核心内容:企业级DevOps流水线搭建实战
整体架构设计
我们将搭建一套基于Jenkins + GitLab + Docker + Kubernetes的完整流水线,架构如下:
开发提交代码 → GitLab(代码仓库)
↓
GitLab Webhook触发 → Jenkins(CI/CD引擎)
↓
Jenkins Pipeline执行:
1. 代码检出
2. 代码扫描(SonarQube)
3. 单元测试
4. 编译构建
5. Docker镜像构建
6. 推送到Harbor
7. 部署到K8s(测试环境)
8. 自动化测试
9. 人工审批
10. 部署到生产环境
↓
监控告警(Prometheus + Grafana)环境准备清单:
-
• 3台服务器(最低配置:4核8G,生产建议8核16G)
-
• 操作系统:CentOS 7.9 或 Ubuntu 20.04
-
• 网络:各节点互通,可访问外网
第一阶段:基础环境搭建(Day 1-2)
1. 安装Docker环境
所有节点都需要安装Docker:
#!/bin/bash
# install_docker.sh - Docker安装脚本
set -e
echo"=== 开始安装Docker ==="
# 卸载旧版本
sudo yum remove -y docker docker-client docker-client-latest \
docker-common docker-latest docker-latest-logrotate \
docker-logrotate docker-engine
# 安装依赖
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
# 添加Docker仓库
sudo yum-config-manager --add-repo \
https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# 安装Docker
sudo yum install -y docker-ce docker-ce-cli containerd.io
# 配置Docker镜像加速和日志
sudomkdir -p /etc/docker
sudotee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": [
"https://mirror.ccs.tencentyun.com",
"https://registry.docker-cn.com"
],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m",
"max-file": "3"
},
"storage-driver": "overlay2",
"exec-opts": ["native.cgroupdriver=systemd"]
}
EOF
# 启动Docker
sudo systemctl daemon-reload
sudo systemctl enable docker
sudo systemctl start docker
# 验证安装
docker --version
docker info
echo"=== Docker安装完成 ==="2. 部署GitLab代码仓库
GitLab提供完整的代码管理和CI/CD功能:
#!/bin/bash
# install_gitlab.sh - GitLab安装脚本
set -e
GITLAB_HOME="/data/gitlab"
GITLAB_HOSTNAME="gitlab.company.com"# 修改为你的域名
echo"=== 开始安装GitLab ==="
# 创建数据目录
sudomkdir -p ${GITLAB_HOME}/{config,logs,data}
# 运行GitLab容器
docker run -d \
--hostname ${GITLAB_HOSTNAME} \
--name gitlab \
--restart always \
--publish 443:443 \
--publish 80:80 \
--publish 22:22 \
--volume ${GITLAB_HOME}/config:/etc/gitlab \
--volume ${GITLAB_HOME}/logs:/var/log/gitlab \
--volume ${GITLAB_HOME}/data:/var/opt/gitlab \
--shm-size 256m \
gitlab/gitlab-ce:latest
echo"=== GitLab正在启动,需要3-5分钟 ==="
echo"等待GitLab启动..."
# 等待GitLab启动
for i in {1..30}; do
if docker logs gitlab 2>&1 | grep -q "gitlab Reconfigured"; then
echo"GitLab启动成功!"
