Kubernetes集群部署Jenkins完整实战指南
文档说明
本文档基于实际部署过程中遇到的问题和解决方案编写,适用于CentOS 7系统的Kubernetes集群,包含常见问题的排查和解决方法。
目录
- [1. 环境准备](#1. 环境准备)
- [2. 创建命名空间和权限](#2. 创建命名空间和权限)
- [3. 配置存储](#3. 配置存储)
- [4. 部署Jenkins](#4. 部署Jenkins)
- [5. 配置服务访问](#5. 配置服务访问)
- [6. 初始化配置](#6. 初始化配置)
- [7. 常见问题解决](#7. 常见问题解决)
- [8. 生产环境优化](#8. 生产环境优化)
1. 环境准备
1.1 系统要求
- 操作系统: CentOS 7.x
- Kubernetes版本: 1.20+
- 集群状态: 所有节点正常运行
- 存储: 至少20GB可用空间
- 网络: CNI插件正常工作
1.2 前置检查
bash
# 检查集群状态
kubectl cluster-info
kubectl get nodes
# 检查网络组件状态(以Calico为例)
kubectl get pods -n kube-system | grep calico
# 创建工作目录
mkdir -p ~/jenkins-k8s
cd ~/jenkins-k8s2. 创建命名空间和权限
2.1 创建命名空间
创建 01-namespace.yaml:
yaml
apiVersion: v1
kind: Namespace
metadata:
name: jenkins
labels:
name: jenkins2.2 配置RBAC权限
创建 02-rbac.yaml:
yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: jenkins
namespace: jenkins
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: jenkins
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get","list","watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
- apiGroups: [""]
resources: ["events"]
verbs: ["get","list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: jenkins
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: jenkins
subjects:
- kind: ServiceAccount
name: jenkins
namespace: jenkins2.3 应用基础配置
bash
kubectl apply -f 01-namespace.yaml
kubectl apply -f 02-rbac.yaml3. 配置存储
3.1 准备存储节点
选择一个稳定的工作节点作为存储节点(本例使用node3):
bash
# 在选定的节点上创建数据目录
# 如果在master节点操作,需要ssh到目标节点
ssh node3 "sudo mkdir -p /data/jenkins && sudo chown -R 1000:1000 /data/jenkins && sudo chmod -R 755 /data/jenkins"
# 或者直接在目标节点执行
sudo mkdir -p /data/jenkins
sudo chown -R 1000:1000 /data/jenkins
sudo chmod -R 755 /data/jenkins3.2 创建PersistentVolume
创建 03-pv.yaml:
yaml
apiVersion: v1
kind: PersistentVolume
metadata:
name: jenkins-pv
labels:
type: local
app: jenkins
spec:
storageClassName: manual
capacity:
storage: 20Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
hostPath:
path: /data/jenkins
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- node3 # 替换为您的实际节点名称3.3 创建PersistentVolumeClaim
创建 04-pvc.yaml:
yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jenkins-pvc
namespace: jenkins
spec:
storageClassName: manual
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi3.4 应用存储配置
bash
kubectl apply -f 03-pv.yaml
kubectl apply -f 04-pvc.yaml
# 验证PV和PVC绑定状态
kubectl get pv
kubectl get pvc -n jenkins4. 部署Jenkins
4.1 创建Jenkins Deployment
创建 05-jenkins-deployment.yaml:
yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: jenkins
namespace: jenkins
spec:
replicas: 1
selector:
matchLabels:
app: jenkins
template:
metadata:
labels:
app: jenkins
spec:
serviceAccountName: jenkins
# 使用hostNetwork解决网络问题(生产环境可考虑其他方案)
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
securityContext:
fsGroup: 1000
runAsUser: 1000
# 指定调度到存储节点
nodeSelector:
kubernetes.io/hostname: node3 # 替换为实际节点名称
containers:
- name: jenkins
image: jenkins/jenkins:2.426.1-lts
ports:
- name: http-port
containerPort: 8080
hostPort: 8080
- name: jnlp-port
containerPort: 50000
hostPort: 50000
volumeMounts:
- name: jenkins-vol
mountPath: /var/jenkins_home
env:
- name: JAVA_OPTS
value: "-Djenkins.install.runSetupWizard=false -Djava.awt.headless=true -Xms1g -Xmx2g"
resources:
limits:
memory: "3Gi"
cpu: "2000m"
requests:
memory: "2Gi"
cpu: "1000m"
livenessProbe:
httpGet:
path: "/login"
port: 8080
initialDelaySeconds: 120
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 5
readinessProbe:
httpGet:
path: "/login"
port: 8080
initialDelaySeconds: 90
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
volumes:
