通常情况下，在私有云环境中使用 Kubernetes 时，从私有 docker registry 拉取镜像前，都会给 docker daemon 配置 --insecure-registry 属性，告诉 docker daemon 我们所使用的 registry 可以不经 TLS 证书校验访问。注意：这意味着节点与仓库之间走的是明文 HTTP（或不校验证书的 HTTPS），镜像内容在传输过程中被替换或篡改是无法发现的，只适合隔离的实验环境；生产环境应为仓库启用 HTTPS，并把 CA 证书分发到各节点。但如果使用 Harbor 作为 Kubernetes 的镜像仓库，仅靠这种方式还不够：Harbor 的私有项目要求登录鉴权，kubelet 拉取镜像时还必须携带仓库凭据（imagePullSecrets）。下面让我们看看如何使用 Harbor 作为 Kubernetes 的镜像仓库。

整体架构

mark

1: 通过kubectl 命令工具 发起 资源创建kubectl create -f [资源文件名].yaml
2 :k8s 处理相关请求后 kube-scheduler 服务 为pod 寻找一个合适的 “家” node2 并创建pod。
3 :node2 上的kubelet 处理相关资源,使用docker 拉取 相关镜像 并run 。
注意: 这里只说明了整个流程的工作流转情况,请勿深究!

一:下载docker

'//安装依赖包'
[root@harbor ~]# yum -y install yum-utils device-mapper-persistent-data lvm2

'//设置阿里源镜像'
[root@harbor ~]# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

'//安装docker CE'
[root@harbor ~]# yum -y install docker-ce


'//关闭防火墙与 SELinux（仅限隔离的实验环境）：iptables -F 会清空本机全部防火墙规则，setenforce 0 会把 SELinux 切到 permissive 且重启后失效；生产环境应只放行 Harbor 实际监听的端口（本文为 80，启用 https 后为 443），并保留 SELinux'
[root@harbor ~]# iptables -F
[root@harbor ~]# setenforce 0

'//配置镜像加速器（registry-mirrors）：加速地址只是第三方镜像缓存，用于加快公共镜像的拉取；经由镜像站拉取的镜像同样应固定版本或按 digest 引用，不能因为走了加速就认为内容可信'
[root@localhost ~]# cd /etc/docker/     '//切换到加速目录'
[root@localhost docker]# ls
key.json

# Write the daemon.json that points Docker at the Aliyun mirror (registry-mirrors).
# NOTE(review): this overwrites any existing /etc/docker/daemon.json. The quoted
# 'EOF' keeps the body literal and <<- strips only leading tabs, so the
# space-indented JSON below is written exactly as shown. A mirror is a
# third-party cache: it speeds up pulls, but the images it serves are only as
# trustworthy as the tag/digest you ask for.
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://rsezwjwx.mirror.aliyuncs.com"]
}
EOF
# Docker itself has to be restarted for daemon.json to take effect (this page
# does that later in the section); `systemctl daemon-reload` alone only
# re-reads unit files.
#使系统重新加载
[root@localhost docker]# systemctl daemon-reload

'//网络优化'
#开启路由转发
[root@localhost docker]# vim /etc/sysctl.conf 
'//编写'
net.ipv4.ip_forward=1

#使命令生效
[root@localhost docker]# sysctl -p
[root@localhost docker]# service network restart 
Restarting network (via systemctl):                        [  确定  ]
[root@localhost docker]# systemctl restart docker.service 

二:下载docker Compose

'//把 docker-compose 二进制复制到家目录，再增加执行权限（该二进制之后将以 root 运行，建议先与官方发布页给出的 sha256 校验和比对）'
[root@harbor ~]# chmod +x docker-compose 

#移动到usr/local/bin目录,系统识别后,可直接使用docker-compose命令
[root@harbor ~]# mv docker-compose /usr/local/bin

#查看 docker-compose 版本
[root@harbor ~]# docker-compose -v
docker-compose version 1.21.1, build 5a3f1a3

三:安装Harbor

'//下载 Harbor 离线安装包（原文此处缺少下载命令，应为 wget/curl 一类）：http://harbor.orientsoft.cn/harbor-1.2.2/harbor-offline-installer-v1.2.2.tgz'
'//注意：该地址是第三方镜像站且为明文 HTTP，下载后应与 Harbor 官方 GitHub Releases 发布的校验和比对后再安装；v1.2.2 已是很旧的版本，新部署请使用仍在维护的版本'