break
fi
echo"等待中... ($i/30)"
sleep 10
done
# 获取初始密码
echo""
echo"=== GitLab初始管理员密码 ==="
docker exec gitlab cat /etc/gitlab/initial_root_password | grep Password:
echo""
echo"访问地址: http://${GITLAB_HOSTNAME}"
echo"管理员账号: root"
echo"请保存上面的初始密码,24小时后将自动删除"3. 部署Harbor镜像仓库
Harbor用于存储Docker镜像:
#!/bin/bash
# install_harbor.sh - Harbor安装脚本
set -e
HARBOR_VERSION="v2.9.0"
HARBOR_DOMAIN="harbor.company.com"# 修改为你的域名
HARBOR_ADMIN_PASSWORD="Harbor12345"# 修改管理员密码
echo"=== 开始安装Harbor ==="
# 安装docker-compose
sudo curl -L "https://github.com/docker/compose/releases/download/v2.20.0/docker-compose-$(uname -s)-$(uname -m)" \
-o /usr/local/bin/docker-compose
sudochmod +x /usr/local/bin/docker-compose
# 下载Harbor
cd /opt
wget https://github.com/goharbor/harbor/releases/download/${HARBOR_VERSION}/harbor-offline-installer-${HARBOR_VERSION}.tgz
tar xzvf harbor-offline-installer-${HARBOR_VERSION}.tgz
cd harbor
# 配置Harbor
cp harbor.yml.tmpl harbor.yml
sed -i "s/hostname: reg.mydomain.com/hostname: ${HARBOR_DOMAIN}/g" harbor.yml
sed -i "s/harbor_admin_password: Harbor12345/harbor_admin_password: ${HARBOR_ADMIN_PASSWORD}/g" harbor.yml
# 禁用HTTPS(测试环境,生产建议启用)
sed -i '/^https:/,+8 s/^/#/' harbor.yml
# 安装Harbor
sudo ./install.sh
echo"=== Harbor安装完成 ==="
echo"访问地址: http://${HARBOR_DOMAIN}"
echo"管理员账号: admin"
echo"管理员密码: ${HARBOR_ADMIN_PASSWORD}"4. 部署Jenkins CI/CD引擎
#!/bin/bash
# install_jenkins.sh - Jenkins安装脚本
set -e
JENKINS_HOME="/data/jenkins"
echo"=== 开始安装Jenkins ==="
# 创建数据目录
sudomkdir -p ${JENKINS_HOME}
sudochown -R 1000:1000 ${JENKINS_HOME}
# 运行Jenkins容器
docker run -d \
--name jenkins \
--restart always \
--user root \
-p 8080:8080 \
-p 50000:50000 \
-v ${JENKINS_HOME}:/var/jenkins_home \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/bin/docker:/usr/bin/docker \
jenkins/jenkins:lts
echo"=== 等待Jenkins启动(约2分钟) ==="
sleep 120
# 获取初始密码
echo""
echo"=== Jenkins初始管理员密码 ==="
docker exec jenkins cat /var/jenkins_home/secrets/initialAdminPassword
echo""
echo"访问地址: http://YOUR_IP:8080"
echo"请使用上面的密码登录并完成初始化配置"第二阶段:Jenkins Pipeline配置(Day 3-4)
1. Jenkins基础配置
登录Jenkins后,安装必要插件:
-
• Git plugin
-
• Docker plugin
-
• Kubernetes plugin
-
• Pipeline plugin
-
• GitLab plugin
-
• SonarQube Scanner
2. 创建Jenkins Pipeline脚本
这是核心的Jenkinsfile,实现完整的CI/CD流程:
// Jenkinsfile - 企业级流水线脚本
pipeline {
agent any
environment {
// 项目配置
PROJECT_NAME = 'demo-app'
GIT_REPO = 'http://gitlab.company.com/dev/demo-app.git'
GIT_CREDENTIALS = 'gitlab-credentials'
// Harbor镜像仓库
HARBOR_URL = 'harbor.company.com'
HARBOR_PROJECT = 'production'
HARBOR_CREDENTIALS = 'harbor-credentials'
IMAGE_NAME = "${HARBOR_URL}/${HARBOR_PROJECT}/${PROJECT_NAME}"
// Kubernetes配置
K8S_NAMESPACE_TEST = 'test'
K8S_NAMESPACE_PROD = 'production'
K8S_CREDENTIALS = 'k8s-credentials'
// SonarQube
SONAR_URL = 'http://sonarqube.company.com'
// 构建信息
BUILD_TAG = "${env.BUILD_NUMBER}-${env.GIT_COMMIT?.take(8)}"
}
stages {
stage('代码检出') {
steps {
script {
echo "=== 从GitLab检出代码 ==="
git branch:'master',
credentialsId:"${GIT_CREDENTIALS}",
url:"${GIT_REPO}"
// 获取Git提交信息
env.GIT_COMMIT_MSG = sh(
script:'git log -1 --pretty=%B',
returnStdout:true
).trim()
env.GIT_AUTHOR = sh(
script:'git log -1 --pretty=%an',
returnStdout:true
).trim()
}
}
}