- name: jenkins-vol
persistentVolumeClaim:
claimName: jenkins-pvc4.2 部署Jenkins
bash
kubectl apply -f 05-jenkins-deployment.yaml
# 等待Pod启动
kubectl wait --for=condition=ready pod -l app=jenkins -n jenkins --timeout=600s
# 检查部署状态
kubectl get pods -n jenkins -o wide5. 配置服务访问
5.1 创建ClusterIP Service
创建 06-jenkins-service.yaml:
yaml
apiVersion: v1
kind: Service
metadata:
name: jenkins-service
namespace: jenkins
spec:
selector:
app: jenkins
type: ClusterIP
ports:
- name: http
port: 8080
targetPort: 8080
- name: jnlp
port: 50000
targetPort: 500005.2 创建NodePort Service(可选)
创建 07-jenkins-nodeport.yaml:
yaml
apiVersion: v1
kind: Service
metadata:
name: jenkins-nodeport
namespace: jenkins
spec:
selector:
app: jenkins
type: NodePort
ports:
- name: http
port: 8080
targetPort: 8080
nodePort: 32000
- name: jnlp
port: 50000
targetPort: 50000
nodePort: 320015.3 创建Ingress(可选)
创建 08-jenkins-ingress.yaml:
yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: jenkins-ingress
namespace: jenkins
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
ingressClassName: nginx
rules:
- host: jenkins.yourdomain.com # 替换为您的域名
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: jenkins-service
port:
number: 80805.4 应用服务配置
bash
# 基础服务
kubectl apply -f 06-jenkins-service.yaml
# 根据需要选择NodePort或Ingress
kubectl apply -f 07-jenkins-nodeport.yaml # NodePort方式
# kubectl apply -f 08-jenkins-ingress.yaml # Ingress方式6. 初始化配置
6.1 获取访问地址
bash
# 方式1:通过hostNetwork直接访问
kubectl get node node3 -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'
# 访问 http://<node-ip>:8080
# 方式2:通过NodePort访问
kubectl get svc jenkins-nodeport -n jenkins
# 访问 http://<any-node-ip>:32000
# 方式3:通过端口转发访问
kubectl port-forward -n jenkins svc/jenkins-service 8080:8080
# 访问 http://localhost:80806.2 获取初始管理员密码
bash
kubectl exec -n jenkins $(kubectl get pods -n jenkins -l app=jenkins -o jsonpath='{.items[0].metadata.name}') -- cat /var/jenkins_home/secrets/initialAdminPassword6.3 完成初始配置
- 使用初始密码登录Jenkins
- 选择"Install suggested plugins"
- 创建第一个管理员用户
- 配置Jenkins URL
- 开始使用Jenkins
7. 常见问题解决
7.1 Pod无法调度问题
bash
# 检查PVC绑定状态
kubectl get pvc -n jenkins
kubectl describe pvc jenkins-pvc -n jenkins
# 检查节点标签
kubectl get nodes --show-labels | grep node3
# 检查Pod调度失败原因
kubectl describe pod -n jenkins <pod-name>7.2 网络连接问题
bash
# 检查网络组件状态
kubectl get pods -n kube-system | grep calico
# 重启网络组件(如果需要)
kubectl delete pod -n kube-system -l k8s-app=calico-node
# 检查Pod网络配置
kubectl exec -n jenkins <pod-name> -- ip addr show7.3 存储权限问题
bash
# 在存储节点检查目录权限
ls -la /data/jenkins/
# 修复权限
sudo chown -R 1000:1000 /data/jenkins
sudo chmod -R 755 /data/jenkins7.4 PVC名称不匹配问题
bash
# 检查实际PVC名称
kubectl get pvc -n jenkins
# 确保Deployment中的claimName与实际PVC名称一致
kubectl get deployment jenkins -n jenkins -o yaml | grep claimName8. 生产环境优化
8.1 安全加固
yaml
# 在Deployment中添加安全上下文
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
capabilities:
drop:
- ALL
readOnlyRootFilesystem: false8.2 资源限制优化
yaml
resources:
limits:
memory: "4Gi"
cpu: "2000m"
requests:
memory: "2Gi"
cpu: "1000m"8.3 高可用配置
- 使用共享存储(NFS、Ceph等)
- 配置多副本(需要支持ReadWriteMany的存储)
- 使用LoadBalancer类型Service
8.4 备份策略
bash
# 备份Jenkins数据
kubectl exec -n jenkins <jenkins-pod> -- tar czf /tmp/jenkins-backup-$(date +%Y%m%d).tar.gz /var/jenkins_home --exclude='/var/jenkins_home/workspace/*'
# 复制备份文件
kubectl cp jenkins/<jenkins-pod>:/tmp/jenkins-backup-$(date +%Y%m%d).tar.gz ./jenkins-backup-$(date +%Y%m%d).tar.gz9. 一键部署脚本
9.1 完整部署脚本
bash
#!/bin/bash
# 设置变量
STORAGE_NODE="node3" # 修改为您的存储节点名称
NAMESPACE="jenkins"
echo "=== Jenkins Kubernetes 部署脚本 ==="
# 创建命名空间和RBAC
echo "1. 创建命名空间和权限配置..."