'//这边本地已经有了，直接解压到/usr/local'
[root@harbor ~]# tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/

'//解压缩之后，目录下会生成 harbor.cfg 文件，该文件就是 Harbor 的配置文件（其中还包含管理员初始密码、访问协议与证书等配置项，具体键名以该版本文件内的注释为准；安装前建议改掉默认管理员密码并启用 https，而不是让节点走 insecure-registries）'
[root@harbor ~]# vim /usr/local/harbor/harbor.cfg 

## Configuration file of Harbor

#hostname设置访问地址,可以使用IP、域名,不可以设置为127.0.0.1或者localhost 这边改为本地地址

hostname = 20.0.0.45

'//harbor.cfg 文件修改完成后，运行 install.sh 文件'
[root@harbor ~]# cd /usr/local/harbor/
[root@harbor harbor]# sh install.sh 

3.1:登录Harbor私有仓库

mark

3.2:node节点配置连接私有仓库

'//修改 daemon.json 文件。insecure-registries 让 docker 以明文 HTTP（或不校验证书）访问 20.0.0.45，传输途中镜像被替换或篡改无法发现；生产环境应在 Harbor 侧启用 https，并把 CA 证书放到各节点的 /etc/docker/certs.d/20.0.0.45/ca.crt，而不是把仓库加进 insecure-registries。另外下面 JSON 里的 '//注意后面逗号' 只是说明文字，不能写进文件（JSON 不支持注释）；pod 可能被调度到任意节点，所以每个 node 都要做同样的配置'
[root@node1 ~]# vim /etc/docker/daemon.json

{
  "registry-mirrors": ["https://rsezwjwx.mirror.aliyuncs.com"],  '//注意后面逗号'
  "insecure-registries": ["20.0.0.45"]
}

'//重载服务'
[root@node1 ~]# systemctl daemon-reload
[root@node1 ~]# systemctl restart docker

3.3:登录Harbor私库（admin / Harbor12345 是 Harbor 的默认管理员口令，安装完成后应立即修改；节点拉取镜像应使用单独的只读账号而不是 admin。docker login 会把口令以 base64 明文保存在 /root/.docker/config.json，正如下面的 WARNING 所提示，可配置 credential helper 避免明文落盘）

[root@node1 ~]# docker login 20.0.0.45
Username: admin    '//用户admin'
Password:          '//密码Harbor12345'
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

3.4:下载Tomcat镜像进行推送

'//这边是公有仓库下载的'
[root@node1 ~]# docker pull tomcat

'//查看镜像'
[root@node1 ~]# docker images
REPOSITORY                                                        TAG                 IMAGE ID            CREATED
nginx                                                             latest              992e3b7be046        7 days 
tomcat                                                            latest              f796d3d2c195        3 weeks
siriuszg/kubernetes-dashboard-amd64                               v1.8.3              784cf2722f44        2 years
registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64   3.0                 99e59f495ffa        4 year
3.41:推送镜像到私库

mark

'//推送格式'
 docker tag SOURCE_IMAGE[:TAG] 20.0.0.45/library/IMAGE[:TAG]
 
 '//打标签'
[root@node1 ~]# docker tag tomcat 20.0.0.45/library/tomcat

'//推送镜像'
[root@node1 ~]# docker push 20.0.0.45/library/tomcat
3.42:在harbor仓库中可查到上传的镜像

mark

  • 从私库下载镜像
[root@node1 ~]# docker pull 20.0.0.45/library/tomcat
//此时从私库拉取镜像会出现需要登录的问题：Harbor 的私有项目要求认证后才能拉取
//问题点：缺少仓库的凭据，需要把凭据以 Secret 的形式提供给集群（见 3.6）
  • node节点下载tomcat镜像
[root@node1 ~]# docker pull tomcat:8.0.52
8.0.52: Pulling from library/tomcat
Digest: sha256:32d451f50c0f9e46011091adb3a726e24512002df66aaeecc3c3fd4ba6981bd4
Status: Image is up to date for tomcat:8.0.52
docker.io/library/tomcat:8.0.52