stage('代码扫描') {
steps {
script {
echo "=== 执行SonarQube代码扫描 ==="
withSonarQubeEnv('SonarQube') {
sh """
sonar-scanner \
-Dsonar.projectKey=${PROJECT_NAME} \
-Dsonar.sources=. \
-Dsonar.host.url=${SONAR_URL} \
-Dsonar.login=${SONAR_TOKEN}
"""
}
}
}
}
stage('质量门禁') {
steps {
script {
echo "=== 等待SonarQube质量门禁结果 ==="
timeout(time:5, unit:'MINUTES') {
def qg = waitForQualityGate()
if (qg.status != 'OK') {
error "代码质量不达标: ${qg.status}"
}
}
}
}
}
stage('单元测试') {
steps {
script {
echo "=== 执行单元测试 ==="
sh """
# 以Java项目为例
mvn clean test
# 或Node.js项目
# npm test
# 或Python项目
# pytest --cov=./ --cov-report=xml
"""
}
}
post {
always {
// 发布测试报告
junit '**/target/surefire-reports/*.xml'
}
}
}
stage('编译构建') {
steps {
script {
echo "=== 编译项目代码 ==="
sh """
# Java项目
mvn clean package -DskipTests
# 或Node.js项目
# npm run build
# 或Go项目
# go build -o app main.go
"""
}
}
}
stage('构建镜像') {
steps {
script {
echo "=== 构建Docker镜像 ==="
// 创建Dockerfile(如果项目中没有)
sh """
cat > Dockerfile <<'EOF'
FROM openjdk:11-jre-slim
WORKDIR /app
COPY target/*.jar app.jar
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "app.jar"]
EOF
"""
// 构建镜像
docker.build("${IMAGE_NAME}:${BUILD_TAG}")
docker.build("${IMAGE_NAME}:latest")
}
}
}
stage('推送镜像') {
steps {
script {
echo "=== 推送镜像到Harbor ==="
docker.withRegistry("http://${HARBOR_URL}", "${HARBOR_CREDENTIALS}") {
docker.image("${IMAGE_NAME}:${BUILD_TAG}").push()
docker.image("${IMAGE_NAME}:latest").push()
}
}
}
}
stage('部署到测试环境') {
steps {
script {
echo "=== 部署到Kubernetes测试环境 ==="
withKubeConfig([credentialsId:"${K8S_CREDENTIALS}"]) {
sh """
kubectl set image deployment/${PROJECT_NAME} \
${PROJECT_NAME}=${IMAGE_NAME}:${BUILD_TAG} \
-n ${K8S_NAMESPACE_TEST}
# 等待部署完成
kubectl rollout status deployment/${PROJECT_NAME} \
-n ${K8S_NAMESPACE_TEST} \
--timeout=5m
"""
}
}
}
}
stage('自动化测试') {
steps {
script {
echo "=== 执行接口自动化测试 ==="
sh """
# 等待服务就绪
sleep 30
# 执行自动化测试
# newman run tests/api-tests.json
# 或使用pytest
# pytest tests/integration/
echo "自动化测试通过"
"""
}
}
}
stage('人工审批') {
when {
branch 'master'
}
steps {
script {
echo "=== 等待人工审批发布到生产环境 ==="
def userInput = input(
id:'userInput',
message:'是否发布到生产环境?',
parameters: [
booleanParam(
defaultValue:false,
description:'确认发布',
name:'DEPLOY_TO_PROD'
)
]
)
if (!userInput) {
error "用户取消了生产环境发布"
}
}
}
}
stage('部署到生产环境') {
when {
branch 'master'
}
steps {
script {
echo "=== 部署到Kubernetes生产环境 ==="
withKubeConfig([credentialsId:"${K8S_CREDENTIALS}"]) {
sh """
# 记录发布信息
kubectl annotate deployment/${PROJECT_NAME} \
kubernetes.io/change-cause="Build ${BUILD_TAG} by ${GIT_AUTHOR}: ${GIT_COMMIT_MSG}" \
-n ${K8S_NAMESPACE_PROD}
# 更新镜像
kubectl set image deployment/${PROJECT_NAME} \
${PROJECT_NAME}=${IMAGE_NAME}:${BUILD_TAG} \
-n ${K8S_NAMESPACE_PROD}
# 等待部署完成
kubectl rollout status deployment/${PROJECT_NAME} \
-n ${K8S_NAMESPACE_PROD} \
--timeout=10m
"""
}
}
}
}
stage('健康检查') {
when {
branch 'master'
}
steps {
script {
echo "=== 生产环境健康检查 ==="
sh """
# 获取服务地址
SERVICE_URL=\$(kubectl get svc ${PROJECT_NAME} \
-n ${K8S_NAMESPACE_PROD} \
-o jsonpath='{.status.loadBalancer.ingress[0].ip}')
# 健康检查
for i in {1..10}; do
HTTP_CODE=\$(curl -s -o /dev/null -w "%{http_code}" http://\${SERVICE_URL}/health)
if [ "\${HTTP_CODE}" == "200" ]; then
