Deploying a continuous-integration environment on k8s

Preparation before installing:
Turn off the firewall
Disable selinux
Install docker-ce
1. Install harbor; see the earlier notes.
2. Install and configure git; see the earlier notes.
3. Deploy an NFS server on the git host, and install the nfs-utils client on every node.
4. Create the nfs-client-provisioner client.
cat class.yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: managed-nfs-storage
provisioner: fuseim.pri/ifs # or choose another name, must match deployment's env PROVISIONER_NAME
parameters:
  archiveOnDelete: "true"

cat deployment.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nfs-client-provisioner
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: nfs-client-provisioner
spec:
  replicas: 1
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: nfs-client-provisioner
    spec:
      serviceAccountName: nfs-client-provisioner
      containers:
        - name: nfs-client-provisioner
          image: lizhenliang/nfs-client-provisioner:latest
          volumeMounts:
            - name: nfs-client-root
              mountPath: /persistentvolumes
          env:
            - name: PROVISIONER_NAME
              value: fuseim.pri/ifs
            - name: NFS_SERVER
              value: 192.168.31.64
            - name: NFS_PATH
              value: /ifs/kubernetes
      volumes:
        - name: nfs-client-root
          nfs:
            server: 192.168.31.64
            path: /ifs/kubernetes
cat rbac.yaml
kind: ServiceAccount
apiVersion: v1
metadata:
  name: nfs-client-provisioner
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: nfs-client-provisioner-runner
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "update", "patch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: run-nfs-client-provisioner
subjects:
  - kind: ServiceAccount
    name: nfs-client-provisioner
    namespace: default
roleRef:
  kind: ClusterRole
  name: nfs-client-provisioner-runner
  apiGroup: rbac.authorization.k8s.io
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: leader-locking-nfs-client-provisioner
rules:
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: leader-locking-nfs-client-provisioner
subjects:
  - kind: ServiceAccount
    name: nfs-client-provisioner
    # replace with namespace where provisioner is deployed
    namespace: default
roleRef:
  kind: Role
  name: leader-locking-nfs-client-provisioner
  apiGroup: rbac.authorization.k8s.io
5. Deploy the Jenkins server. The prerequisite is that the k8s core-dns is deployed (see the earlier notes for installing coredns); without it name resolution fails and plugins cannot be installed.
cat ingress.yml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: jenkins
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    kubernetes.io/tls-acme: "true"
    # If a plugin upload exceeds the default size, "413 Request Entity Too Large" is returned; raise client_max_body_size
    nginx.ingress.kubernetes.io/proxy-body-size: 50m
    nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
    # Configuration for nginx-ingress controller versions below 0.9.0.beta-18
    ingress.kubernetes.io/ssl-redirect: "true"
    ingress.kubernetes.io/proxy-body-size: 50m
    ingress.kubernetes.io/proxy-request-buffering: "off"
spec:
  rules:
    - host: jenkins.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: jenkins
              servicePort: 80
cat rbac.yml
# Create a ServiceAccount named jenkins
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
---
# Create a Role named jenkins that grants permission to manage the Pod resources of the core API group
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: jenkins
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get","list","watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
---
# Bind the Role named jenkins to the ServiceAccount named jenkins
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins
subjects:
  - kind: ServiceAccount
    name: jenkins
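The Role above hands the jenkins ServiceAccount every verb on pods and pods/exec plus read access to secrets, and the provisioner's ClusterRole (rbac.yaml in step 4) can create PersistentVolumes cluster-wide. The following Python is an added example, not part of these notes or of the Jenkins or nfs-client-provisioner projects: it flattens RBAC rules into (apiGroup, resource, verb) triples, flags the grants a reviewer would question, lists what a role grants beyond a stated need, and builds a Role limited to that need. The two role dicts are constructed here from the page's rbac.yml and rbac.yaml; the SENSITIVE reasons and the JENKINS_NEEDED set are this example's assumptions about what a Jenkins controller needs for agent pods, not a Kubernetes or Jenkins definition. The same functions accept the items of kubectl get roles,clusterroles -o json.

```python
"""Least-privilege review of Role/ClusterRole rules (added example)."""

# Grants a reviewer flags because they go beyond read access. The impact text is
# this example's assumption, not a Kubernetes-defined classification.
SENSITIVE = {
    ("", "pods/exec", "create"): "runs commands inside any pod in scope",
    ("", "pods", "create"): "creates arbitrary workloads unless admission control restricts them",
    ("", "secrets", "get"): "reads Secret contents (tokens, registry credentials)",
    ("", "secrets", "list"): "enumerates Secret contents in bulk",
    ("", "persistentvolumes", "create"): "binds arbitrary NFS paths into PersistentVolumes",
}

# Constructed from the page's rbac.yml (Jenkins) and rbac.yaml (provisioner).
JENKINS_ROLE = {
    "kind": "Role", "metadata": {"name": "jenkins", "namespace": "default"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
        {"apiGroups": [""], "resources": ["pods/exec"],
         "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
        {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
    ],
}
PROVISIONER_CLUSTERROLE = {
    "kind": "ClusterRole", "metadata": {"name": "nfs-client-provisioner-runner"},
    "rules": [
        {"apiGroups": [""], "resources": ["persistentvolumes"],
         "verbs": ["get", "list", "watch", "create", "delete"]},
        {"apiGroups": [""], "resources": ["persistentvolumeclaims"],
         "verbs": ["get", "list", "watch", "update"]},
        {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "update", "patch"]},
    ],
}

# Assumed minimum for a Jenkins controller to launch, attach to and clean up agent pods;
# adjust it to what your pipelines actually call.
JENKINS_NEEDED = {("", "pods", v) for v in ("create", "delete", "get", "list", "watch")} | {
    ("", "pods/exec", "create"), ("", "pods/log", "get")}


def expand_rules(role):
    """Flatten a Role/ClusterRole into a set of (apiGroup, resource, verb) triples."""
    triples = set()
    for rule in role["rules"]:
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    triples.add((group, resource, verb))
    return triples


def scope_of(role):
    """Where a grant applies: the whole cluster for a ClusterRole, else one namespace."""
    if role["kind"] == "ClusterRole":
        return "cluster"
    return "namespace " + role["metadata"].get("namespace", "default")


def audit(role):
    """Sorted (scope, resource, verb, reason) findings for wildcard and sensitive grants."""
    findings = []
    for triple in sorted(expand_rules(role)):
        if "*" in triple:
            findings.append((scope_of(role), triple[1], triple[2], "wildcard grant"))
        elif triple in SENSITIVE:
            findings.append((scope_of(role), triple[1], triple[2], SENSITIVE[triple]))
    return findings


def excess(role, needed):
    """Triples the role grants that the stated need does not justify."""
    return sorted(expand_rules(role) - needed)


def minimal_role(name, needed):
    """Build a Role granting exactly `needed`, one rule per (apiGroup, resource)."""
    by_resource = {}
    for group, resource, verb in sorted(needed):
        by_resource.setdefault((group, resource), []).append(verb)
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
        "metadata": {"name": name},
        "rules": [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
                  for (g, r), v in by_resource.items()],
    }


if __name__ == "__main__":
    for role in (JENKINS_ROLE, PROVISIONER_CLUSTERROLE):
        print(role["metadata"]["name"])
        for finding in audit(role):
            print("  ", *finding)
    print("excess grants for jenkins:", excess(JENKINS_ROLE, JENKINS_NEEDED))
    print("hardened role:", minimal_role("jenkins", JENKINS_NEEDED))
```

Run against the page's manifests it reports 11 excess triples for the jenkins Role, most of them verbs on pods/exec that the kubernetes plugin never issues, plus the secrets read; the hardened Role it emits keeps only the triples in JENKINS_NEEDED, so widen that set rather than the Role when a pipeline needs more.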

cat service.yml
apiVersion: v1
kind: Service
metadata:
  name: jenkins
spec:
  selector:
    name: jenkins
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 8080
      protocol: TCP
      nodePort: 30006
    - name: agent
      port: 50000
      protocol: TCP

cat statefulset.yml
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
  name: jenkins
  labels:
    name: jenkins
spec:
  serviceName: jenkins
  replicas: 1
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      name: jenkins
      labels:
        name: jenkins
    spec:
      terminationGracePeriodSeconds: 10
      serviceAccountName: jenkins
      # If DNS resolution fails, add the line "dnsPolicy: Default" above the containers line
      containers:
        - name: jenkins
          image: jenkins/jenkins
          imagePullPolicy: Always
          ports:
            - containerPort: 8080
            - containerPort: 50000
          resources:
            limits:
              cpu: 1
              memory: 1Gi
            requests:
              cpu: 0.5
              memory: 500Mi
          env:
            - name: LIMITS_MEMORY
              valueFrom:
                resourceFieldRef:
                  resource: limits.memory
                  divisor: 1Mi
            - name: JAVA_OPTS
              value: -Xmx$(LIMITS_MEMORY)m -XshowSettings:vm -Dhudson.slaves.NodeProvisioner.initialDelay=0 -Dhudson.slaves.NodeProvisioner.MARGIN=50 -Dhudson.slaves.NodeProvisioner.MARGIN0=0.85
          volumeMounts:
            - name: jenkins-home
              mountPath: /var/jenkins_home
          livenessProbe:
            httpGet:
              path: /login
              port: 8080
            initialDelaySeconds: 60
            timeoutSeconds: 5
            failureThreshold: 12
          readinessProbe:
            httpGet:
              path: /login
              port: 8080
            initialDelaySeconds: 60
            timeoutSeconds: 5
            failureThreshold: 12
      securityContext:
        fsGroup: 1000
  volumeClaimTemplates:
    - metadata:
        name: jenkins-home
      spec:
        storageClassName: "managed-nfs-storage"
        accessModes: [ "ReadWriteOnce" ]
        resources:
          requests:
            storage: 1Gi
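Three of the files above have to agree by name before a PVC can be bound: the class.yaml comment says provisioner must equal the Deployment's PROVISIONER_NAME env, the NFS_SERVER/NFS_PATH env must point at the same export as the nfs volume the provisioner mounts, and the volumeClaimTemplate's storageClassName must be the StorageClass's metadata.name. The JAVA_OPTS value also depends on how the kubelet resolves the LIMITS_MEMORY resourceFieldRef (limits.memory divided by the divisor) and then substitutes $(LIMITS_MEMORY). The following Python is an added example, not part of these notes or of the projects involved: it runs those consistency checks and resolves the env the way the kubelet does. The dicts are constructed from the page's class.yaml, deployment.yaml and statefulset.yml, trimmed to the fields the checks read (the JAVA_OPTS value is shortened); the same functions accept objects from kubectl get <kind> <name> -o json.

```python
"""Cross-manifest wiring checks for the NFS provisioner and Jenkins (added example)."""

# Constructed from the page's class.yaml.
STORAGE_CLASS = {
    "kind": "StorageClass",
    "metadata": {"name": "managed-nfs-storage"},
    "provisioner": "fuseim.pri/ifs",
    "parameters": {"archiveOnDelete": "true"},
}

# Constructed from the page's deployment.yaml, trimmed to the pod template.
PROVISIONER = {
    "kind": "Deployment",
    "metadata": {"name": "nfs-client-provisioner"},
    "spec": {"template": {"spec": {
        "serviceAccountName": "nfs-client-provisioner",
        "containers": [{
            "name": "nfs-client-provisioner",
            "env": [
                {"name": "PROVISIONER_NAME", "value": "fuseim.pri/ifs"},
                {"name": "NFS_SERVER", "value": "192.168.31.64"},
                {"name": "NFS_PATH", "value": "/ifs/kubernetes"},
            ],
        }],
        "volumes": [{"name": "nfs-client-root",
                     "nfs": {"server": "192.168.31.64", "path": "/ifs/kubernetes"}}],
    }}},
}

# Constructed from the page's statefulset.yml; JAVA_OPTS shortened to the relevant part.
JENKINS = {
    "kind": "StatefulSet",
    "metadata": {"name": "jenkins"},
    "spec": {
        "template": {"spec": {"containers": [{
            "name": "jenkins",
            "resources": {"limits": {"cpu": 1, "memory": "1Gi"},
                          "requests": {"cpu": 0.5, "memory": "500Mi"}},
            "env": [
                {"name": "LIMITS_MEMORY",
                 "valueFrom": {"resourceFieldRef": {"resource": "limits.memory",
                                                    "divisor": "1Mi"}}},
                {"name": "JAVA_OPTS", "value": "-Xmx$(LIMITS_MEMORY)m -XshowSettings:vm"},
            ],
        }]}},
        "volumeClaimTemplates": [{"metadata": {"name": "jenkins-home"},
                                  "spec": {"storageClassName": "managed-nfs-storage"}}],
    },
}

UNITS = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3}


def quantity_bytes(q):
    """Parse a binary-suffixed Kubernetes quantity such as '500Mi' into bytes."""
    q = str(q)
    for suffix, factor in UNITS.items():
        if q.endswith(suffix):
            return int(q[:-2]) * factor
    return int(q)


def env_map(container):
    """Name -> value for literal env entries; valueFrom entries are skipped."""
    return {e["name"]: e["value"] for e in container.get("env", []) if "value" in e}


def resolve_env(container):
    """Resolve resourceFieldRef entries and $(VAR) references to earlier entries,
    as the kubelet does when it starts the container."""
    resolved = {}
    for e in container.get("env", []):
        if "value" in e:
            value = e["value"]
            for name, prior in resolved.items():
                value = value.replace(f"$({name})", str(prior))
            resolved[e["name"]] = value
        else:
            ref = e["valueFrom"]["resourceFieldRef"]
            section, field = ref["resource"].split(".")
            raw = container["resources"][section][field]
            resolved[e["name"]] = quantity_bytes(raw) // quantity_bytes(ref.get("divisor", "1"))
    return resolved


def check_wiring(storage_class, provisioner, statefulset):
    """Return mismatch descriptions; an empty list means the manifests agree."""
    problems = []
    pod = provisioner["spec"]["template"]["spec"]
    env = env_map(pod["containers"][0])
    if env.get("PROVISIONER_NAME") != storage_class["provisioner"]:
        problems.append("StorageClass.provisioner != PROVISIONER_NAME env")
    nfs = next(v["nfs"] for v in pod["volumes"] if "nfs" in v)
    if (env.get("NFS_SERVER"), env.get("NFS_PATH")) != (nfs["server"], nfs["path"]):
        problems.append("NFS_SERVER/NFS_PATH env != nfs volume server/path")
    for claim in statefulset["spec"].get("volumeClaimTemplates", []):
        if claim["spec"].get("storageClassName") != storage_class["metadata"]["name"]:
            problems.append(f"claim {claim['metadata']['name']} names an unknown StorageClass")
    return problems


if __name__ == "__main__":
    print("wiring problems:", check_wiring(STORAGE_CLASS, PROVISIONER, JENKINS))
    print("jenkins env:", resolve_env(JENKINS["spec"]["template"]["spec"]["containers"][0]))
```

With the page's values the check returns no problems and LIMITS_MEMORY resolves to 1024, so the JVM is started with -Xmx1024m, the whole 1Gi limit; a PVC that stays Pending after step 6 is usually one of the three name mismatches this function reports.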
6. Use these yaml files to launch the Jenkins installation.
PS: if the following error is reported:
'FailedCreate' create Pod jenkins-0 in StatefulSet jenkins failed error: pods "jenkins-0" is forbidden: pod.Spec.SecurityContext.FSGroup is forbidden
edit /opt/kubernetes/cfg/kube-apiserver and delete the SecurityContext security field in it.
7. Open http://10.1.2.190:30006 in a browser to run the setup (use kubectl get svc -o wide to see that the jenkins pod is currently running on the 190 node).
8. During setup, select no plugins; install plugins manually, installing the git and kubernetes plugins.