Kubernetes集群部署Jenkins指南
Kubernetes集群部署Jenkins完整实战指南
文档说明
本文档基于实际部署过程中遇到的问题和解决方案编写,适用于CentOS 7系统的Kubernetes集群,包含常见问题的排查和解决方法。
目录
- 1. 环境准备
- 2. 创建命名空间和权限
- 3. 配置存储
- 4. 部署Jenkins
- 5. 配置服务访问
- 6. 初始化配置
- 7. 常见问题解决
- 8. 生产环境优化
1. 环境准备
1.1 系统要求
- 操作系统: CentOS 7.x
- Kubernetes版本: 1.20+
- 集群状态: 所有节点正常运行
- 存储: 至少20GB可用空间
- 网络: CNI插件正常工作
1.2 前置检查
# 检查集群状态
kubectl cluster-info
kubectl get nodes# 检查网络组件状态(以Calico为例)
kubectl get pods -n kube-system | grep calico# 创建工作目录
mkdir -p ~/jenkins-k8s
cd ~/jenkins-k8s
2. 创建命名空间和权限
2.1 创建命名空间
创建 01-namespace.yaml:
apiVersion: v1
kind: Namespace
metadata:name: jenkinslabels:name: jenkins
2.2 配置RBAC权限
创建 02-rbac.yaml:
---
apiVersion: v1
kind: ServiceAccount
metadata:name: jenkinsnamespace: jenkins---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:name: jenkins
rules:
- apiGroups: [""]resources: ["pods"]verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]resources: ["pods/exec"]verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]resources: ["pods/log"]verbs: ["get","list","watch"]
- apiGroups: [""]resources: ["secrets"]verbs: ["get"]
- apiGroups: [""]resources: ["events"]verbs: ["get","list","watch"]---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:name: jenkins
roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: jenkins
subjects:
- kind: ServiceAccountname: jenkinsnamespace: jenkins
2.3 应用基础配置
kubectl apply -f 01-namespace.yaml
kubectl apply -f 02-rbac.yaml
3. 配置存储
3.1 准备存储节点
选择一个稳定的工作节点作为存储节点(本例使用node3):
# 在选定的节点上创建数据目录
# 如果在master节点操作,需要ssh到目标节点
ssh node3 "sudo mkdir -p /data/jenkins && sudo chown -R 1000:1000 /data/jenkins && sudo chmod -R 755 /data/jenkins"# 或者直接在目标节点执行
sudo mkdir -p /data/jenkins
sudo chown -R 1000:1000 /data/jenkins
sudo chmod -R 755 /data/jenkins
3.2 创建PersistentVolume
创建 03-pv.yaml:
apiVersion: v1
kind: PersistentVolume
metadata:name: jenkins-pvlabels:type: localapp: jenkins
spec:storageClassName: manualcapacity:storage: 20GiaccessModes:- ReadWriteOncepersistentVolumeReclaimPolicy: RetainhostPath:path: /data/jenkinsnodeAffinity:required:nodeSelectorTerms:- matchExpressions:- key: kubernetes.io/hostnameoperator: Invalues:- node3 # 替换为您的实际节点名称
3.3 创建PersistentVolumeClaim
创建 04-pvc.yaml:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:name: jenkins-pvcnamespace: jenkins
spec:storageClassName: manualaccessModes:- ReadWriteOnceresources:requests:storage: 20Gi
3.4 应用存储配置
kubectl apply -f 03-pv.yaml
kubectl apply -f 04-pvc.yaml# 验证PV和PVC绑定状态
kubectl get pv
kubectl get pvc -n jenkins
4. 部署Jenkins
4.1 创建Jenkins Deployment
创建 05-jenkins-deployment.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:name: jenkinsnamespace: jenkins
spec:replicas: 1selector:matchLabels:app: jenkinstemplate:metadata:labels:app: jenkinsspec:serviceAccountName: jenkins# 使用hostNetwork解决网络问题(生产环境可考虑其他方案)hostNetwork: truednsPolicy: ClusterFirstWithHostNetsecurityContext:fsGroup: 1000runAsUser: 1000# 指定调度到存储节点nodeSelector:kubernetes.io/hostname: node3 # 替换为实际节点名称containers:- name: jenkinsimage: jenkins/jenkins:2.426.1-ltsports:- name: http-portcontainerPort: 8080hostPort: 8080- name: jnlp-portcontainerPort: 50000hostPort: 50000volumeMounts:- name: jenkins-volmountPath: /var/jenkins_homeenv:- name: JAVA_OPTSvalue: "-Djenkins.install.runSetupWizard=false -Djava.awt.headless=true -Xms1g -Xmx2g"resources:limits:memory: "3Gi"cpu: "2000m"requests:memory: "2Gi"cpu: "1000m"livenessProbe:httpGet:path: "/login"port: 8080initialDelaySeconds: 120periodSeconds: 10timeoutSeconds: 5failureThreshold: 5readinessProbe:httpGet:path: "/login"port: 8080initialDelaySeconds: 90periodSeconds: 10timeoutSeconds: 5failureThreshold: 3volumes:- name: jenkins-volpersistentVolumeClaim:claimName: jenkins-pvc