echo "健康检查通过"
exit 0
fi
echo "等待服务就绪... (\$i/10)"
sleep 10
done
echo "健康检查失败,准备回滚"
exit 1
"""
}
}
}
}
post {
success {
script {
echo "=== 流水线执行成功 ==="
// 发送通知(钉钉/企业微信/邮件)
sh """
curl -X POST 'https://oapi.dingtalk.com/robot/send?access_token=YOUR_TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"msgtype": "markdown",
"markdown": {
"title": "发布成功",
"text": "### ${PROJECT_NAME} 发布成功\\n\\n- 构建编号: ${BUILD_NUMBER}\\n- 镜像版本: ${BUILD_TAG}\\n- 提交人: ${GIT_AUTHOR}\\n- 提交信息: ${GIT_COMMIT_MSG}"
}
}'
"""
}
}
failure {
script {
echo "=== 流水线执行失败 ==="
// 自动回滚
withKubeConfig([credentialsId:"${K8S_CREDENTIALS}"]) {
sh """
if [ "${env.BRANCH_NAME}" == "master" ]; then
echo "执行自动回滚"
kubectl rollout undo deployment/${PROJECT_NAME} \
-n ${K8S_NAMESPACE_PROD}
fi
"""
}
// 发送告警通知
sh """
curl -X POST 'https://oapi.dingtalk.com/robot/send?access_token=YOUR_TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"msgtype": "text",
"text": {
"content": "【告警】${PROJECT_NAME} 发布失败! 构建编号: ${BUILD_NUMBER}, 请及时处理!"
},
"at": {
"isAtAll": true
}
}'
"""
}
}
always {
// 清理构建缓存
cleanWs()
}
}
}第三阶段:Kubernetes部署配置(Day 5-6)
1. Kubernetes部署清单
创建应用的Kubernetes部署配置:
# k8s/deployment.yaml - Kubernetes部署配置
apiVersion:apps/v1
kind:Deployment
metadata:
name:demo-app
namespace:production
labels:
app:demo-app
spec:
replicas:3
strategy:
type:RollingUpdate
rollingUpdate:
maxSurge:1
maxUnavailable:0
selector:
matchLabels:
app:demo-app
template:
metadata:
labels:
app:demo-app
spec:
containers:
-name:demo-app
image:harbor.company.com/production/demo-app:latest
ports:
-containerPort:8080
name:http
env:
-name:JAVA_OPTS
value:"-Xms512m -Xmx1024m"
-name:SPRING_PROFILES_ACTIVE
value:"production"
resources:
requests:
memory:"512Mi"
cpu:"500m"
limits:
memory:"1Gi"
cpu:"1000m"
livenessProbe:
httpGet:
path:/actuator/health/liveness
port:8080
initialDelaySeconds:60
periodSeconds:10
timeoutSeconds:5
failureThreshold:3
readinessProbe:
httpGet:
path:/actuator/health/readiness
port:8080
initialDelaySeconds:30
periodSeconds:5
timeoutSeconds:3
failureThreshold:3
volumeMounts:
-name:config
mountPath:/app/config
-name:logs
mountPath:/app/logs
volumes:
-name:config
configMap:
name:demo-app-config
-name:logs
emptyDir: {}
imagePullSecrets:
-name:harbor-secret
---
apiVersion:v1
kind:Service
metadata:
name:demo-app
namespace:production
spec:
type:LoadBalancer
selector:
app:demo-app
ports:
-protocol:TCP
port:80
targetPort:8080
---
apiVersion:v1
kind:ConfigMap
metadata:
name:demo-app-config
namespace:production
data:
application.yaml:|
server:
port: 8080
spring:
datasource:
url: jdbc:mysql://mysql:3306/demo
username: demo_user
password: ${DB_PASSWORD}
logging:
level:
root: INFO2. 部署脚本
#!/bin/bash
# deploy_k8s.sh - Kubernetes部署脚本
set -e
NAMESPACE="production"
APP_NAME="demo-app"
echo"=== 开始部署到Kubernetes ==="
# 创建命名空间
kubectl create namespace ${NAMESPACE} --dry-run=client -o yaml | kubectl apply -f -
# 创建Harbor镜像拉取密钥
kubectl create secret docker-registry harbor-secret \
--docker-server=harbor.company.com \
--docker-username=admin \
--docker-password=Harbor12345 \
--namespace=${NAMESPACE} \
--dry-run=client -o yaml | kubectl apply -f -
# 应用部署配置
kubectl apply -f k8s/deployment.yaml
# 等待部署完成
echo"等待Deployment就绪..."
