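16 - k8s image registry - single master
What is Harbor
Developing and running Docker container applications depends on reliable image management. Docker does provide a public image registry, but for reasons of security and efficiency it is also necessary to deploy a Registry inside our own private environment. Harbor is an enterprise-grade Docker Registry management project open-sourced by VMware. Its features include access control (RBAC), LDAP, log auditing, a management UI, self-registration, image replication and Chinese-language support.
Harbor is an enterprise-grade registry server used to store and manage Docker image files. Harbor mainly provides a web management interface for Docker Registry, supports image synchronization between multiple registry servers, and offers advanced security features such as user management, access control and activity auditing.
Official site: https://github.com/goharbor/harbor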
Uploading an image to Harbor
We can upload an image we built locally to the Harbor image registry.
First, pull the latest nginx image:
[root@master1 ~]# docker pull nginx
Then tag the image, based on the latest nginx image:
[root@master1 ~]# docker tag nginx:latest 192.168.1.22/library/mynginx:v1
We need to configure the address of the Harbor registry in Docker:
cat >/etc/docker/daemon.json<<EOF
{
"registry-mirrors": ["https://1v0q5mvy.mirror.aliyuncs.com"],
"insecure-registries": ["192.168.1.22"]
}
EOF
systemctl daemon-reload
systemctl restart docker
systemctl status docker
First log in to the remote Harbor registry. The default account and password are: admin / Harbor12345
[root@master1 ~]# docker login 192.168.1.22
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Push the image to the remote Harbor registry:
docker push 192.168.1.22/library/mynginx:v1
Log in to the Harbor registry; we can see that the image has been uploaded successfully.
Finally, delete the image on the master node:
docker rmi -f 192.168.1.22/library/mynginx:v1
Harbor client configuration
Log in to any node and configure the Harbor registry address:
cat >/etc/docker/daemon.json<<\EOF
{
"registry-mirrors":["https://rsbud4vc.mirror.aliyuncs.com","https://registry.docker-cn.com","https://docker.mirrors.ustc.edu.cn","https://dockerhub.azk8s.cn","http://hub-mirror.c.163.com","http://qtid6917.mirror.aliyuncs.com", "https://rncxm540.mirror.aliyuncs.com"],
"insecure-registries": ["192.168.1.22"],
"exec-opts": ["native.cgroupdriver=systemd"]
}
EOF
systemctl daemon-reload
systemctl restart docker
systemctl status docker
Now pull the image from the public area of the local registry:
docker pull 192.168.1.22/library/mynginx:v1
The test shows that the pull succeeds:
[root@node1 ~]# docker images|grep nginx
192.168.1.22/library/mynginx v1 605c77e624dd 3 months ago 141MB
Finally, delete the pulled image:
docker rmi -f 192.168.1.22/library/mynginx:v1
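Verifying the local image registry from k8s
If we want the k8s cluster to pull images from the local registry, the following must be configured on every node: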
cat >/etc/docker/daemon.json<<\EOF
{
"registry-mirrors":["https://rsbud4vc.mirror.aliyuncs.com","https://registry.docker-cn.com","https://docker.mirrors.ustc.edu.cn","https://dockerhub.azk8s.cn","http://hub-mirror.c.163.com","http://qtid6917.mirror.aliyuncs.com", "https://rncxm540.mirror.aliyuncs.com"],
"insecure-registries": ["192.168.1.22"],
"exec-opts": ["native.cgroupdriver=systemd"]
}
EOF
systemctl daemon-reload
systemctl restart docker
systemctl status docker
Create a mynginx-deployment.yaml file:
cat >mynginx-deployment.yaml<<\EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mynginx-deployment
  labels:
    app: mynginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: mynginx
  template:
    metadata:
      labels:
        app: mynginx
    spec:
      containers:
      - name: mynginx
        image: 192.168.1.22/library/mynginx:v1
        ports:
        - containerPort: 80
EOF
Apply the mynginx-deployment manifest:
kubectl apply -f mynginx-deployment.yaml
Check what was created:
[root@master1 ~]# kubectl get deployment
NAME READY UP-TO-DATE AVAILABLE AGE
mynginx-deployment 3/3 3 3 19s
[root@master1 ~]# kubectl get pod|grep mynginx
mynginx-deployment-97df45c67-mvh2z 1/1 Running 0 39s
mynginx-deployment-97df45c67-pcvrv 1/1 Running 0 39s
mynginx-deployment-97df45c67-t6x98 1/1 Running 0 39s
Of course, once testing is finished, don't forget to clean up the environment:
kubectl delete -f mynginx-deployment.yaml
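The daemon.json used on every node lists 192.168.1.22 under insecure-registries, so Docker reaches Harbor over plain HTTP or without verifying its certificate, and docker login warned that the password is stored unencrypted in config.json. The Python script below is an added example, not part of the original page, that flags both conditions on a node. Its function names are hypothetical, the sample inputs are constructed from the page's configuration, and EXAMPLE-PASSWORD is a placeholder.

```python
import base64
import json

# Constructed sample: the node daemon.json from this page (mirror list shortened).
SAMPLE_DAEMON_JSON = """
{
  "registry-mirrors": ["https://rsbud4vc.mirror.aliyuncs.com", "http://hub-mirror.c.163.com"],
  "insecure-registries": ["192.168.1.22"],
  "exec-opts": ["native.cgroupdriver=systemd"]
}
"""

# Constructed sample of /root/.docker/config.json after `docker login` with no credential helper.
SAMPLE_CLIENT_JSON = json.dumps({
    "auths": {"192.168.1.22": {"auth": base64.b64encode(b"admin:EXAMPLE-PASSWORD").decode()}}
})


def audit_daemon(text):
    """Return findings for registries the daemon reaches without verified TLS."""
    cfg = json.loads(text)
    findings = []
    for reg in cfg.get("insecure-registries", []):
        findings.append(("insecure-registry", reg))
    for mirror in cfg.get("registry-mirrors", []):
        if mirror.lower().startswith("http://"):
            findings.append(("plaintext-mirror", mirror))
    return findings


def audit_client(text):
    """Return findings for registry logins stored as base64 in the client config."""
    cfg = json.loads(text)
    helpers = cfg.get("credHelpers", {})
    findings = []
    for registry, entry in cfg.get("auths", {}).items():
        if cfg.get("credsStore") or registry in helpers:
            continue  # secret lives in a credential helper, not in this file
        if entry.get("auth"):
            user = base64.b64decode(entry["auth"]).decode(errors="replace").split(":", 1)[0]
            findings.append(("stored-credential", registry, user))
    return findings


if __name__ == "__main__":
    # On a node, read /etc/docker/daemon.json and ~/.docker/config.json instead.
    for finding in audit_daemon(SAMPLE_DAEMON_JSON) + audit_client(SAMPLE_CLIENT_JSON):
        print(*finding)
```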