• day03 Managing k8s via the GUI


    K8S core resource management methods (CRUD)

    • Imperative management -> based on the many kubectl commands
    • Declarative management -> based on k8s resource manifests (structured data: json, yaml)
    • GUI management -> based on the k8s dashboard (graphical interface, dashboard)

    The three management styles are used together; use each one where it fits best.

    K8S CNI network plugins

    • Many kinds exist; flannel is used as the example
    • Three commonly used working modes
    • Optimizing the SNAT rules

    K8S service discovery

    The kube-proxy component connects the pod network to the cluster network.
    A pod's IP can change, so a pod IP cannot be used as the access point of a service.

    • Cluster network -> cluster IP
    • service -> service name (pods are found through the label selector)
    • CoreDNS associates the cluster network with services

    K8S service exposure

    (exposing services outside the cluster)

    • Ingress resource -> the core resource for exposing layer-7 applications outside the k8s cluster (specifically http; https is rarely used here)
    • Ingress controller -> a simplified nginx (traffic scheduling) + go code (dynamically picks up yaml resource manifests)
    • traefik -> one software implementation of an ingress controller

    1. GUI management -> based on the k8s dashboard

    2. For hundreds or thousands of compute nodes a different CNI plugin is recommended (the name is garbled in the source); flannel requires all nodes to share the same gateway

    flannel's host-gw mode routes through the kernel
    istio is similar
    flannel is sufficient for k8s clusters of up to about 100 machines

    3. flannel SNAT, the FORWARD chain of the iptables filter table

    Underneath, flannel adds routes and inserts iptables rules; that is what makes pod-to-pod communication inside the k8s cluster work.

    On machine 7.21:
    iptables -t filter -I FORWARD -d 172.7.21.0/24 -j ACCEPT
    On machine 7.22:
    iptables -t filter -I FORWARD -d 172.7.22.0/24 -j ACCEPT


    Optimizing flannel's SNAT rules is very necessary; with it the peer can log the real source IP.
    flannel's health check is on port 2041, and flannel is handed to supervisorctl for management.

    6. Installing the dashboard plugin

    Choose version 1.8.3 and integrate the dashboard into the k8s cluster by delivering it as a plugin.
    1.10.1 is delivered afterwards to compare the differences.
    Delivering the dashboard to k8s as a container takes three steps.

    • Prepare the image
    On machine 7.200:
    docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.8.3
    docker images | grep dashboard
    docker tag fcac9aa03fd6 harbor.od.com/public/dashboard:v1.8.3
    docker push harbor.od.com/public/dashboard:v1.8.3


    Check whether the image is now in harbor.

    • Prepare the resource manifests
      (reference example: kubernetes/cluster/addons/dashboard/dashboard.yaml in the kubernetes project on github)
      On machine 7-200, create a dashboard directory under /data/k8s-yaml/

    rbac.yaml

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
        addonmanager.kubernetes.io/mode: Reconcile
      name: kubernetes-dashboard-admin
      namespace: kube-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: kubernetes-dashboard-admin
      labels:
        k8s-app: kubernetes-dashboard
        addonmanager.kubernetes.io/mode: Reconcile
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
      - kind: ServiceAccount
        name: kubernetes-dashboard-admin
        namespace: kube-system
    

    dp.yaml

    kind: Deployment # the pod controller type
    apiVersion: apps/v1
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
        kubernetes.io/cluster-service: "true"
        addonmanager.kubernetes.io/mode: Reconcile
      name: kubernetes-dashboard
      namespace: kube-system # placed in the kube-system namespace
    spec:
      selector:
        matchLabels:
          k8s-app: kubernetes-dashboard
      template:
        metadata:
          labels:
            k8s-app: kubernetes-dashboard
          annotations:
            scheduler.alpha.kubernetes.io/critical-pod: ""
        spec:
          priorityClassName: system-cluster-critical
          containers:
            - name: kubernetes-dashboard
              image: harbor.od.com/public/dashboard:v1.8.3
              resources: # limits on the resources the container may use
                limits:
                  cpu: 100m
                  memory: 300Mi
                requests: # resources the container needs at startup
                  cpu: 50m
                  memory: 100Mi
              ports:
                - containerPort: 8443
                  protocol: TCP
              args:
                - --auto-generate-certificates # runtime flag to generate certificates automatically
              volumeMounts:
                - mountPath: /tmp
                  name: tmp-volume
              livenessProbe: # container liveness probe; tells k8s whether it started properly
                httpGet:
                  scheme: HTTPS
                  path: /
                  port: 8443
                initialDelaySeconds: 30
                timeoutSeconds: 30
          volumes:
            - name: tmp-volume
              emptyDir: {}
          serviceAccountName: kubernetes-dashboard-admin
          tolerations:
            - key: "CriticalAddonsOnly"
              operator: "Exists"
    

    svc.yaml

    kind: Service
    apiVersion: v1
    metadata:
      name: kubernetes-dashboard
      labels:
        k8s-app: kubernetes-dashboard
        kubernetes.io/cluster-service: "true"
        addonmanager.kubernetes.io/mode: Reconcile
      namespace: kube-system
    spec:
      selector:
        k8s-app: kubernetes-dashboard 
      ports:
      - port: 443
        targetPort: 8443
    

    ingress.yaml

    kind: Ingress
    apiVersion: extensions/v1beta1
    metadata:
      annotations:
        kubernetes.io/ingress.class: traefik
      name: kubernetes-dashboard
      namespace: kube-system
    spec:
      rules:
      - host: dashboard.od.com
        http:
          paths:
          - backend:
              serviceName: kubernetes-dashboard
              servicePort: 443
    
    • Apply the resource manifests
    Remote files are supported as long as they are served raw
    kubectl apply -f http://k8s-yaml.od.com/dashboard/rbac.yaml
    kubectl apply -f http://k8s-yaml.od.com/dashboard/dp.yaml
    kubectl apply -f http://k8s-yaml.od.com/dashboard/svc.yaml
    kubectl apply -f http://k8s-yaml.od.com/dashboard/ingress.yaml

    • Check the status
    kubectl get pods -n kube-system
    kubectl get svc -n kube-system
    kubectl get ingress -n kube-system

    • On the self-built DNS at 7.11, add a record to /var/named/od.com.zone
    dashboard     A     10.4.7.10


    systemctl restart named (rndc can reload a single zone instead)
    dig -t A dashboard.od.com +short
    Click Skip on the login page for now and you're in; click around.

    7. How RBAC works in the dashboard plugin

    Role-based access control
    Permissions: read, write, update, list, watch

    Accounts

    • UserAccount: user account (a kubeconfig is the typical config file of a user account)
    • ServiceAccount: service account (every pod running in k8s must have a service account)

    Roles (the intermediary through which an account obtains permissions)

    • Role: ordinary role, valid only in the specified namespace
    • ClusterRole: cluster role, valid for the whole cluster

    There are 2 kinds of role binding

    • RoleBinding
    • ClusterRoleBinding

    Every pod must have a serviceAccount; if none is specified explicitly, it is default,
    i.e. the default service account of the namespace the pod lives in.

    How RBAC works, using traefik as the example

    # Create a ServiceAccount named traefik-ingress-controller in the kube-system namespace
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: traefik-ingress-controller
      namespace: kube-system
    ---
    # Create a ClusterRole named traefik-ingress-controller with get, list and watch permissions on services, endpoints, secrets and similar resources
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRole
    metadata:
      name: traefik-ingress-controller
    rules:
      - apiGroups:
          - ""
        resources:
          - services
          - endpoints
          - secrets
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - extensions
        resources:
          - ingresses
        verbs:
          - get
          - list
          - watch
    ---
    # Create a ClusterRoleBinding named traefik-ingress-controller that grants the ClusterRole to the traefik-ingress-controller ServiceAccount
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRoleBinding
    metadata:
      name: traefik-ingress-controller
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: traefik-ingress-controller
    subjects:
    - kind: ServiceAccount
      name: traefik-ingress-controller
      namespace: kube-system
    

    8. Dashboard authentication

    What permissions does the person who logs in have?
    Use a token.
    A serviceAccount automatically gets a secret resource.
    Select the kube-system namespace, choose Secrets, pick the kubernetes-dashboard-admin-token secret, paste its token into the login page, and you can sign in.

    9. Hand-rolling a certificate

    On machine 7.200, hand-roll an openssl certificate for dashboard.od.com

    # Create the private key
    [root@jdss7-200 certs]# (umask 077; openssl genrsa -out dashboard.od.com.key 2048)
    Generating RSA private key, 2048 bit long modulus
    .....................................................................................+++
    .......................+++
    e is 65537 (0x10001)
    # Certificate signing request
    [root@jdss7-200 certs]# openssl req -new -key dashboard.od.com.key -out dashboard.od.com.csr -subj "/CN=dashboard.od.com/C=CN/ST=BJ/L=Beijing/O=OldboyEdu/OU=ops"
    [root@jdss7-200 certs]#
    # Sign the certificate with a 10-year validity
    [root@jdss7-200 certs]# openssl x509 -req -in dashboard.od.com.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out dashboard.od.com.crt -days 3650
    Signature ok
    subject=/CN=dashboard.od.com/C=CN/ST=BJ/L=Beijing/O=OldboyEdu/OU=ops
    Getting CA Private Key
    # Inspect the result
    [root@jdss7-200 certs]# cfssl-certinfo -cert dashboard.od.com.crt
    {
      "subject": {
        "common_name": "dashboard.od.com",
        "country": "CN",
        "organization": "OldboyEdu",
        "organizational_unit": "ops",
        "locality": "Beijing",
        "province": "BJ",
        "names": [
          "dashboard.od.com",
          "CN",
          "BJ",
          "Beijing",
          "OldboyEdu",
          "ops"
        ]
      },
      "issuer": {
        "common_name": "OldboyEdu",
        "country": "CN",
        "organization": "od",
        "organizational_unit": "ops",
        "locality": "beijing",
        "province": "beijing",
        "names": [
          "CN",
          "beijing",
          "beijing",
          "od",
          "ops",
          "OldboyEdu"
        ]
      },
      "serial_number": "9806022335148236846",
      "not_before": "2022-02-12T06:41:19Z",
      "not_after": "2032-02-10T06:41:19Z",
      "sigalg": "SHA256WithRSA",
      "authority_key_id": "",
      "subject_key_id": "",
      "pem": "-----BEGIN CERTIFICATE-----\nMIIDRTCCAi0CCQCIFf1b+g6gLjANBgkqhkiG9w0BAQsFADBgMQswCQYDVQQGEwJD\nTjEQMA4GA1UECBMHYmVpamluZzEQMA4GA1UEBxMHYmVpamluZzELMAkGA1UEChMC\nb2QxDDAKBgNVBAsTA29wczESMBAGA1UEAxMJT2xkYm95RWR1MB4XDTIyMDIxMjA2\nNDExOVoXDTMyMDIxMDA2NDExOVowaTEZMBcGA1UEAwwQZGFzaGJvYXJkLm9kLmNv\nbTELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkJKMRAwDgYDVQQHDAdCZWlqaW5nMRIw\nEAYDVQQKDAlPbGRib3lFZHUxDDAKBgNVBAsMA29wczCCASIwDQYJKoZIhvcNAQEB\nBQADggEPADCCAQoCggEBAK5aFdsXo9yi4ZFoMyEdP/D+UtRS65Ah8rwGy2hhzbL9\ncREbVkPbN3rMpr1bhzLMlvSmBGGeBvQTfG7L5qQA+CrT73+Td3ILL3f9tBlSfjqr\nlXEIKGoUCYW5m0VI0IfouoHt5vOaQQ9utbXqbzJ+XEhmLwrDMzXjsLccnxcqqhGF\nm6Y6kGJ82ET0zczscRAHj0XXOOLLeczaHk96fAtHljlsSpRRjVlH2Yr/f/J1eB6H\nj3CFIW0Mt1HHxfHwMlFllUjxbbfB6EcdDEOi9WyKO5t5kS5jLyqvgMX29P/Zm6DJ\nhXbfI7bx/NRZpIFGh0Z67IDdOC2qVGKfeVpqrap9vykCAwEAATANBgkqhkiG9w0B\nAQsFAAOCAQEAilS3GUq6C+UwAL9g044CpGuJDF7Nf7JcxwJrUlIz3MSY+hWhrDPg\nA3b3Rammr3TDP5IyKV21x/nmT5uuS6BXT7GX7K+LDuwy17f0wZbMTnlB+5K2QnPk\nZli1ce0fuGGUidE5xueNpghJK8vhW0D4M8tEMIII6XIrSzkyltog3afORsw295Cn\nvT9cqTJIDDIbfVPOQRCKtpN/Eul64Xj3DkmgLkzbe5Xswdr5GVeXGiCfjfeK0QfK\nSjCbfZ6fRzWwQJgwauRJx2dd7s6CWMECfaHsRrS5WuEnCX0S6v449n5GacQ/bZjR\n4xanc/jKSFHjxnPHVWXeD/Rq1X+3AmGD8Q==\n-----END CERTIFICATE-----\n"
    }
    

    10. Copy the certificate into nginx

    nginx machines 7.11 and 7.12
    nginx directory /etc/nginx/certs/

    [root@jdss7-11 certs]# scp jdss7-200:/opt/certs/dashboard.od.com.crt .
    The authenticity of host 'jdss7-200 (10.4.7.200)' can't be established.
    ECDSA key fingerprint is SHA256:l8oqc2n+6O55OHNVcDf4PsBZB1+p7ngUq2m4WVTo+2I.
    ECDSA key fingerprint is MD5:5e:a6:3e:5a:a1:3b:85:a7:54:b7:d5:8d:bb:50:25:a4.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'jdss7-200,10.4.7.200' (ECDSA) to the list of known hosts.
    root@jdss7-200's password:
    dashboard.od.com.crt    100% 1196     1.4MB/s   00:00
    [root@jdss7-11 certs]# scp jdss7-200:/opt/certs/dashboard.od.com.key .
    root@jdss7-200's password:
    dashboard.od.com.key    100% 1675     2.0MB/s   00:00
    [root@jdss7-11 certs]#
    

    Switch to the nginx directory /etc/nginx/conf.d/
    Create the nginx config file dashboard.od.com.conf

    server {
    	listen	80;
    	server_name	dashboard.od.com;
    	rewrite ^(.*)$ https://${server_name}$1 permanent;
    }
    server {
    	listen		443 ssl;
    	server_name	dashboard.od.com;
    	ssl_certificate "certs/dashboard.od.com.crt";
    	ssl_certificate_key "certs/dashboard.od.com.key";
    	ssl_session_cache shared:SSL:1m;
    	ssl_session_timeout	10m;
    	ssl_ciphers HIGH:!aNULL:!MD5;
    	ssl_prefer_server_ciphers on;
    	
    	location / {
    		proxy_pass http://default_backend_traefik;
    		proxy_set_header	Host	$http_host;
    		proxy_set_header	X-Forwarded-For	$proxy_add_x_forwarded_for;
    	}
    }
    

    nginx -t; nginx -s reload
    This terminates TLS at nginx, so the backend applications don't have to deal with SSL at all.

    11. Viewing the cert and token secrets

    [root@jdss7-21 ~]# kubectl get secret -n kube-system
    NAME                                     TYPE                                  DATA   AGE
    coredns-token-wbl6x                      kubernetes.io/service-account-token   3      19d
    default-token-8j4d6                      kubernetes.io/service-account-token   3      53d
    kubernetes-dashboard-admin-token-mv4mq   kubernetes.io/service-account-token   3      112m
    kubernetes-dashboard-certs               Opaque                                0      3h46m
    kubernetes-dashboard-key-holder          Opaque                                2      3h17m
    kubernetes-dashboard-token-mn7s2         kubernetes.io/service-account-token   3      3h46m
    traefik-ingress-controller-token-g7944   kubernetes.io/service-account-token   3      17d
    [root@jdss7-21 ~]# kubectl describe secret kubernetes-dashboard-admin-token-mv4mq -n kube-system
    Name:         kubernetes-dashboard-admin-token-mv4mq
    Namespace:    kube-system
    Labels:       <none>
    Annotations:  kubernetes.io/service-account.name: kubernetes-dashboard-admin
                  kubernetes.io/service-account.uid: 97998b95-827b-4954-bc0f-c0ea3fd6f2be
    
    Type:  kubernetes.io/service-account-token
    
    Data
    ====
    ca.crt:     1346 bytes
    namespace:  11 bytes
    token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.[payload removed].i0CDXmcBAk9-bGUunNGrTfEaScNhNkAfHLk7SjLKPBKRkl1ti71zQSzXNoiuBQq-H1zgEOX_9SJf_7SbSQ1v-dsSkSD2h7hldPdCPpndhsez3k5HrdcwNEOHRfgpnPR16HHX45BOty3tXNMQO1Ksnb2r2ePDwqI0PN0jjnPrk8zAhtxs64-BlQeaQGq5j6jvXHBnRMsO1KwP63BSqcccE5gnBNtywjOL3RLqfFq1gMBxEMJWNau2hJ0bD9j3zWtiT3OYT6G6xU7p-Kl-FPSpm6v_aIEinJxuDUir1exMn1sCflFcD9UrFAlJ-9IKVhBLSw26IQyUBmcDdYn7Puigag
    [root@jdss7-21 ~]#
    

    Then on the dashboard choose Sign In, pick the Token mode, paste the token above, and you're logged in.
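    The RBAC walkthrough in section 7, the token login in section 8 and the secret listing above all hinge on one fact: rbac.yaml binds the kubernetes-dashboard-admin ServiceAccount to the built-in cluster-admin ClusterRole, and the token stored in that secret is a legacy service-account token with no expiry. The Python below is an added example (not the course's own tooling) that makes both facts visible: it lists the ServiceAccounts bound to cluster-admin from the JSON that `kubectl get clusterrolebindings -o json` returns, and it decodes the claims of a pasted token without verifying it. The ClusterRoleBinding list and the token are constructed to mirror this page; the function names are mine.

```python
"""Audit helpers for the dashboard RBAC setup (added example, not course code).
Input is the JSON that `kubectl get clusterrolebindings -o json` returns plus a
raw service-account token; both samples below are constructed for this page."""
import base64
import json

# Constructed sample mirroring the two ClusterRoleBindings on this page
# (fields trimmed to what the checks use).
SAMPLE_CRB_LIST = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "kubernetes-dashboard-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount",
                       "name": "kubernetes-dashboard-admin",
                       "namespace": "kube-system"}]},
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "traefik-ingress-controller"},
         "roleRef": {"kind": "ClusterRole", "name": "traefik-ingress-controller"},
         "subjects": [{"kind": "ServiceAccount",
                       "name": "traefik-ingress-controller",
                       "namespace": "kube-system"}]},
    ],
})


def service_accounts_with_cluster_admin(crb_json: str):
    """Return (namespace, name) for every ServiceAccount bound to cluster-admin."""
    found = []
    for item in json.loads(crb_json).get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        for sub in item.get("subjects") or []:
            if sub.get("kind") == "ServiceAccount":
                found.append((sub.get("namespace", "default"), sub["name"]))
    return found


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def describe_sa_token(token: str) -> dict:
    """Decode the claims of a service-account JWT WITHOUT verifying it.
    Enough to see which account a pasted token represents and whether it is a
    legacy non-expiring secret token; verification needs the API server."""
    header, payload, _sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return {
        "alg": json.loads(_b64url_decode(header)).get("alg"),
        "namespace": claims.get("kubernetes.io/serviceaccount/namespace"),
        "service_account": claims.get("kubernetes.io/serviceaccount/service-account.name"),
        "subject": claims.get("sub"),
        "expires": claims.get("exp") is not None,  # legacy secret tokens carry no exp
    }


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed token in the shape of the legacy kube-system secret token on this
# page. The signature is a placeholder, which is exactly why describe_sa_token
# must not be mistaken for verification.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": ""}).encode()),
    _b64url(json.dumps({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "kube-system",
        "kubernetes.io/serviceaccount/secret.name": "kubernetes-dashboard-admin-token-mv4mq",
        "kubernetes.io/serviceaccount/service-account.name": "kubernetes-dashboard-admin",
        "sub": "system:serviceaccount:kube-system:kubernetes-dashboard-admin",
    }).encode()),
    _b64url(b"not-a-real-signature"),
])


def risky_token(token: str, crb_json: str) -> bool:
    """True when the token belongs to a ServiceAccount holding cluster-admin and
    never expires, i.e. a secret whose leak means persistent full control."""
    info = describe_sa_token(token)
    admins = service_accounts_with_cluster_admin(crb_json)
    return (info["namespace"], info["service_account"]) in admins and not info["expires"]


if __name__ == "__main__":
    print("cluster-admin service accounts:", service_accounts_with_cluster_admin(SAMPLE_CRB_LIST))
    print(describe_sa_token(SAMPLE_TOKEN))
    print("dashboard token is a non-expiring cluster-admin credential:",
          risky_token(SAMPLE_TOKEN, SAMPLE_CRB_LIST))
```

    Feed it real data with `kubectl get clusterrolebindings -o json` and `kubectl get secret kubernetes-dashboard-admin-token-mv4mq -n kube-system -o jsonpath='{.data.token}' | base64 -d`. describe_sa_token only decodes; it proves nothing about validity, which is why the audit pairs the claims with the binding list instead of trusting them.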

    12. heapster, a small dashboard add-on

    Implements a metrics interface for k8s
    Its position is awkward. Not mandatory knowledge; just know what it does.
    heapster version 1.5.4

    13. Smooth upgrade of the k8s cluster + adding and removing compute nodes

    Do it during a traffic trough
    Request a maintenance window
    kubectl get pods -n kube-system -o wide
    kube-scheduler does the rebalancing for you

    1. Upgrade machine 7.21

    • kubectl delete node jdss7-21.host.com
      After a compute node is deleted, the pods that were running on it are automatically rescheduled onto other compute nodes
    • Verify that CoreDNS is still usable from machine 7-21
    dig -t A kubernetes.default.svc.cluster.local @192.168.0.2 +short

    • On machine 7-11, comment out 7.21 in the upstream blocks of nginx.conf and od.com.conf
      nginx -s reload

    • On machine 7-21, prepare the 1.15.4 version tarball

    tar xf kubernetes-server-linux-amd64-v1.15.4.tar.gz -C /opt/123/
    cd /opt/123/
    mv kubernetes kubernetes-v1.15.4
    mv kubernetes-v1.15.4 /opt/
    cd /opt/kubernetes-v1.15.4
    cd bin
    /bin/rm *.tar
    /bin/rm *_tag
    mkdir -p conf # copy over the contents of the conf directory from the previous v1.15.2
    mkdir -p cert # copy over the contents of the cert directory from the previous v1.15.2
    # copy over the *.sh files from the previous v1.15.2 bin directory
    cd /opt/
    # switch the kubernetes symlink from the kubernetes-v1.15.2 directory to kubernetes-v1.15.4
    rm -f kubernetes
    ln -s kubernetes-v1.15.4 kubernetes
    supervisorctl restart all # restart the supervisor-managed services
    kubectl get nodes
    

    14. The complete http flow of the dashboard service in k8s


    The user enters http://dashboard.od.com
    1. DNS resolves the domain dashboard.od.com to the VIP address 10.4.7.10

    2. The VIP 10.4.7.10 lands on machine 10.4.7.11

    3. The request enters the layer-7 load balancer nginx on 10.4.7.11
    4. nginx sees that the requested domain is dashboard.od.com and matches the custom config file dashboard.od.com.conf

    5. Because the request is http rather than https, it hits the rewrite rule, which rewrites it to port 443
    6. nginx matches the port-443 server block, terminates TLS, and forwards the request to the ingress
    7. The ingress listens on port 81 of every compute node host (the ingress is traefik delivered through k8s, with hostPort 81 exposed)

    8. The ingress controller, based on the configured ingress resource, finds the root path for host dashboard.od.com and forwards the request to the service named kubernetes-dashboard

    9. The service named kubernetes-dashboard (dashboard)

    10. kubelet connects the service and pod networks; the service finds the pods through its label selector
    11. kube-proxy's ipvs round-robin (ipvsadm -Ln on machine 7.21) forwards the request from the cluster network to the pod network


    12. Because a CNI network plugin is installed, the pod network can communicate across hosts

    15. Delivering dubbo microservices to k8s

    • dubbo microservices
      Transparent method calls: invoking a remote service looks like calling a local method

      Provider: the service provider that exposes services
      Consumer: the service consumer that calls remote services
      Registry: the registry for service registration and discovery
      Monitor: the monitoring center that counts service calls and call times
      Container: the container (carrier) in which services run

    Deliver registry, provider, monitor and consumer

    jenkins, dubbo-monitor, consumer and provider are all delivered into the k8s cluster
    (1) Services that scale dynamically go into the k8s cluster
    (2) Developers push code to gitlab and operations does continuous integration (jenkins pulls the code from gitlab, compiles it, packages the image and pushes it to the harbor registry; the 7-200 operations host generates the resource manifests, the k8s cluster applies them, and the result is a pod)
    Note:
    Put zk outside the k8s cluster; zk is a typical stateful service
    etcd, zk, mysql and es are all stateful services; they are more stable on their own infrastructure, and the zk registry must not be disturbed
    Only services that can be scaled and moved freely are stateless
    StatefulSet is the pod controller used to manage stateful pods.

    16. Deploying the zk cluster (outside the k8s cluster)

    zk is written in java and depends on the jdk

    Host                Role    IP
    JDSS7-11.host.com   zk1     10.4.7.11
    JDSS7-12.host.com   zk2     10.4.7.12
    JDSS7-21.host.com   zk3     10.4.7.21

    Install the jdk

    Run on all three machines 10.4.7.11, 10.4.7.12 and 10.4.7.21
    cd /opt/
    mkdir -p src; mkdir -p /usr/java/
    wget http://10.4.7.20/jdk/jdk-8u221-linux-x64.tar.gz
    tar xf jdk-8u221-linux-x64.tar.gz -C /usr/java/
    ll /usr/java/
    cd /usr/
    ln -s /usr/java/jdk1.8.0_221/ /usr/java/jdk
    # add the environment variables
    vim /etc/profile
    export JAVA_HOME=/usr/java/jdk
    export PATH=$JAVA_HOME/bin:$PATH
    export CLASSPATH=$CLASSPATH:$JAVA_HOME/lib:$JAVA_HOME/lib/tools.jar
    source /etc/profile
    

    Install zookeeper 3.4.14

    Run on all three machines 10.4.7.11, 10.4.7.12 and 10.4.7.21
    cd /opt/src
    wget http://10.4.7.20/zookeeper/zookeeper-3.4.14.tar.gz
    tar zxf zookeeper-3.4.14.tar.gz -C /opt/
    cd /opt/
    ln -s /opt/zookeeper-3.4.14 /opt/zookeeper
    mkdir -pv /data/zookeeper/data /data/zookeeper/logs
    # zookeeper config file /opt/zookeeper/conf/zoo.cfg
    tickTime=2000
    initLimit=10
    syncLimit=5
    dataDir=/data/zookeeper/data
    dataLogDir=/data/zookeeper/logs
    clientPort=2181
    server.1=zk1.od.com:2888:3888
    server.2=zk2.od.com:2888:3888
    server.3=zk3.od.com:2888:3888
    

    Add the DNS records on machine 7.11

    vim /var/named/od.com.zone
    bump the zone serial number
    zk1          A           10.4.7.11
    zk2          A           10.4.7.12
    zk3          A           10.4.7.21
    restart named
    

    myid configuration
    machine 7-11
    /data/zookeeper/data/myid contains 1
    machine 7-12
    /data/zookeeper/data/myid contains 2
    machine 7-21
    /data/zookeeper/data/myid contains 3
    Start zk

    Start zk on the 3 machines 7-11, 7-12 and 7-21
    /opt/zookeeper/bin/zkServer.sh start


    Check the zk status

    /opt/zookeeper/bin/zkServer.sh status
    
    

    17. Deploying jenkins into the k8s cluster (the hard part)

    jenkins runs in docker

    17.1 Prepare the jenkins image

    On the operations host 7-200
    docker pull jenkins/jenkins:2.190.3
    docker images | grep jenkins
    docker tag 22b8b9a84dbe harbor.od.com/public/jenkins:v2.190.3
    docker push harbor.od.com/public/jenkins:v2.190.3


    Note: the official jenkins image cannot be used as-is; it needs some configuration before it can be put into production

    17.2 Modifying the image

    Custom Dockerfile, on the operations host
    /data/dockerfile/jenkins/Dockerfile
    Version 1 depends on the get-docker.sh script, which is somewhat cumbersome

    FROM harbor.od.com/public/jenkins:v2.190.3
    USER root
    RUN /bin/cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime &&\
      echo 'Asia/Shanghai' > /etc/timezone
    ADD id_rsa /root/.ssh/id_rsa
    ADD config.json /root/.docker/config.json
    ADD get-docker.sh /get-docker.sh
    RUN echo "    StrictHostKeyChecking no" >> /etc/ssh/ssh_config &&\
      /get-docker.sh
    

    Version 2, install docker-ce

    FROM harbor.od.com/public/jenkins:v2.190.3
    USER root
    RUN /bin/cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime &&\
      echo 'Asia/Shanghai' > /etc/timezone
    ADD id_rsa /root/.ssh/id_rsa
    ADD config.json /root/.docker/config.json
    ADD get-docker.sh /get-docker.sh
    RUN apt-get update && apt-get install -y apt-transport-https
    ADD docker.list /etc/apt/sources.list.d/docker.list
    RUN wget https://mirrors.aliyun.com/docker-ce/linux/debian/gpg -O /tmp/gpg && apt-key add /tmp/gpg >/dev/null 2>&1 && apt-get update
    RUN echo "    StrictHostKeyChecking no" >> /etc/ssh/ssh_config && apt-get install -y docker-ce --allow-unauthenticated
    

    docker.list

    # official source (debian 9)
    #deb https://download.docker.com/linux/debian stretch stable
    # aliyun mirror (debian 9)
    deb https://mirrors.aliyun.com/docker-ce/linux/debian stretch stable
    # USTC mirror (debian 10)
    #deb http://mirrors.ustc.edu.cn/docker-ce/linux/debian/ buster stable
    

    What the dockerfile mainly does

    • Sets the container user to root (docker has to be started as root; the official base image does not run as root)
    • Sets the container timezone to UTC+8
    • Adds the ssh private key (needed when git pulls code; the matching public key is configured in gitlab) (cp /root/.ssh/id_rsa /data/dockerfile/jenkins/)
    • Adds the config file for logging in to the self-hosted harbor registry, used to push images to harbor (cp /root/.docker/config.json /data/dockerfile/jenkins/)
    • Tweaks the ssh client config (no more yes/no prompt)
    • Installs a docker client inside the jenkins container: jenkins has to run docker build to produce images, which relies on the host's docker engine; only the client is installed, to talk to the host's docker engine (curl -fsSL get.docker.com -o /data/dockerfile/jenkins/get-docker.sh, roughly 476 lines; make it executable)
      (docker is a client/server program; the docker command itself is just a docker client)

    Generate the ssh key pair
    On machine 7-200
    ssh-keygen -t rsa -b 2048 -C "405186254@qq.com" -N "" -f /root/.ssh/id_rsa
    The private key is packed into the jenkins image; the public key is handed to me and I add it to the gitlab repository (gitee.com)

    Afterwards /root/.ssh/ contains the id_rsa.pub public key file

    config.json
    contains the credentials for logging in to the remote registry

    17.3 Build the new jenkins image

    In harbor.od.com's registry, create a new private project named infra (not public)

    cd /data/dockerfile/jenkins/
    docker build . -t harbor.od.com/infra/jenkins:v2.190.3
    docker push harbor.od.com/infra/jenkins:v2.190.3
    


    17.4 Run jenkins locally as a test

    docker run --rm harbor.od.com/infra/jenkins:v2.190.3 ssh -i /root/.ssh/id_rsa -T git@gitee.com

    17.5 Create the k8s namespace infra, used to hold operations-related services separately

    Run on any compute node

    kubectl create ns infra


    Delivering the jenkins image into the infra namespace requires pulling from harbor's private project; docker login alone is not enough

    17.6 Create a secret resource in the infra namespace for accessing private images in the private harbor project

    kubectl create secret docker-registry harbor --docker-server=harbor.od.com --docker-username=admin --docker-password=Harbor12345 -n infra


    There are 3 kinds of secret resource: docker-registry, generic, and tls (used when an ingress is given a secret to terminate TLS)

    17.7 Prepare shared storage

    How pod resources in k8s share data
    jenkins needs to persist some data, located at /var/lib/jenkins_home/
    The jenkins service can go down and be rescheduled freely without problems, but it cannot be scaled out; its data has to land on shared storage

    The approach is to build the shared storage on the operations host and mount it on the compute nodes; both sides depend on the nfs-utils rpm package

    yum install nfs-utils -y
    

    The operations host 7-200 acts as the shared-storage server
    All the pods mount this shared storage

    Shared-storage server 7-200

    vim /etc/exports
    /data/nfs-volume 10.4.7.0/24(rw,no_root_squash)
    mkdir -p /data/nfs-volume
    # no_root_squash: remote root is not mapped to an unprivileged user (root on the client stays root on the export)
    mkdir -p /data/nfs-volume/jenkins_home
    systemctl start nfs
    systemctl enable nfs
    

    17.8 Use the shared storage

    Define it in the jenkins resource manifests

    On machine 7-200
    cd /data/k8s-yaml/
    mkdir -p jenkins
    cd jenkins


    jenkins is a B/S program opened in a browser, so the manifests need 3 kinds of resource: Deployment, Service and Ingress

    17.9 Resource manifests jenkins depends on

    deployment.yaml

    kind: Deployment # deployment (runs as many replicas as configured); daemonset (one per compute node)
    apiVersion: extensions/v1beta1
    metadata:
      name: jenkins
      namespace: infra
      labels:
        name: jenkins
    spec:
      replicas: 1 # only one instance
      selector:
        matchLabels:
         name: jenkins
      template: # pod template
        metadata:
          labels:
            app: jenkins
            name: jenkins
        spec:
          volumes:
          - name: data
            nfs: # nfs-type volume
              server: jdss7-200
              path: /data/nfs-volume/jenkins_home
          - name: docker
            hostPath: # host-local mount; the docker server's socket is mounted in so the docker client inside jenkins can talk to the docker engine on its own host
              path: /run/docker.sock
              type: ''
          containers:
          - name: jenkins
            image: harbor.od.com/infra/jenkins:v2.190.3
            imagePullPolicy: IfNotPresent # image pull policy, 3 options: Always pulls from the remote registry regardless of the local cache, Never only uses the local image and never pulls, IfNotPresent pulls from the remote registry only when the image is missing locally
            ports:
            - containerPort: 8080
              protocol: TCP
            env:
            - name: JAVA_OPTS
              value: -Xmx512m -Xms512m
            volumeMounts: # where the volumes are mounted
            - name: data
              mountPath: /var/jenkins_home
            - name: docker
              mountPath: /run/docker.sock
          imagePullSecrets: # required for k8s to pull from a private registry; without it the pull fails
          - name: harbor
          securityContext:
            runAsUser: 0 # start jenkins as root
      strategy:
        type: RollingUpdate # upgrade jenkins with a rolling update
        rollingUpdate:
          maxUnavailable: 1
          maxSurge: 1
      revisionHistoryLimit: 7  # keep 7 revisions for rollback
      progressDeadlineSeconds: 600 # the deployment is judged failed if it has not progressed within 600 seconds
    

    svc.yaml

    kind: Service
    apiVersion: v1
    metadata:
      name: jenkins
      namespace: infra
    spec:
      ports:
      - protocol: TCP
        port: 80 # the port the service listens on at its clusterIP
        targetPort: 8080 # the port the container listens on
      selector:
        app: jenkins
    

    ingress.yaml

    kind: Ingress
    apiVersion: extensions/v1beta1
    metadata:
      name: jenkins
      namespace: infra
    spec:
      rules:
      - host: jenkins.od.com
        http:
          paths:
          - path: /
            backend: 
              serviceName: jenkins
              servicePort: 80
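    The Dockerfile from 17.2 bakes a private ssh key and the harbor config.json into image layers and turns off ssh host-key checking, and the jenkins Deployment above mounts the node's docker socket and runs as uid 0. Each is a deliberate trade-off in this course, and each is also exactly what an image or manifest review should surface. The Python below is an added example (not the course's own tooling) that flags those settings, working on the Dockerfile text and on the JSON form of a Deployment as `kubectl get deploy jenkins -n infra -o json` returns it. Both inputs are constructed copies of what this page shows; SECRET_PATH_RE and the finding strings are mine.

```python
"""Review checks for the jenkins Dockerfile and Deployment (added example, not
course code). Inputs: Dockerfile text, and a Deployment in the JSON shape that
`kubectl get deploy ... -o json` returns. Samples are constructed for this page."""
import json
import re

# Constructed: the essential lines of the version-2 Dockerfile on this page.
SAMPLE_DOCKERFILE = """\
FROM harbor.od.com/public/jenkins:v2.190.3
USER root
ADD id_rsa /root/.ssh/id_rsa
ADD config.json /root/.docker/config.json
ADD get-docker.sh /get-docker.sh
RUN echo "    StrictHostKeyChecking no" >> /etc/ssh/ssh_config && apt-get install -y docker-ce --allow-unauthenticated
"""

# Constructed: the jenkins Deployment from this page, trimmed to the fields the
# checks look at.
SAMPLE_DEPLOYMENT = json.dumps({
    "kind": "Deployment",
    "metadata": {"name": "jenkins", "namespace": "infra"},
    "spec": {"template": {"spec": {
        "volumes": [
            {"name": "data", "nfs": {"server": "jdss7-200", "path": "/data/nfs-volume/jenkins_home"}},
            {"name": "docker", "hostPath": {"path": "/run/docker.sock", "type": ""}},
        ],
        "containers": [{"name": "jenkins",
                        "image": "harbor.od.com/infra/jenkins:v2.190.3",
                        "volumeMounts": [{"name": "data", "mountPath": "/var/jenkins_home"},
                                         {"name": "docker", "mountPath": "/run/docker.sock"}]}],
        "securityContext": {"runAsUser": 0},
    }}},
})

# Files that should never land in an image layer: they stay readable in the
# layer history even if a later RUN deletes them.
SECRET_PATH_RE = re.compile(r"(id_(rsa|ed25519|ecdsa)$|\.docker/config\.json$|\.kube/config$)")


def dockerfile_findings(text: str):
    """Return (line_number, message) for each risky instruction in a Dockerfile."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        parts = line.split()
        if parts and parts[0] in ("ADD", "COPY") and len(parts) >= 3:
            if SECRET_PATH_RE.search(parts[-1]):
                findings.append((n, "secret baked into image layer: " + parts[-1]))
        if "StrictHostKeyChecking no" in line:
            findings.append((n, "ssh host key checking disabled (a spoofed git server goes unnoticed)"))
        if "--allow-unauthenticated" in line:
            findings.append((n, "apt package signature check disabled"))
    return findings


def deployment_findings(deploy_json: str):
    """Return messages for host-level privileges granted by a Deployment's pod spec."""
    findings = []
    pod = json.loads(deploy_json)["spec"]["template"]["spec"]
    for vol in pod.get("volumes", []):
        hp = vol.get("hostPath")
        if hp and hp.get("path", "").endswith("docker.sock"):
            findings.append("hostPath docker socket mounted: container can control the node's docker engine")
        elif hp:
            findings.append("hostPath volume: " + hp.get("path", ""))
    if pod.get("securityContext", {}).get("runAsUser") == 0:
        findings.append("pod runs as uid 0")
    for c in pod.get("containers", []):
        cctx = c.get("securityContext", {})
        if cctx.get("privileged"):
            findings.append("privileged container: " + c["name"])
        if cctx.get("runAsUser") == 0:
            findings.append("container runs as uid 0: " + c["name"])
    return findings


if __name__ == "__main__":
    for n, msg in dockerfile_findings(SAMPLE_DOCKERFILE):
        print(f"Dockerfile:{n}: {msg}")
    for msg in deployment_findings(SAMPLE_DEPLOYMENT):
        print("Deployment:", msg)
```

    The checks are deliberately plain string and JSON matching so they can run in a CI step before docker build or kubectl apply; anything they flag is a decision to record, not necessarily something to remove, since this course relies on the socket mount for docker build inside jenkins.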
    

    17.10 Apply the resource manifests

    kubectl apply -f http://k8s-yaml.od.com/jenkins/dp.yaml
    kubectl apply -f http://k8s-yaml.od.com/jenkins/svc.yaml
    kubectl apply -f http://k8s-yaml.od.com/jenkins/ingress.yaml

    kubectl get all -n infra

    The shared storage now has content
    on machine 7-200 under /data/nfs-volume/jenkins_home

    17.11 DNS resolution

    On the 7-11 DNS server, add a record for jenkins.od.com pointing at the VIP 10.4.7.10

    17.12 Where the jenkins admin password is

    On machine 7-200: /data/nfs-volume/jenkins_home/secrets/initialAdminPassword

    Username admin, password admin123

    17.13 Configure the jenkins plugins

    • Set the jenkins security settings
      Manage Jenkins -> Configure Global Security
      allow anonymous users

      enable cross-origin request support

    • Install plugins (a domestic mirror can be configured for jenkins)
      Manage Plugins
      install the pipeline plugin named blueocean

      choose Download now and install after restart

    17.14 Configure the jenkins pipeline

    Parameterized builds, so one pipeline can serve both the dubbo service provider and consumer

    1. New Item
  • Source: https://www.cnblogs.com/PythonOrg/p/15871057.html