kubectl rollout status deployment/${APP_NAME} -n ${NAMESPACE} --timeout=5m
# 查看部署状态
echo""
echo"=== 部署完成,当前状态 ==="
kubectl get pods -n ${NAMESPACE} -l app=${APP_NAME}
kubectl get svc -n ${NAMESPACE}${APP_NAME}
echo""
echo"=== 访问地址 ==="
kubectl get svc ${APP_NAME} -n ${NAMESPACE} -o jsonpath='{.status.loadBalancer.ingress[0].ip}'第四阶段:监控与告警(Day 7)
1. Prometheus监控配置
# prometheus-config.yaml - Prometheus配置
apiVersion:v1
kind:ConfigMap
metadata:
name:prometheus-config
namespace:monitoring
data:
prometheus.yml:|
global:
scrape_interval: 15s
evaluation_interval: 15s
alerting:
alertmanagers:
-static_configs:
-targets:
-alertmanager:9093
rule_files:
-/etc/prometheus/rules/*.yml
scrape_configs:
# Jenkins监控
-job_name:'jenkins'
metrics_path:'/prometheus'
static_configs:
-targets:
-jenkins:8080
# Kubernetes监控
-job_name:'kubernetes-pods'
kubernetes_sd_configs:
-role:pod
relabel_configs:
-source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
action:keep
regex:true
-source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
action:replace
target_label:__metrics_path__
regex:(.+)
-source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
action:replace
regex:([^:]+)(?::\d+)?;(\d+)
replacement:$1:$2
target_label:__address__2. Grafana Dashboard配置
#!/bin/bash
# setup_monitoring.sh - 监控系统部署
set -e
echo"=== 部署Prometheus和Grafana ==="
# 创建监控命名空间
kubectl create namespace monitoring
# 部署Prometheus
kubectl apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
name: prometheus
namespace: monitoring
spec:
replicas: 1
selector:
matchLabels:
app: prometheus
template:
metadata:
labels:
app: prometheus
spec:
containers:
- name: prometheus
image: prom/prometheus:latest
ports:
- containerPort: 9090
volumeMounts:
- name: config
mountPath: /etc/prometheus
- name: data
mountPath: /prometheus
volumes:
- name: config
configMap:
name: prometheus-config
- name: data
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: prometheus
namespace: monitoring
spec:
type: NodePort
selector:
app: prometheus
ports:
- port: 9090
targetPort: 9090
nodePort: 30090
EOF
# 部署Grafana
kubectl apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
name: grafana
namespace: monitoring
spec:
replicas: 1
selector:
matchLabels:
app: grafana
template:
metadata:
labels:
app: grafana
spec:
containers:
- name: grafana
image: grafana/grafana:latest
ports:
- containerPort: 3000
env:
- name: GF_SECURITY_ADMIN_PASSWORD
value: "admin123"
---
apiVersion: v1
kind: Service
metadata:
name: grafana
namespace: monitoring
spec:
type: NodePort
selector:
app: grafana
ports:
- port: 3000
targetPort: 3000
nodePort: 30030
EOF
echo"=== 监控系统部署完成 ==="
echo"Prometheus: http://YOUR_IP:30090"
echo"Grafana: http://YOUR_IP:30030 (admin/admin123)"实践案例:某互联网公司DevOps落地全过程
核心配置要点
1. 多环境管理策略
// 环境配置映射
def envConfig = [
'dev': [