4.2 部署Jenkins
kubectl apply -f 05-jenkins-deployment.yaml# 等待Pod启动
kubectl wait --for=condition=ready pod -l app=jenkins -n jenkins --timeout=600s# 检查部署状态
kubectl get pods -n jenkins -o wide
5. 配置服务访问
5.1 创建ClusterIP Service
创建 06-jenkins-service.yaml:
apiVersion: v1
kind: Service
metadata:name: jenkins-servicenamespace: jenkins
spec:selector:app: jenkinstype: ClusterIPports:- name: httpport: 8080targetPort: 8080- name: jnlpport: 50000targetPort: 50000
5.2 创建NodePort Service(可选)
创建 07-jenkins-nodeport.yaml:
apiVersion: v1
kind: Service
metadata:name: jenkins-nodeportnamespace: jenkins
spec:selector:app: jenkinstype: NodePortports:- name: httpport: 8080targetPort: 8080nodePort: 32000- name: jnlpport: 50000targetPort: 50000nodePort: 32001
5.3 创建Ingress(可选)
创建 08-jenkins-ingress.yaml:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:name: jenkins-ingressnamespace: jenkinsannotations:nginx.ingress.kubernetes.io/ssl-redirect: "false"nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:ingressClassName: nginxrules:- host: jenkins.yourdomain.com # 替换为您的域名http:paths:- path: /pathType: Prefixbackend:service:name: jenkins-serviceport:number: 8080
5.4 应用服务配置
# 基础服务
kubectl apply -f 06-jenkins-service.yaml# 根据需要选择NodePort或Ingress
kubectl apply -f 07-jenkins-nodeport.yaml # NodePort方式
# kubectl apply -f 08-jenkins-ingress.yaml # Ingress方式
6. 初始化配置
6.1 获取访问地址
# 方式1:通过hostNetwork直接访问
kubectl get node node3 -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'
# 访问 http://<node-ip>:8080# 方式2:通过NodePort访问
kubectl get svc jenkins-nodeport -n jenkins
# 访问 http://<any-node-ip>:32000# 方式3:通过端口转发访问
kubectl port-forward -n jenkins svc/jenkins-service 8080:8080
# 访问 http://localhost:8080
6.2 获取初始管理员密码
kubectl exec -n jenkins $(kubectl get pods -n jenkins -l app=jenkins -o jsonpath='{.items[0].metadata.name}') -- cat /var/jenkins_home/secrets/initialAdminPassword
6.3 完成初始配置
- 使用初始密码登录Jenkins
- 选择"Install suggested plugins"
- 创建第一个管理员用户
- 配置Jenkins URL
- 开始使用Jenkins
7. 常见问题解决
7.1 Pod无法调度问题
# 检查PVC绑定状态
kubectl get pvc -n jenkins
kubectl describe pvc jenkins-pvc -n jenkins# 检查节点标签
kubectl get nodes --show-labels | grep node3# 检查Pod调度失败原因
kubectl describe pod -n jenkins <pod-name>
7.2 网络连接问题
# 检查网络组件状态
kubectl get pods -n kube-system | grep calico# 重启网络组件(如果需要)
kubectl delete pod -n kube-system -l k8s-app=calico-node# 检查Pod网络配置
kubectl exec -n jenkins <pod-name> -- ip addr show
7.3 存储权限问题
# 在存储节点检查目录权限
ls -la /data/jenkins/# 修复权限
sudo chown -R 1000:1000 /data/jenkins
sudo chmod -R 755 /data/jenkins
7.4 PVC名称不匹配问题
# 检查实际PVC名称
kubectl get pvc -n jenkins# 确保Deployment中的claimName与实际PVC名称一致
kubectl get deployment jenkins -n jenkins -o yaml | grep claimName
8. 生产环境优化
8.1 安全加固
# 在Deployment中添加安全上下文
securityContext:runAsNonRoot: truerunAsUser: 1000fsGroup: 1000capabilities:drop:- ALLreadOnlyRootFilesystem: false
8.2 资源限制优化
resources:limits:memory: "4Gi"cpu: "2000m"requests:memory: "2Gi"cpu: "1000m"
8.3 高可用配置
- 使用共享存储(NFS、Ceph等)
- 配置多副本(需要支持ReadWriteMany的存储)
- 使用LoadBalancer类型Service
8.4 备份策略
# 备份Jenkins数据
kubectl exec -n jenkins <jenkins-pod> -- tar czf /tmp/jenkins-backup-$(date +%Y%m%d).tar.gz /var/jenkins_home --exclude='/var/jenkins_home/workspace/*'# 复制备份文件
kubectl cp jenkins/<jenkins-pod>:/tmp/jenkins-backup-$(date +%Y%m%d).tar.gz ./jenkins-backup-$(date +%Y%m%d).tar.gz
9. 一键部署脚本
9.1 完整部署脚本
#!/bin/bash# 设置变量
STORAGE_NODE="node3" # 修改为您的存储节点名称
NAMESPACE="jenkins"echo "=== Jenkins Kubernetes 部署脚本 ==="# 创建命名空间和RBAC
echo "1. 创建命名空间和权限配置..."
