k8s + Harbor private registry deployment: have you learned it yet?
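Normally, when Kubernetes is used in a private cloud environment and images have to be pulled from a docker registry, the docker daemon is configured with the --insecure-registry option to tell it that the docker registry in use is trusted; only then can images be pulled from the private docker registry. If Harbor is to serve as the image registry for Kubernetes, however, this approach no longer applies. The rest of this article shows how to use Harbor as the image registry for Kubernetes.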
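Overall architecture
1: The kubectl command-line tool initiates resource creation: kubectl create -f [resource file name].yaml
2: After k8s has processed the request, the kube-scheduler service finds a suitable "home" for the pod, node2, and the pod is created there.
3: The kubelet on node2 processes the resource, uses docker to pull the required image, and runs it.
Note: this only describes how the overall workflow moves along; do not read too much into it!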
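1: Download Docker
'//Install the prerequisites'
[root@harbor ~]# yum -y install yum-utils device-mapper-persistent-data lvm2
'//Add the Aliyun package repository'
[root@harbor ~]# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
'//Install docker CE'
[root@harbor ~]# yum -y install docker-ce
'//Firewall settings: flush the iptables rules and switch SELinux to permissive mode'
[root@harbor ~]# iptables -F
[root@harbor ~]# setenforce 0
'//Configure a registry mirror to speed up image pulls'
'//Switch to the Docker configuration directory'
[root@localhost ~]# cd /etc/docker/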
[root@localhost docker]# ls
key.json
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://rsezwjwx.mirror.aliyuncs.com"]
}
EOF
#Reload the systemd configuration
[root@localhost docker]# systemctl daemon-reload
'//Network tuning'
#Enable IP forwarding
[root@localhost docker]# vim /etc/sysctl.conf
'//Add this line'
net.ipv4.ip_forward=1
#Apply the setting
[root@localhost docker]# sysctl -p
[root@localhost docker]# service network restart
Restarting network (via systemctl): [ 确定 ]
[root@localhost docker]# systemctl restart docker.service
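2: Download Docker Compose
'//Copy the compose binary to the home directory, then add execute permission'
[root@harbor ~]# chmod +x docker-compose
#Move it to /usr/local/bin so that the docker-compose command can be used directly
[root@harbor ~]# mv docker-compose /usr/local/bin
#Check the docker-compose version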
[root@harbor ~]# docker-compose -v
docker-compose version 1.21.1, build 5a3f1a3
3: Install Harbor
[root@harbor ~]# wget http://harbor.orientsoft.cn/harbor-1.2.2/harbor-offline-installer-v1.2.2.tgz
'//The package is already available locally here and is copied straight to /usr/local'
[root@harbor ~]# tar zxvf harbor-offline-installer-v1.2.2.tgz -C /usr/local/
'//After extraction the directory contains harbor.cfg, which is the Harbor configuration file'
[root@harbor ~]# vim /usr/local/harbor/harbor.cfg
## Configuration file of Harbor
#hostname sets the access address; an IP or a domain name can be used, but not 127.0.0.1 or localhost. Here it is changed to the local address
hostname = 20.0.0.45
'//After harbor.cfg has been edited, run install.sh'
[root@harbor ~]# cd /usr/local/harbor/
[root@harbor harbor]# sh install.sh
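3.1: Log in to the Harbor private registry
3.2: Configure the node to connect to the private registry
'//Edit daemon.json (note the comma at the end of the registry-mirrors line)'
'//insecure-registries makes Docker reach 20.0.0.45 over plain HTTP or unverified TLS'
[root@node1 ~]# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://rsezwjwx.mirror.aliyuncs.com"],
  "insecure-registries": ["20.0.0.45"]
}
'//Restart the service'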
[root@node1 ~]# systemctl daemon-reload
[root@node1 ~]# systemctl restart docker
3.3: Log in to the Harbor private registry
[root@node1 ~]# docker login 20.0.0.45
Username: admin '//user admin'
Password: '//password Harbor12345'
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
3.4: Pull the Tomcat image to push
'//This one is pulled from the public registry'
[root@node1 ~]# docker pull tomcat
'//List the images'
[root@node1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED
nginx latest 992e3b7be046 7 days
tomcat latest f796d3d2c195 3 weeks
siriuszg/kubernetes-dashboard-amd64 v1.8.3 784cf2722f44 2 years
registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64 3.0 99e59f495ffa 4 year
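3.41: Push the image to the private registry
'//Tag format for pushing'
docker tag SOURCE_IMAGE[:TAG] 20.0.0.45/library/IMAGE[:TAG]
'//Tag the image'
[root@node1 ~]# docker tag tomcat 20.0.0.45/library/tomcat
'//Push the image'
[root@node1 ~]# docker push 20.0.0.45/library/tomcat
3.42: The uploaded image can be found in the Harbor registry
- Pull the image from the private registry
[root@node1 ~]# docker pull 20.0.0.45/library/tomcat
//Pulling the image fails at this point: a login is required before the image can be pulled
//Cause: the registry credentials are missing
- Pull the tomcat image on the node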
[root@node1 ~]# docker pull tomcat:8.0.52
8.0.52: Pulling from library/tomcat
Digest: sha256:32d451f50c0f9e46011091adb3a726e24512002df66aaeecc3c3fd4ba6981bd4
Status: Image is up to date for tomcat:8.0.52
docker.io/library/tomcat:8.0.52
3.43: Create a YAML file on the master node
[root@master ~]# vim tomcat-deployment.yaml
# extensions/v1beta1 Deployments were removed in Kubernetes 1.16; newer clusters need apps/v1 plus spec.selector
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: my-tomcat
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: my-tomcat
    spec:
      containers:
      - name: my-tomcat
        image: docker.io/tomcat:8.0.52
        ports:
        - containerPort: 8080   # Tomcat listens on 8080, matching the Service targetPort
---
apiVersion: v1
kind: Service
metadata:
  name: my-tomcat
spec:
  type: NodePort
  ports:
  - port: 8080
    targetPort: 8080
    nodePort: 31111
  selector:
    app: my-tomcat
3.44: Create the tomcat service and access the Tomcat home page
[root@master ~]# kubectl create -f tomcat-deployment.yaml
'//List the pods'
[root@master ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
my-tomcat-57667b9d9-lcwbd 1/1 Running 0 7m44s
my-tomcat-57667b9d9-qw4jp 1/1 Running 0 7m44s
'//Check which node each pod runs on'
[root@master ~]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE
my-tomcat-57667b9d9-lcwbd 1/1 Running 0 11m 172.17.93.4 20.0.0.42 <none>
my-tomcat-57667b9d9-qw4jp 1/1 Running 0 11m 172.17.5.5 20.0.0.43 <none>
'//Check the port exposed by the service'
[root@master ~]# kubectl get svc
my-tomcat NodePort 10.0.0.141 <none> 8080:31111/TCP 13m
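- Run an access test
- On the node, upload the image to the private registry
'//Tag the image'
[root@node1 ~]# docker tag tomcat:8.0.52 20.0.0.45/library/tomcat8
'//Upload the image to Harbor'
[root@node1 ~]# docker push 20.0.0.45/library/tomcat8
3.5: View the login credentials
'//base64 encodes the file; -w 0 prints the result without line wrapping. If image pulls fail, check the login credentials'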
[root@node1 ~]# cat .docker/config.json |base64 -w 0
ewoJImF1dGhzIjogewoJCSIyMC4wLjAuNDUiOiB7CgkJCSJhdXRoIjogIllXUnRhVzQ2U0dGeVltOXlNVEl6TkRVPSIKCQl9Cgl9LAoJIkh0dHBIZWFkZXJzIjogewoJCSJVc2VyLUFnZW50IjogIkRvY2tlci1DbGllbnQvMTkuMDMuMTMgKGxpbnV4KSIKCX0KfQ==
3.6: On the master, create a resource for authenticated login to Harbor
'//Copy the credentials into the YAML'
[root@master ~]# vim registry-pull-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: registry-pull-secret
data:
  .dockerconfigjson: ewoJImF1dGhzIjogewoJCSIyMC4wLjAuNDUiOiB7CgkJCSJhdXRoIjogIllXUnRhVzQ2U0dGeVltOXlNVEl6TkRVPSIKCQl9Cgl9LAoJIkh0dHBIZWFkZXJzIjogewoJCSJVc2VyLUFnZW50IjogIkRvY2tlci1DbGllbnQvMTkuMDMuMTMgKGxpbnV4KSIKCX0KfQ==
type: kubernetes.io/dockerconfigjson
3.61: Create the credential resource
[root@master ~]# kubectl create -f registry-pull-secret.yaml
'//List the secrets'
[root@master ~]# kubectl get secret
NAME TYPE DATA AGE
default-token-cfdcs kubernetes.io/service-account-token 3 13d
registry-pull-secret kubernetes.io/dockerconfigjson 1 62s
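The Secret created in 3.5 to 3.61 carries the whole config.json, base64-encoded. As an added example (not part of the original article), the Python code below builds the same type of Secret but keeps only the auths entry for the registry the image is pulled from, then decodes both base64 layers to show which account the Secret exposes. The account name k8s-puller, the second registry and both passwords are constructed sample values.

```python
import base64
import json

def registry_of(image):
    """Registry host of an image reference, using Docker's rule: the first path
    component is a registry only if it contains '.' or ':' or is 'localhost'."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def build_pull_secret(name, config_text, image):
    """Build a dockerconfigjson Secret holding only the entry the image needs."""
    auths = json.loads(config_text).get("auths", {})
    host = registry_of(image)
    if host not in auths:
        raise KeyError(f"no credentials for {host} in config.json")
    minimal = json.dumps({"auths": {host: {"auth": auths[host]["auth"]}}})
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(minimal.encode()).decode()},
    }

def audit_pull_secret(secret):
    """Decode both base64 layers and return {registry: username}.
    The Secret is only encoded, not encrypted, so this needs no key."""
    doc = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    users = {}
    for host, entry in doc["auths"].items():
        user, _, _password = base64.b64decode(entry["auth"]).decode().partition(":")
        users[host] = user
    return users

# Constructed sample config.json: two registries with constructed credentials.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "20.0.0.45": {"auth": base64.b64encode(b"k8s-puller:constructed-pass").decode()},
        "other.example.internal": {"auth": base64.b64encode(b"dev:constructed-pass2").decode()},
    },
    "HttpHeaders": {"User-Agent": "Docker-Client/19.03.13 (linux)"},
})

if __name__ == "__main__":
    secret = build_pull_secret("registry-pull-secret", SAMPLE_CONFIG, "20.0.0.45/library/tomcat8")
    print(json.dumps(secret, indent=2))
    print(audit_pull_secret(secret))
```

kubectl accepts the JSON form of a manifest, so the printed Secret can be saved to a file and passed to kubectl create -f.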
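- To keep the environment clean for verification, first delete the local tomcat image
[root@master ~]# kubectl delete -f tomcat-deployment.yaml
- Modify the existing tomcat YAML file
[root@master ~]# vim tomcat-deployment.yaml
    spec:
      imagePullSecrets:
      - name: registry-pull-secret   #this image pull secret name must match the one shown by kubectl get secret
      containers:
      - name: my-tomcat
        image: 20.0.0.45/library/tomcat8
        ports:
        - containerPort: 8080   # Tomcat listens on 8080, matching the Service targetPort
'//Create the resources, which pulls the image'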
[root@master ~]# kubectl create -f tomcat-deployment.yaml
3.62: Log in and check
- The image in the private registry has been pulled 2 times
- Delete and test again
[root@master ~]# kubectl delete -f tomcat-deployment.yaml
deployment.extensions "my-tomcat" deleted
service "my-tomcat" deleted
'//Create the resources'
[root@master ~]# kubectl create -f tomcat-deployment.yaml
deployment.extensions/my-tomcat created
service/my-tomcat created
'//Check the exposed port'
[root@master ~]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.0.0.1 <none> 443/TCP 44h
my-tomcat NodePort 10.0.0.141 <none> 8080:31111/TCP 31s
nginx-service NodePort 10.0.0.75 <none> 80:31558/TCP 43h
- The pull count is now 4
3.7: Pods stuck in the Terminating state that cannot be deleted can be force-deleted
[root@master ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
my-nginx-57667b9d9-nklvj 1/1 Terminating 0 10h
my-nginx-57667b9d9-wllnp 1/1 Terminating 0 10h
'//In this situation the force-delete command can be used'
[root@master ~]# kubectl delete pod my-nginx-57667b9d9-nklvj --force --grace-period=0 -n default
'//Use kubectl get ns to list the namespaces'
[root@master test]# kubectl get ns
NAME STATUS AGE
default Active 12d
kube-public Active 12d
kube-system Active 12d
At this point, pulling images from the private registry in k8s is complete!