3.43:master节点创建一个 yaml 文件

[root@master ~]# vim tomcat-deployment.yaml

# Demo Deployment + NodePort Service for Tomcat, pulled from Docker Hub.
# NOTE(review): extensions/v1beta1 Deployment was removed in Kubernetes 1.16;
# on current clusters use apps/v1, which also requires spec.selector.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: my-tomcat
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: my-tomcat
    spec:
      containers:
      - name: my-tomcat
        # Mutable tag from the public registry. For a tamper-evident,
        # reproducible pull, reference the digest that `docker pull` printed
        # (tomcat@sha256:...) instead of the tag.
        image: docker.io/tomcat:8.0.52
        # No resources or securityContext are set; fine for a demo, but add
        # limits and runAsNonRoot before using this beyond a test cluster.
        ports:
        # Informational only: the Service below targets 8080, which is the
        # port the Tomcat image actually serves on; 80 here is misleading.
        - containerPort: 80
---
# Exposes Tomcat on port 31111 of every node's IP, so anyone who can reach the
# node network can reach it; keep it firewalled or use ClusterIP if external
# access is not needed.
apiVersion: v1
kind: Service
metadata:
  name: my-tomcat
spec:
  type: NodePort
  ports:
  - port: 8080
    targetPort: 8080
    nodePort: 31111
  selector:
    app: my-tomcat

3.44:创建tomcat服务,并访问tomcat主页

[root@master ~]# kubectl create -f tomcat-deployment.yaml

'//查看pod资源'
[root@master ~]# kubectl get pods
NAME                              READY   STATUS    RESTARTS   AGE
my-tomcat-57667b9d9-lcwbd         1/1     Running   0          7m44s
my-tomcat-57667b9d9-qw4jp         1/1     Running   0          7m44s

'//查看pod在哪个节点'
[root@master ~]# kubectl get pods -o wide
NAME                              READY   STATUS    RESTARTS   AGE   IP            NODE        NOMINATED NODE
my-tomcat-57667b9d9-lcwbd         1/1     Running   0          11m   172.17.93.4   20.0.0.42   <none>
my-tomcat-57667b9d9-qw4jp         1/1     Running   0          11m   172.17.5.5    20.0.0.43   <none>

'查看服务暴露端口'
[root@master ~]# kubectl get svc
my-tomcat       NodePort    10.0.0.141   <none>        8080:31111/TCP   13m
  • 进行访问测试

mark

  • 在node节点操作上传镜像到私库
'//镜像进行打标签（未写 tag 时默认为 latest，这是可变标签，之后任何人再 push 同名镜像都会改变集群实际拉到的内容；建议显式打版本号，部署时按 digest 引用）'
[root@node1 ~]# docker tag tomcat:8.0.52 20.0.0.45/library/tomcat8

'//上传镜像到harbor'
[root@node1 ~]# docker push 20.0.0.45/library/tomcat8

mark

3.5:查看登录凭证

'//base64 -w 0：把 config.json 做 base64 编码并单行输出。注意这只是编码不是加密，输出解码后就是 admin 账号的明文口令，不要把它贴进公开文档或提交到代码仓库；若 config.json 中还保存了其他仓库的登录信息，也会一并被带进 Secret。如果下载镜像有问题，可以先检查这份凭证'
[root@node1 ~]# cat .docker/config.json |base64 -w 0
ewoJImF1dGhzIjogewoJCSIyMC4wLjAuNDUiOiB7CgkJCSJhdXRoIjogIllXUnRhVzQ2U0dGeVltOXlNVEl6TkRVPSIKCQl9Cgl9LAoJIkh0dHBIZWFkZXJzIjogewoJCSJVc2VyLUFnZW50IjogIkRvY2tlci1DbGllbnQvMTkuMDMuMTMgKGxpbnV4KSIKCX0KfQ==

3.6:在master创建用于登录 Harbor 的 Secret 资源（类型 kubernetes.io/dockerconfigjson）

'//复制凭证到 yaml 里。注意 Secret 的 data 只是 base64，不是加密，任何有权限 get secret 的账号都能还原出口令；更推荐为拉取镜像单独创建一个只授予目标项目拉取权限的 Harbor 账号，并用 kubectl create secret docker-registry registry-pull-secret --docker-server=20.0.0.45 --docker-username=<只读账号> --docker-password=<口令> 直接创建（口令会进入 shell 历史，用完记得清理），避免把整个 config.json 复制进来，同时限制该命名空间内 secrets 的 RBAC 访问'
[root@master ~]# vim registry-pull-secret.yaml