namespace:'development',
replicas:1,
approvalRequired:false
],
'test': [
namespace:'testing',
replicas:2,
approvalRequired:false
],
'prod': [
namespace:'production',
replicas:3,
approvalRequired:true
]
]
// 根据分支自动选择环境
def targetEnv = env.BRANCH_NAME == 'master' ? 'prod' :
env.BRANCH_NAME == 'develop' ? 'test' : 'dev'2. 金丝雀发布策略
# 金丝雀发布配置
apiVersion:apps/v1
kind:Deployment
metadata:
name:demo-app-canary
spec:
replicas:1# 先发布1个实例
selector:
matchLabels:
app:demo-app
version:canary
---
# 主版本保持不变
apiVersion:apps/v1
kind:Deployment
metadata:
name:demo-app-stable
spec:
replicas:3
selector:
matchLabels:
app:demo-app
version:stable3. 自动回滚机制
# 回滚脚本
#!/bin/bash
rollback_deployment() {
local APP=$1
local NAMESPACE=$2
echo"检测到异常,执行自动回滚"
kubectl rollout undo deployment/${APP} -n ${NAMESPACE}
kubectl rollout status deployment/${APP} -n ${NAMESPACE}
# 发送告警通知
send_alert "应用${APP}已自动回滚到上一个版本"
}
# 健康检查失败时触发回滚
if ! check_health; then
rollback_deployment "demo-app""production"
fi高级功能扩展
1. 多云部署支持
// 支持AWS、阿里云、腾讯云等多云部署
stage('多云部署') {
parallel {
stage('部署到AWS') {
steps {
sh 'kubectl --context=aws-prod apply -f k8s/'
}
}
stage('部署到阿里云') {
steps {
sh 'kubectl --context=aliyun-prod apply -f k8s/'
}
}
}
}2. 蓝绿部署
#!/bin/bash
# 蓝绿部署脚本
blue_green_deploy() {
local NEW_VERSION=$1
# 部署绿色环境
kubectl apply -f deployment-green.yaml
kubectl set image deployment/app-green app=app:${NEW_VERSION}
kubectl rollout status deployment/app-green
# 验证绿色环境
if smoke_test "http://app-green"; then
# 切换流量到绿色环境
kubectl patch service app -p '{"spec":{"selector":{"version":"green"}}}'
echo"切换成功"
else
echo"验证失败,保持蓝色环境"
exit 1
fi
}3. 自动化性能测试
stage('性能测试') {
steps {
sh '''
# 使用JMeter进行压测
jmeter -n -t test-plan.jmx \
-l result.jtl \
-j jmeter.log
# 分析结果
python analyze_perf.py result.jtl
'''
}
}安全加固建议
1. 密钥管理
使用Vault或Kubernetes Secrets管理敏感信息:
# 创建加密的Secret
kubectl create secret generic db-credentials \
--from-literal=username=admin \
--from-literal=password=SecurePassword1232. 镜像安全扫描
集成Trivy或Clair进行镜像漏洞扫描:
stage('镜像安全扫描') {
steps {
sh '''
trivy image --severity HIGH,CRITICAL \
${IMAGE_NAME}:${BUILD_TAG}
'''
}
}3. 网络隔离
使用NetworkPolicy限制Pod间通信:
apiVersion:networking.k8s.io/v1
kind:NetworkPolicy
metadata:
name:app-network-policy
spec:
podSelector:
matchLabels:
app:demo-app
policyTypes:
-Ingress
-Egress
ingress:
-from:
-podSelector:
matchLabels:
role:frontend
ports:
-protocol:TCP
port:8080成本优化策略
-
- 资源配额管理:为每个命名空间设置ResourceQuota
-
- 自动伸缩:使用HPA根据负载自动调整副本数
-
- 定时任务:非生产环境在夜间自动缩容
-
- 镜像清理:定期清理Harbor中的旧镜像
#!/bin/bash
镜像清理脚本
harbor_cleanup() {
保留最近30天的镜像,删除其他
curl -u admin:password -X POST \"http://harbor.company.com/api/v2.0/system/gc/schedule"
-H "Content-Type: application/json"
-d '{
"schedule": {
"type": "Daily",
"cron": "0 2 * * *"
},
"parameters": {
"delete_untagged": true,
"dry_run": false
}
}'
}