- Create the RBAC authorization (service account, role and binding)
cat <<END > rbacj.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins-sa
  namespace: devops
---
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is used here
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: jenkins-cr
rules:
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments"]
    verbs: ["create", "delete", "get", "list", "watch", "patch", "update"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["create", "delete", "get", "list", "watch", "patch", "update"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list", "watch"]
  # A ClusterRole bound with a ClusterRoleBinding applies in every namespace,
  # so this rule lets jenkins-sa read secrets cluster-wide
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: jenkins-crd
roleRef:
  kind: ClusterRole
  name: jenkins-cr
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: jenkins-sa
    namespace: devops
END
- Deployment and Service YAML; this setup uses a dynamically provisioned PV
cat <<END > jenkins.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: test-jenkins
  name: test-jenkins
  namespace: devops
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: test-jenkins
  template:
    metadata:
      labels:
        k8s-app: test-jenkins
      name: test-jenkins
    spec:
      containers:
        - name: test-jenkins
          image: jenkins/jenkins:latest
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8080
              name: web
              protocol: TCP
          resources:
            limits:
              cpu: 1000m
              memory: 2Gi
            requests:
              cpu: 500m
              memory: 512Mi
          securityContext:
            privileged: true
            runAsUser: 0
          volumeMounts:
            - mountPath: /data/jenkins   # custom home directory
              name: test-jenkins-home
          env:
            - name: JENKINS_HOME
              value: /data/jenkins       # custom home directory
            - name: JENKINS_OPTS
              value: --httpPort=8080
            - name: JENKINS_SLAVE_AGENT_PORT
              value: "8081"              # listening port used by the slave agents
      volumes:
        - name: test-jenkins-home
          persistentVolumeClaim:
            claimName: jenkins
---
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: test-jenkins
  name: test-jenkins
  namespace: devops
spec:
  type: NodePort
  ports:
    - name: web
      port: 8080
      targetPort: 8080
      #nodePort: 31280
    - name: slave
      port: 8081
      targetPort: 8081
      #nodePort: 31281
  selector:
    k8s-app: test-jenkins
END
Because Jenkins runs as an ordinary user and cannot create directories on the PV volume, the container is elevated to run as root:
securityContext:
  privileged: true
  runAsUser: 0
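A non-root way to solve the same volume-permission problem, as an added example that is not part of the original notes. It assumes the official jenkins/jenkins image runs Jenkins as UID/GID 1000 and that the storage behind the dynamic PV supports fsGroup ownership changes; only the fields shown differ from jenkins.yaml.

```yaml
# Added example (not from the original notes): fragment of the pod template in
# jenkins.yaml, replacing the container's "privileged: true / runAsUser: 0".
# Assumptions: the image's jenkins user is UID/GID 1000, and the volume type
# behind the "jenkins" PVC honors fsGroup.
spec:
  template:
    spec:
      securityContext:                 # pod-level settings
        runAsUser: 1000
        runAsGroup: 1000
        runAsNonRoot: true             # kubelet refuses to start the container as UID 0
        fsGroup: 1000                  # volume is made group-owned and writable for GID 1000
        fsGroupChangePolicy: OnRootMismatch   # skip the recursive chown when ownership already matches
      containers:
        - name: test-jenkins
          image: jenkins/jenkins:latest
          securityContext:             # container-level settings
            privileged: false
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - mountPath: /data/jenkins
              name: test-jenkins-home
```

If the volume type ignores fsGroup, a short initContainer that chowns /data/jenkins to 1000:1000 keeps root out of the long-running Jenkins container.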
Update-center mirror inside China:
https://mirrors.tuna.tsinghua.edu.cn/jenkins/updates/update-center.json
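Superuser binding (grants cluster-admin to the users admin and kubelet and to every service account in the cluster):
kubectl create clusterrolebinding permissive-binding \
  --clusterrole=cluster-admin \
  --user=admin \
  --user=kubelet \
  --group=system:serviceaccounts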
Below: installing Jenkins with Helm, following the official site
helm repo add jenkinsci https://charts.jenkins.io
helm repo update
helm search repo jenkinsci
NAME                CHART VERSION   APP VERSION   DESCRIPTION
jenkinsci/jenkins   3.12.2          2.332.3       Jenkins - Build great things at any scale! The ...
Create a volume named jenkins-pv:
wget https://raw.githubusercontent.com/installing-jenkins-on-kubernetes/jenkins-volume.yaml
$ kubectl apply -f jenkins-volume.yaml
Official site link:
https://www.jenkins.io/doc/book/installing/kubernetes/#customizing-jenkins-with-plugins