete get list patch update watch]
  services                []                 []              [create delete get list watch patch update]
  deployments.apps        []                 []              [create delete get list watch patch update]
  deployments.extensions  []                 []              [create delete get list watch patch update]
  pods/log                []                 []              [get list watch]
  secrets                 []                 []              [get]

You can see that it was created successfully.

$ kubectl describe clusterrolebinding jenkins-cluster-role-binding
Name:         jenkins-cluster-role-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  jenkins-cluster-role
Subjects:
  Kind            Name        Namespace
  ----            ----        ---------
  ServiceAccount  jenkins-sa  jenkins

You can see that the "role" and the "account" are now bound.
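
The ClusterRoleBinding above applies every rule of jenkins-cluster-role in all namespaces, so it is worth listing which rules reach credentials or running workloads. This is an added example, not part of the original article: the rules are copied from the manifest above, while the SENSITIVE checklist and the function names are assumptions of the example.

```python
ALL = ["create", "delete", "get", "list", "patch", "update", "watch"]

# Rules copied from jenkins-cluster-role above, in the shape of the .rules
# field returned by `kubectl get clusterrole jenkins-cluster-role -o json`.
RULES = [
    {"apiGroups": ["extensions", "apps"], "resources": ["deployments"], "verbs": ALL},
    {"apiGroups": [""], "resources": ["services"], "verbs": ALL},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ALL},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ALL},
    {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
]

# Core-group grants worth reviewing. This checklist is an assumption of the
# example, not an official or complete list.
SENSITIVE = {
    ("secrets", "get"): "reads Secret contents by name",
    ("secrets", "list"): "reads every Secret in scope",
    ("pods/exec", "create"): "runs commands in existing containers",
    ("pods", "create"): "starts pods that can mount Secrets in scope",
}


def grants(rule, resource, verb):
    """True if one RBAC rule allows `verb` on a core-group `resource`."""
    def has(wanted, granted):
        return "*" in granted or wanted in granted  # "*" is the RBAC wildcard
    return (has("", rule["apiGroups"]) and has(resource, rule["resources"])
            and has(verb, rule["verbs"]))


def audit(rules, binding_kind, namespace=None):
    """List (scope, resource, verb, reason) for each sensitive grant.

    A ClusterRoleBinding applies the rules in every namespace. A RoleBinding,
    even one whose roleRef is a ClusterRole, applies them only in its own.
    """
    scope = ("cluster-wide" if binding_kind == "ClusterRoleBinding"
             else f"namespace/{namespace}")
    return [(scope, res, verb, why) for (res, verb), why in SENSITIVE.items()
            if any(grants(rule, res, verb) for rule in rules)]


if __name__ == "__main__":
    for finding in audit(RULES, "ClusterRoleBinding"):      # as bound on this page
        print(*finding, sep=" | ")
    for finding in audit(RULES, "RoleBinding", "jenkins"):  # narrower binding
        print(*finding, sep=" | ")
```

If Jenkins only deploys into its own namespace, a RoleBinding in `jenkins` that references the same ClusterRole keeps these grants inside that namespace.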

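3. Review what has been prepared

Name                              Purpose            Notes
namespace jenkins                 Namespace          Namespace isolation, for security
pv, pvc jekins-pv                 Storage            Needed by Jenkins during integration
ServiceAccount jenkins-sa         Operating account
ClusterRole jenkins-cluster-role  Cluster role       Jenkins deploys automatically and has to operate on the cluster, so this is required

3.1 Deploy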

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jenkins-deploy
  namespace: jenkins
spec:
  selector:
    matchLabels:
      app: jenkins-pod
  template:
    metadata:
      labels:
        app: jenkins-pod
    spec:
      terminationGracePeriodSeconds: 10
      # serviceAccountName is the current field; serviceAccount is its deprecated alias
      serviceAccountName: jenkins-sa
      imagePullSecrets:
      - name: jenkins-secret
      containers:
      - name: jenkins
        image: registry.i.smokelee.com/devops/jenkins:lts
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8080
          name: web
          protocol: TCP
        - containerPort: 50000
          name: agent
          protocol: TCP
        resources:
          limits:
            cpu: 1000m
            memory: 1Gi
          requests:
            cpu: 500m
            memory: 512Mi
        livenessProbe:
          httpGet:
            path: /login
            port: 8080
          initialDelaySeconds: 60
          timeoutSeconds: 5
          failureThreshold: 12
        readinessProbe:
          httpGet:
            path: /login
            port: 8080
          initialDelaySeconds: 60
          timeoutSeconds: 5
          failureThreshold: 12
        volumeMounts:
        - name: jenkinshome
          subPath: jenkins
          mountPath: /var/jenkins_home
        env:
        - name: LIMITS_MEMORY
          valueFrom:
            resourceFieldRef:
              resource: limits.memory
              divisor: 1Mi
        - name: JAVA_OPTS
          value: -Xmx$(LIMITS_MEMORY)m -XshowSettings:vm -Dhudson.slaves.NodeProvisioner.initialDelay=0 -Dhudson.slaves.NodeProvisioner.MARGIN=50 -Dhudson.slaves.NodeProvisioner.MARGIN0=0.85 -Duser.timezone=Asia/Shanghai
      securityContext:
        fsGroup: 1000
      volumes:
      - name: jenkinshome
        persistentVolumeClaim:
          claimName: jenkins-pvc

---
apiVersion: v1
kind: Service
metadata:
  name: jenkins-svc
  namespace: jenkins
  labels:
    app: jenkins-svc
spec:
  selector:
    app: jenkins-pod
  ports:
  - name: web
    port: 8080
    targetPort: web
  - name: agent
    port: 50000
    targetPort: agent

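4. A few extra words

When writing YAML, many people use one and the same name everywhere; in the Deployment above, for example, every name would simply be jenkins. That is certainly easy to learn and hard to get wrong (which is true to a degree).
But it is a very bad idea! It is misleading, and it is a bad habit. The best approach is to understand the scope and purpose of each name. You must be clear about which object selects which resources through labels!
For example: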

apiVersion: apps/v1
kind: Deployment
metadata:
  name: jenkins-deploy  # This is the name of the Deployment. A name, not a label.
  namespace: jenkins
spec:
  selector:
    matchLabels:
      app: jenkins-pod  # Must match the labels under template, because deployment.spec.selector selects the Pods in the cluster that carry the label "app: jenkins-pod"
  template:
    metadata:
      labels:
        app: jenkins-pod  # A label that only Pods created from this template carry; it pairs with matchLabels in deployment.spec.selector
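
The point above, that selection goes through labels and never through object names, can be checked mechanically. This is an added example, not part of the original article: it goes slightly beyond the text by also evaluating matchExpressions, and the function names and the jenkins-svc-wrong Service are constructed for illustration.

```python
def selects(selector, labels):
    """Kubernetes LabelSelector semantics: every requirement must hold."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True


def check(deployment, services):
    """Map each object to whether its selector matches the pod template labels."""
    pod_labels = deployment["spec"]["template"]["metadata"]["labels"]
    result = {"deployment": selects(deployment["spec"]["selector"], pod_labels)}
    for svc in services:
        sel = svc["spec"].get("selector") or {}
        # A Service selector is a plain key/value map; an empty one selects no pods.
        result[svc["metadata"]["name"]] = bool(sel) and selects(
            {"matchLabels": sel}, pod_labels)
    return result


# Manifests from this page, reduced to the fields that take part in selection.
DEPLOY = {"metadata": {"name": "jenkins-deploy"},
          "spec": {"selector": {"matchLabels": {"app": "jenkins-pod"}},
                   "template": {"metadata": {"labels": {"app": "jenkins-pod"}}}}}
SVC = {"metadata": {"name": "jenkins-svc", "labels": {"app": "jenkins-svc"}},
       "spec": {"selector": {"app": "jenkins-pod"}}}
# Constructed mistake: the Service selects on its own label, not the Pods' label.
SVC_WRONG = {"metadata": {"name": "jenkins-svc-wrong", "labels": {"app": "jenkins-svc"}},
             "spec": {"selector": {"app": "jenkins-svc"}}}

if __name__ == "__main__":
    print(check(DEPLOY, [SVC, SVC_WRONG]))
```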