# Image-pull secret for the Harbor registry at 20.0.0.45.
# SECURITY (review): `data` is base64, not encryption. The value below decodes
# to a docker config.json whose auths["20.0.0.45"].auth is "admin:Harbor12345",
# i.e. the Harbor default administrator password -- so anyone allowed to
# `get secrets` in this namespace (and anyone reading this file) obtains
# registry-admin access. Prefer a dedicated pull-only Harbor account, create the
# secret with `kubectl create secret docker-registry ...` rather than copying
# the whole config.json (which would also carry credentials for any other
# registry logged in on that node), and restrict RBAC on this namespace's secrets.
apiVersion: v1
kind: Secret
metadata:
  name: registry-pull-secret
  # No namespace given: the object lands in the current context's namespace;
  # imagePullSecrets can only reference secrets in the pod's own namespace.
data:
  .dockerconfigjson: ewoJImF1dGhzIjogewoJCSIyMC4wLjAuNDUiOiB7CgkJCSJhdXRoIjogIllXUnRhVzQ2U0dGeVltOXlNVEl6TkRVPSIKCQl9Cgl9LAoJIkh0dHBIZWFkZXJzIjogewoJCSJVc2VyLUFnZW50IjogIkRvY2tlci1DbGllbnQvMTkuMDMuMTMgKGxpbnV4KSIKCX0KfQ==
type: kubernetes.io/dockerconfigjson

mark

3.61:创建凭证资源
[root@master ~]# kubectl create -f registry-pull-secret.yaml

'//查看secret资源'
[root@master ~]# kubectl get secret
NAME                   TYPE                                  DATA   AGE
default-token-cfdcs    kubernetes.io/service-account-token   3      13d
registry-pull-secret   kubernetes.io/dockerconfigjson        1      62s
  • 验证时为了保证环境，首先删除之前创建的 tomcat Deployment 和 Service（删除的是集群内的资源对象，不是节点上的镜像）
[root@master ~]# kubectl delete -f tomcat-deployment.yaml 
  • 修改原有的tomcat.yaml
[root@master ~]# vim tomcat-deployment.yaml 

spec:
      # The name must match the Secret created in 3.61; the kubelet uses it to
      # authenticate to 20.0.0.45 when pulling the image below.
      imagePullSecrets:
      - name: registry-pull-secret    # must match the name shown by `kubectl get secret`
      containers:
      - name: my-tomcat
        # No tag => :latest, a mutable tag on the private registry; pin a
        # version or digest so a later re-push cannot silently change what
        # gets deployed.
        image: 20.0.0.45/library/tomcat8
        ports:
        # Informational only; the Service targets 8080, where Tomcat serves.
        - containerPort: 80
  
 '//下载资源' 
[root@master ~]# kubectl create -f tomcat-deployment.yaml

3.62:登录查看

  • 私有仓库的镜像被下载了2次

mark

  • 再次删除测试
[root@master ~]# kubectl delete -f tomcat-deployment.yaml 
deployment.extensions "my-tomcat" deleted
service "my-tomcat" deleted

'//创建资源'
[root@master ~]# kubectl create -f tomcat-deployment.yaml 
deployment.extensions/my-tomcat created
service/my-tomcat created

'//查看端口暴露'
[root@master ~]# kubectl get svc
NAME            TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)          AGE
kubernetes      ClusterIP   10.0.0.1     <none>        443/TCP          44h
my-tomcat       NodePort    10.0.0.141   <none>        8080:31111/TCP   31s
nginx-service   NodePort    10.0.0.75    <none>        80:31558/TCP     43h
  • 下载次数已经为4次

mark

3.7:如果遇到处于Terminating状态无法删除的 pod 可以强制删除（注意：--force --grace-period=0 只是立即从 API 中移除对象，并不等待节点上的容器真正停止；如果节点失联，容器可能仍在运行，对有状态应用可能造成同一实例同时运行两份，使用前应先确认节点状态）

[root@master ~]# kubectl get pods
NAME                              READY   STATUS        RESTARTS   AGE

my-nginx-57667b9d9-nklvj         1/1     Terminating   0          10h

my-nginx-57667b9d9-wllnp         1/1     Terminating   0          10h

'//这种情况下可以使用强制删除命令'
[root@master ~]# kubectl delete pod my-nginx-57667b9d9-nklvj  --force --grace-period=0 -n default

'//使用kubectl get ns,查看命名空间'
[root@master test]# kubectl get ns
NAME          STATUS   AGE
default       Active   12d
kube-public   Active   12d
kube-system   Active   12d

到此 k8s 获取私服镜像完成!
