Prepare the image
Every node in the k8s cluster needs to pull the image first (the Deployment below uses imagePullPolicy: IfNotPresent, so a node that already has the image will not pull again):
docker pull mariadb:10.5.2
Install MariaDB
Deploy the service
maria/mariadb.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mariadb
  labels:
    app: mariadb
spec:
  replicas: 1
  template:
    metadata:
      name: mariadb
      labels:
        app: mariadb
    spec:
      containers:
      - name: mariadb
        image: mariadb:10.5.2
        imagePullPolicy: IfNotPresent
        env:
        # The root password is stored in plaintext in the Pod spec here, so
        # anyone who can read the Deployment (kubectl get deploy -o yaml)
        # sees it. The Secret section below moves it out of the spec.
        - name: MYSQL_ROOT_PASSWORD
          value: admin
        - name: TZ
          value: Asia/Shanghai
        args:
        - "--character-set-server=utf8mb4"
        - "--collation-server=utf8mb4_unicode_ci"
        ports:
        - containerPort: 3306
      restartPolicy: Always
  selector:
    matchLabels:
      app: mariadb
---
apiVersion: v1
kind: Service
metadata:
  name: mariadb-svc
spec:
  selector:
    app: mariadb
  ports:
  - port: 3306
    targetPort: 3306
    nodePort: 30036
  type: NodePort
Run the service
kubectl apply -f .
kubectl get pod -o wide
Test from a client
IP: 192.168.198.157
username: root
password: admin
port: 30036
A NodePort Service listens on every node's IP, so the database root account is reachable on port 30036 from anything that can reach the cluster network; keep that in mind before reusing this manifest outside a lab.
Delete the service
kubectl delete -f mariadb.yml
Secret
A Secret holds sensitive configuration such as passwords, tokens and keys so that they do not have to be baked into the image or written into the Pod spec. A Secret can be consumed as a Volume or as environment variables. Note that a Secret is only as private as the RBAC rules around it: any identity with get or list on secrets in the namespace can read every value.
Secrets come in three types:
1) Service Account: used to access the Kubernetes API, created automatically by Kubernetes and mounted automatically into the Pod under /run/secrets/kubernetes.io/serviceaccount.
2) Opaque: a base64-encoded Secret used to store passwords, keys and similar values. base64 is an encoding, not encryption: anyone who can read the Secret object can recover the original value.
3) kubernetes.io/dockerconfigjson: stores the credentials for a private Docker registry.
Service Account
Service Account, abbreviated sa, is used to access the Kubernetes API. Kubernetes creates it automatically and mounts its token into every Pod under /run/secrets/kubernetes.io/serviceaccount (Kubernetes mounts it at /var/run/secrets/kubernetes.io/serviceaccount; on most images /var/run is a symlink to /run, so both paths work). The token is a bearer credential for the API server: anyone who can exec into the Pod or read its filesystem can use it. Pods that do not need the API should set automountServiceAccountToken: false.
List the pods in the kube-system namespace:
kubectl get pod -n kube-system
Open a shell in the pod kube-proxy-48bz4 (the pod name comes from the author's cluster; use one from your own output). The -- separates kubectl's flags from the command to run inside the container:
kubectl exec -it kube-proxy-48bz4 -n kube-system -- sh
cd /run/secrets/kubernetes.io/serviceaccount
ls
cat ca.crt
cat namespace
cat token
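The token printed by the last command is a JWT, so its claims can be read without any key. The script below is an added example, not part of the original tutorial: it builds a constructed sample token with the claim layout Kubernetes uses (issuer, namespace, service-account name, subject) and a fake signature, then decodes the payload the way you would for a real token copied out of the pod. The helper names (b64url_decode, jwt_payload, jwt_claim) are this example's own.

```shell
#!/bin/sh
# Added example: inspect the service-account token mounted at
# /run/secrets/kubernetes.io/serviceaccount/token. The JWT payload is only
# base64url-encoded, so the namespace and service-account identity are
# readable by anyone holding the file. SA_TOKEN is a constructed sample
# (fake signature); the claim names match what Kubernetes issues.

# base64url encode: standard base64, strip padding, swap the alphabet.
b64url_encode() {
    printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'
}

# base64url decode: restore the alphabet and the '=' padding, then decode.
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="${s}==" ;;
        3) s="${s}=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# Decoded payload (second dot-separated segment) of a JWT.
jwt_payload() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract one string claim from the payload without needing jq.
# '|' is used as the sed delimiter because claim names contain '/'.
jwt_claim() {
    jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Constructed sample token: the header and claims below are built here,
# not taken from a real cluster.
SA_HEADER='{"alg":"RS256","kid":"example-key"}'
SA_CLAIMS='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","kubernetes.io/serviceaccount/service-account.name":"kube-proxy","sub":"system:serviceaccount:kube-system:kube-proxy"}'
SA_TOKEN="$(b64url_encode "$SA_HEADER").$(b64url_encode "$SA_CLAIMS").fake-signature"

printf 'namespace: %s\n' "$(jwt_claim "$SA_TOKEN" kubernetes.io/serviceaccount/namespace)"
printf 'subject:   %s\n' "$(jwt_claim "$SA_TOKEN" sub)"

# Inside a real pod the same token authenticates straight to the API server
# (only run this against a cluster you own):
#   SA=/run/secrets/kubernetes.io/serviceaccount
#   curl --cacert $SA/ca.crt -H "Authorization: Bearer $(cat $SA/token)" \
#        https://kubernetes.default.svc/api/v1/namespaces/$(cat $SA/namespace)/pods
```

Whether the curl call in the trailing comment returns pods or a 403 depends entirely on the RBAC bound to that service account, which is why the default account should get no bindings and pods that do not need the API should not mount the token at all.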
Opaque Secret
An Opaque Secret's data is a map whose values must be base64-encoded.
Encoding and decoding
Use the command line to base64-encode the string that goes into the Secret, for example the MySQL database password. This is encoding, not encryption: the command below is reversible by anyone.
Encode the string admin; the result is "YWRtaW4=":
echo -n "admin" | base64
Decode it again (the -n above matters: without it the encoded value would contain a trailing newline and the stored password would be "admin\n"):
echo -n "YWRtaW4=" | base64 -d
Create it from a resource file
Encode the mariadb database password:
apiVersion: v1
kind: Secret
metadata:
  name: mariadbsecret
type: Opaque
data:
  password: YWRtaW4=
  # base64 of the mariadb username root; for demonstration only, the Deployment does not reference it
  username: cm9vdA==
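The script below is an added example, not part of the original tutorial, covering both the encoding step above and the hand-written manifest: it shows the trailing-newline mistake that echo without -n produces (the stored password silently becomes six bytes and every client login fails), generates the mariadbsecret manifest from key=value pairs instead of pasting base64 by hand, and shows the stringData alternative where the API server does the base64 step. The helper names (b64, b64_len, secret_manifest, secret_manifest_stringdata) are this example's own; nothing here talks to a cluster.

```shell
#!/bin/sh
# Added example: base64 pitfalls when building an Opaque Secret, and
# generating the manifest rather than editing encoded strings by hand.
# Values are the tutorial's (name mariadbsecret, password admin, user root).

# Encode exactly the bytes given, with no trailing newline.
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode and report the byte count; a hidden newline shows up as +1.
b64_len() {
    printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# Emit an Opaque Secret manifest, base64-encoding every value with b64().
# Usage: secret_manifest NAME key=value [key=value ...]
secret_manifest() {
    name=$1; shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
    for kv in "$@"; do
        printf '  %s: %s\n' "${kv%%=*}" "$(b64 "${kv#*=}")"
    done
}

# The same Secret written with stringData: plain values, encoded by the
# API server on admission (kubectl get secret still shows them as base64).
secret_manifest_stringdata() {
    name=$1; shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\nstringData:\n' "$name"
    for kv in "$@"; do
        printf '  %s: "%s"\n' "${kv%%=*}" "${kv#*=}"
    done
}

# The newline pitfall: "admin" vs "admin\n".
GOOD=$(printf '%s' admin | base64)   # YWRtaW4=, decodes to 5 bytes
BAD=$(echo admin | base64)           # YWRtaW4K, decodes to 6 bytes
printf 'echo -n : %s -> %s bytes\n' "$GOOD" "$(b64_len "$GOOD")"
printf 'echo    : %s -> %s bytes\n' "$BAD"  "$(b64_len "$BAD")"

echo '--- data form ---'
secret_manifest mariadbsecret password=admin username=root
echo '--- stringData form ---'
secret_manifest_stringdata mariadbsecret password=admin username=root
```

The stringData form is easier to review but just as readable after creation, so it changes nothing about who can recover the password; it only removes the manual encoding step where the newline error creeps in.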
Upgrade the mariadb Deployment
Replace the plaintext value with a reference to the Secret, so the password no longer appears in the Pod spec:
env:
- name: MYSQL_ROOT_PASSWORD
  valueFrom:
    secretKeyRef:
      key: password
      name: mariadbsecret
- name: TZ
  value: Asia/Shanghai
Complete list of resource files
secret/mariadbsecret.yml
apiVersion: v1
kind: Secret
metadata:
  name: mariadbsecret
type: Opaque
data:
  password: YWRtaW4=
  # base64 of the mariadb username root; for demonstration only, the Deployment does not reference it
  username: cm9vdA==
secret/mariadb.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mariadb
  labels:
    app: mariadb
spec:
  replicas: 1
  template:
    metadata:
      name: mariadb
      labels:
        app: mariadb
    spec:
      containers:
      - name: mariadb
        image: mariadb:10.5.2
        imagePullPolicy: IfNotPresent
        env:
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              key: password
              name: mariadbsecret
        - name: TZ
          value: Asia/Shanghai
        args:
        - "--character-set-server=utf8mb4"
        - "--collation-server=utf8mb4_unicode_ci"
        ports:
        - containerPort: 3306
      restartPolicy: Always
  selector:
    matchLabels:
      app: mariadb
---
apiVersion: v1
kind: Service
metadata:
  name: mariadb-svc
spec:
  selector:
    app: mariadb
  ports:
  - port: 3306
    targetPort: 3306
    nodePort: 30036
  type: NodePort
Run the service
kubectl apply -f .
kubectl get secret
kubectl get svc
Test from a client
IP: 192.168.198.157
username: root
password: admin
port: 30036
Delete the service and the secret
kubectl delete -f .
kubectl get secret
kubectl get svc
Install a Harbor private registry
Harbor website:
https://goharbor.io/
GitHub repository:
https://github.com/goharbor/harbor
docker-compose
Harbor's installer starts its services with docker-compose, so verify it is installed:
docker-compose -v
Install Harbor
1. Unpack the package
cd /data
tar zxf harbor-offline-installer-v1.9.4.tgz
2. Enter the install directory
cd harbor
3. Edit the configuration file
vi harbor.yml
3.1 Registry address: the IP or DNS name clients will use to reach the registry
hostname: 192.168.198.155
3.2 Registry port: this key sits under the http: block in harbor.yml
http:
  port: 5000
3.3 Password for the Harbor admin account. Harbor12345 is the shipped default; change it before the registry is reachable from anything but a lab network.
harbor_admin_password: Harbor12345
3.4 Directory for Harbor's data volumes
data_volume: /data/harbor
4. Install Harbor
4.1 Run the install script; it works through the steps below and ends with Harbor running:
./install.sh
4.2 Prepare the environment: check the docker and docker-compose versions
4.3 Load the images Harbor needs
4.4 Generate the configuration from harbor.yml (the "prepare" step)
4.5 Start Harbor via docker-compose
4.6 Open Harbor in a browser (Chrome in the original)
http://192.168.198.155:5000
username: admin
password: Harbor12345
Because the registry is served over plain HTTP here, the admin password and every pushed layer cross the network in cleartext. The https: section of harbor.yml takes a certificate and key when you move beyond a lab.
Create a project
Create a public project in Harbor (the original spells it laogouedu, but every image tag below uses lagouedu, so use that name):
lagouedu
A public project lets anyone who can reach the registry pull its images without logging in; pushing still requires credentials.
Configure the registry in Docker
On the k8s master node, point the Docker daemon at the private registry; the master is where images are pushed from. Leave the worker nodes unconfigured for now.
vi /etc/docker/daemon.json
{
  "insecure-registries": ["192.168.198.155:5000"]
}
If daemon.json already exists (k8s nodes often set exec-opts there), merge the key into it; malformed JSON stops the daemon from starting. insecure-registries makes Docker talk plain HTTP to this address, so login credentials and image content are unencrypted on the wire and the registry's identity is never verified. It is acceptable only on an isolated lab network.
Restart the Docker service:
systemctl daemon-reload
systemctl restart docker
Log in to the registry
docker login -u admin -p Harbor12345 192.168.198.155:5000
Passing -p on the command line leaves the password in shell history and in the process list; docker login's --password-stdin flag reads it from standard input instead.
Log out of the registry
docker logout 192.168.198.155:5000
Push the mariadb image
docker tag mariadb:10.5.2 192.168.198.155:5000/lagouedu/mariadb:10.5.2
docker push 192.168.198.155:5000/lagouedu/mariadb:10.5.2
docker rmi -f 192.168.198.155:5000/lagouedu/mariadb:10.5.2
Change the mariadb image address
Edit secret/mariadb.yml and point image at the Harbor registry:
image: 192.168.198.155:5000/lagouedu/mariadb:10.5.2
Run the service
kubectl apply -f .
Check the pod: the image pull fails and STATUS shows "ImagePullBackOff"
kubectl get pods
Describe the pod (the name below is from the author's cluster; take yours from kubectl get pods): the Events section shows the pull from the Harbor registry failing.
kubectl describe pod mariadb-7b6f895b5b-mc5xp
Delete the service:
kubectl delete -f .
Register the registry credentials
Create a docker-registry Secret with kubectl. Syntax:
kubectl create secret docker-registry myregistrykey --docker-server=REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
Example:
kubectl create secret docker-registry lagouharbor --docker-server=192.168.198.155:5000 --docker-username=admin --docker-password=Harbor12345 --docker-email=harbor@lagou.com
The resulting Secret is of type kubernetes.io/dockerconfigjson and contains the Harbor admin password in recoverable form, so anyone who can read Secrets in this namespace can push to the registry as admin. A dedicated Harbor robot account with pull-only rights is the better thing to put in a pull secret.
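The script below is an added example, not part of the original tutorial. It reproduces the config.json content that kubectl stores under the Secret's .dockerconfigjson key for the values above (the JSON layout is the standard Docker client format) and then recovers "user:password" from it, which is exactly what anyone with read access to the Secret can do. The helper names (registry_auth_b64, docker_config, creds_from_config) are this example's own; nothing here talks to a cluster or a registry.

```shell
#!/bin/sh
# Added example: what a kubernetes.io/dockerconfigjson pull secret holds,
# and how little work it takes to turn it back into the registry password.
# Values are the tutorial's (Harbor at 192.168.198.155:5000, user admin).

# base64("user:password"): the value the Docker client stores in "auth".
registry_auth_b64() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Build the config.json that kubectl create secret docker-registry encodes.
# Usage: docker_config SERVER USER PASSWORD EMAIL
docker_config() {
    printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
        "$1" "$2" "$3" "$4" "$(registry_auth_b64 "$2" "$3")"
}

# Recover "user:password" from a config.json string. Against a live cluster
# the input would come from:
#   kubectl get secret lagouharbor -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d
creds_from_config() {
    auth=$(printf '%s' "$1" | sed -n 's|.*"auth":"\([^"]*\)".*|\1|p')
    printf '%s' "$auth" | base64 -d
}

CONFIG=$(docker_config 192.168.198.155:5000 admin Harbor12345 harbor@lagou.com)
printf 'config.json : %s\n' "$CONFIG"
printf 'recovered   : %s\n' "$(creds_from_config "$CONFIG")"
```

The same Secret is also copied onto every node that pulls with it, which is why a pull secret should carry the narrowest account the registry offers rather than the admin login.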
Now configure the private registry on the remaining worker nodes as well. The kubelet on each node pulls through the local Docker daemon, so a node without this entry refuses the HTTP registry no matter what pull secret the Pod carries:
vi /etc/docker/daemon.json
{
  "insecure-registries": ["192.168.198.155:5000"]
}
Restart the Docker service:
systemctl daemon-reload
systemctl restart docker
Upgrade mariadb with the pull secret
Point the mariadb image at the Harbor registry and, in the Pod spec, reference the lagouharbor Secret created above through imagePullSecrets:
spec:
  imagePullSecrets:
  - name: lagouharbor
  containers:
  - name: mariadb
    image: 192.168.198.155:5000/lagouedu/mariadb:10.5.2
Complete list of resource files
mariadbsecret.yml
apiVersion: v1
kind: Secret
metadata:
  name: mariadbsecret
type: Opaque
data:
  password: YWRtaW4=
  # base64 of the mariadb username root; for demonstration only, the Deployment does not reference it
  username: cm9vdA==
mariadb.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mariadb
  labels:
    app: mariadb
spec:
  replicas: 1
  template:
    metadata:
      name: mariadb
      labels:
        app: mariadb
    spec:
      imagePullSecrets:
      - name: lagouharbor
      containers:
      - name: mariadb
        image: 192.168.198.155:5000/lagouedu/mariadb:10.5.2
        imagePullPolicy: IfNotPresent
        env:
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              key: password
              name: mariadbsecret
        - name: TZ
          value: Asia/Shanghai
        args:
        - "--character-set-server=utf8mb4"
        - "--collation-server=utf8mb4_unicode_ci"
        ports:
        - containerPort: 3306
      restartPolicy: Always
  selector:
    matchLabels:
      app: mariadb
---
apiVersion: v1
kind: Service
metadata:
  name: mariadb-svc
spec:
  selector:
    app: mariadb
  ports:
  - port: 3306
    targetPort: 3306
    nodePort: 30036
  type: NodePort
Test from a client
IP: 192.168.198.157
username: root
password: admin
port: 30036