kubectl apply -f - << EOF
apiVersion: v1
kind: Namespace
metadata:name: ${NAMESPACE}
---
apiVersion: v1
kind: ServiceAccount
metadata:name: jenkinsnamespace: ${NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:name: jenkins
rules:
- apiGroups: [""]resources: ["pods"]verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]resources: ["pods/exec"]verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]resources: ["pods/log"]verbs: ["get","list","watch"]
- apiGroups: [""]resources: ["secrets"]verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:name: jenkins
roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: jenkins
subjects:
- kind: ServiceAccountname: jenkinsnamespace: ${NAMESPACE}
EOF# 创建存储
echo "2. 创建存储配置..."
echo "请确保在节点 ${STORAGE_NODE} 上已创建目录: sudo mkdir -p /data/jenkins && sudo chown -R 1000:1000 /data/jenkins"kubectl apply -f - << EOF
apiVersion: v1
kind: PersistentVolume
metadata:name: jenkins-pv
spec:storageClassName: manualcapacity:storage: 20GiaccessModes:- ReadWriteOncepersistentVolumeReclaimPolicy: RetainhostPath:path: /data/jenkinsnodeAffinity:required:nodeSelectorTerms:- matchExpressions:- key: kubernetes.io/hostnameoperator: Invalues:- ${STORAGE_NODE}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:name: jenkins-pvcnamespace: ${NAMESPACE}
spec:storageClassName: manualaccessModes:- ReadWriteOnceresources:requests:storage: 20Gi
EOF# 等待PVC绑定
echo "3. 等待存储绑定..."
sleep 10# 部署Jenkins
echo "4. 部署Jenkins..."
kubectl apply -f - << EOF
apiVersion: apps/v1
kind: Deployment
metadata:name: jenkinsnamespace: ${NAMESPACE}
spec:replicas: 1selector:matchLabels:app: jenkinstemplate:metadata:labels:app: jenkinsspec:serviceAccountName: jenkinshostNetwork: truednsPolicy: ClusterFirstWithHostNetsecurityContext:fsGroup: 1000runAsUser: 1000nodeSelector:kubernetes.io/hostname: ${STORAGE_NODE}containers:- name: jenkinsimage: jenkins/jenkins:2.426.1-ltsports:- containerPort: 8080hostPort: 8080- containerPort: 50000hostPort: 50000volumeMounts:- name: jenkins-volmountPath: /var/jenkins_homeenv:- name: JAVA_OPTSvalue: "-Djenkins.install.runSetupWizard=false -Djava.awt.headless=true -Xms1g -Xmx2g"resources:limits:memory: "3Gi"cpu: "2000m"requests:memory: "2Gi"cpu: "1000m"volumes:- name: jenkins-volpersistentVolumeClaim:claimName: jenkins-pvc
---
apiVersion: v1
kind: Service
metadata:name: jenkins-servicenamespace: ${NAMESPACE}
spec:selector:app: jenkinsports:- name: httpport: 8080targetPort: 8080- name: jnlpport: 50000targetPort: 50000
EOF# 等待部署完成
echo "5. 等待Jenkins启动..."
kubectl wait --for=condition=ready pod -l app=jenkins -n ${NAMESPACE} --timeout=600s# 获取访问信息
echo "6. 获取访问信息..."
NODE_IP=$(kubectl get node ${STORAGE_NODE} -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}')
echo "Jenkins访问地址: http://${NODE_IP}:8080"echo "Jenkins初始密码:"
kubectl exec -n ${NAMESPACE} $(kubectl get pods -n ${NAMESPACE} -l app=jenkins -o jsonpath='{.items[0].metadata.name}') -- cat /var/jenkins_home/secrets/initialAdminPasswordecho "=== 部署完成 ==="
9.2 使用脚本
# 给脚本执行权限
chmod +x deploy-jenkins.sh# 修改脚本中的STORAGE_NODE变量为您的实际节点名称
vim deploy-jenkins.sh# 执行部署
./deploy-jenkins.sh
10. 维护和监控
10.1 常用维护命令
# 查看Jenkins状态
kubectl get all -n jenkins# 查看日志
kubectl logs -f deployment/jenkins -n jenkins# 重启Jenkins
kubectl rollout restart deployment/jenkins -n jenkins# 扩容/缩容(需要共享存储支持)
kubectl scale deployment jenkins --replicas=2 -n jenkins
10.2 升级Jenkins
# 备份当前数据
kubectl exec -n jenkins <pod-name> -- tar czf /tmp/backup.tar.gz /var/jenkins_home# 更新镜像版本
kubectl set image deployment/jenkins jenkins=jenkins/jenkins:2.428.1-lts -n jenkins# 监控升级过程
kubectl rollout status deployment/jenkins -n jenkins