kubectl apply -f - << EOF
apiVersion: v1
kind: Namespace
metadata:
name: ${NAMESPACE}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: jenkins
namespace: ${NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: jenkins
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get","list","watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: jenkins
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: jenkins
subjects:
- kind: ServiceAccount
name: jenkins
namespace: ${NAMESPACE}
EOF
# 创建存储
echo "2. 创建存储配置..."
echo "请确保在节点 ${STORAGE_NODE} 上已创建目录: sudo mkdir -p /data/jenkins && sudo chown -R 1000:1000 /data/jenkins"
kubectl apply -f - << EOF
apiVersion: v1
kind: PersistentVolume
metadata:
name: jenkins-pv
spec:
storageClassName: manual
capacity:
storage: 20Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
hostPath:
path: /data/jenkins
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- ${STORAGE_NODE}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jenkins-pvc
namespace: ${NAMESPACE}
spec:
storageClassName: manual
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi
EOF
# 等待PVC绑定
echo "3. 等待存储绑定..."
sleep 10
# 部署Jenkins
echo "4. 部署Jenkins..."
kubectl apply -f - << EOF
apiVersion: apps/v1
kind: Deployment
metadata:
name: jenkins
namespace: ${NAMESPACE}
spec:
replicas: 1
selector:
matchLabels:
app: jenkins
template:
metadata:
labels:
app: jenkins
spec:
serviceAccountName: jenkins
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
securityContext:
fsGroup: 1000
runAsUser: 1000
nodeSelector:
kubernetes.io/hostname: ${STORAGE_NODE}
containers:
- name: jenkins
image: jenkins/jenkins:2.426.1-lts
ports:
- containerPort: 8080
hostPort: 8080
- containerPort: 50000
hostPort: 50000
volumeMounts:
- name: jenkins-vol
mountPath: /var/jenkins_home
env:
- name: JAVA_OPTS
value: "-Djenkins.install.runSetupWizard=false -Djava.awt.headless=true -Xms1g -Xmx2g"
resources:
limits:
memory: "3Gi"
cpu: "2000m"
requests:
memory: "2Gi"
cpu: "1000m"
volumes:
- name: jenkins-vol
persistentVolumeClaim:
claimName: jenkins-pvc
---
apiVersion: v1
kind: Service
metadata:
name: jenkins-service
namespace: ${NAMESPACE}
spec:
selector:
app: jenkins
ports:
- name: http
port: 8080
targetPort: 8080
- name: jnlp
port: 50000
targetPort: 50000
EOF
# 等待部署完成
echo "5. 等待Jenkins启动..."
kubectl wait --for=condition=ready pod -l app=jenkins -n ${NAMESPACE} --timeout=600s
# 获取访问信息
echo "6. 获取访问信息..."
NODE_IP=$(kubectl get node ${STORAGE_NODE} -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}')
echo "Jenkins访问地址: http://${NODE_IP}:8080"
echo "Jenkins初始密码:"
kubectl exec -n ${NAMESPACE} $(kubectl get pods -n ${NAMESPACE} -l app=jenkins -o jsonpath='{.items[0].metadata.name}') -- cat /var/jenkins_home/secrets/initialAdminPassword
echo "=== 部署完成 ==="9.2 使用脚本
bash
# 给脚本执行权限
chmod +x deploy-jenkins.sh
# 修改脚本中的STORAGE_NODE变量为您的实际节点名称
vim deploy-jenkins.sh
# 执行部署
./deploy-jenkins.sh10. 维护和监控
10.1 常用维护命令
bash
# 查看Jenkins状态
kubectl get all -n jenkins
# 查看日志
kubectl logs -f deployment/jenkins -n jenkins
# 重启Jenkins
kubectl rollout restart deployment/jenkins -n jenkins
# 扩容/缩容(需要共享存储支持)
kubectl scale deployment jenkins --replicas=2 -n jenkins10.2 升级Jenkins
bash
# 备份当前数据
kubectl exec -n jenkins <pod-name> -- tar czf /tmp/backup.tar.gz /var/jenkins_home
# 更新镜像版本
kubectl set image deployment/jenkins jenkins=jenkins/jenkins:2.428.1-lts -n jenkins
# 监控升级过程
kubectl rollout status deployment/jenkins -n jenkins