Kubernetes-Jenkins集成 [英] Kubernetes - Jenkins integration
问题描述
我已经使用kubeadm Kubernetes 1.9 RBAC集群进行了自举,并开始在基于jenkins/jenkins:lts的POD Jenkins内部.我想尝试 https://github.com/jenkinsci/kubernetes-plugin . 我已经根据> https://gist.github.com/lachie83/17c1fff4eb58cf75c5fb11a4
I've bootstrapped with kubeadm Kubernetes 1.9 RBAC cluster and I've started inside a POD Jenkins based on jenkins/jenkins:lts. I would like to try out https://github.com/jenkinsci/kubernetes-plugin . I have already created a serviceaccount based on the proposal in https://gist.github.com/lachie83/17c1fff4eb58cf75c5fb11a4957a64d2
> kubectl -n dev-infra create sa jenkins
> kubectl create clusterrolebinding jenkins --clusterrole cluster-admin --serviceaccount=dev-infra:jenkins
> kubectl -n dev-infra get sa jenkins -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: 2018-02-16T12:06:26Z
name: jenkins
namespace: dev-infra
resourceVersion: "1295580"
selfLink: /api/v1/namespaces/dev-infra/serviceaccounts/jenkins
uid: d040041c-1311-11e8-a4f8-005056039a14
secrets:
- name: jenkins-token-vmt79
> kubectl -n dev-infra get secret jenkins-token-vmt79 -o yaml
apiVersion: v1
data:
ca.crt: LS0tL...0tLQo=
namespace: ZGV2LWluZnJh
token: ZXlK...tdVE=
kind: Secret
metadata:
annotations:
kubernetes.io/service-account.name: jenkins
kubernetes.io/service-account.uid: d040041c-1311-11e8-a4f8-005056039a14
creationTimestamp: 2018-02-16T12:06:26Z
name: jenkins-token-vmt79
namespace: dev-infra
resourceVersion: "1295579"
selfLink: /api/v1/namespaces/dev-infra/secrets/jenkins-token-vmt79
uid: d041fa6c-1311-11e8-a4f8-005056039a14
type: kubernetes.io/service-account-token
此后,我去Manage Jenkins->配置系统->云-> Kubernetes,并将Kubernetes URL设置为我也在kubectl KUBECONFIG服务器中使用的Cluster API:url:port.
After that I go to Manage Jenkins -> Configure System -> Cloud -> Kubernetes and set the Kubernetes URL to the Cluster API that I use also in my kubectl KUBECONFIG server: url:port.
当我点击测试连接时,我得到错误测试连接 https://url:port :执行失败:GET网址: https://url:port/api/v1/namespaces/dev-消息:禁止!配置的服务帐户无权访问.服务帐户可能已被吊销.pods被禁止:用户"system:serviceaccount:dev-infra:default"无法在名称空间中列出pods "dev-infra".
When I hit test connection I get "Error testing connection https://url:port: Failure executing: GET at: https://url:port/api/v1/namespaces/dev-infra/pods. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods is forbidden: User "system:serviceaccount:dev-infra:default" cannot list pods in the namespace "dev-infra".
我不想给dev-infra:default用户一个集群管理员角色,并且我想使用我创建的jenkins sa.我不明白如何在Jenkins中配置凭据.当我点击添加凭据时,在 https://github.com/jenkinsci /kubernetes-plugin/blob/master/configuration.png 我知道
I don't want to give to the dev-infra:default user a cluster-admin role and I want to use the jenkins sa I created. I can't understand how to configure the credentials in Jenkins. When I hit add credentials on the https://github.com/jenkinsci/kubernetes-plugin/blob/master/configuration.png I get
<select class="setting-input dropdownList">
<option value="0">Username with password</option>
<option value="1">Docker Host Certificate Authentication</option>
<option value="2">Kubernetes Service Account</option>
<option value="3">OpenShift OAuth token</option>
<option value="4">OpenShift Username and Password</option>
<option value="5">SSH Username with private key</option>
<option value="6">Secret file</option>
<option value="7">Secret text</option>
<option value="8">Certificate</option></select>
我找不到一个清晰的示例,如何配置Jenkins Kubernetes Cloud连接器以使用我的Jenkins对服务帐户jenkins进行身份验证. 您能否帮助我找到分步指南-我需要哪种凭证?
I could not find a clear example how to configure Jenkins Kubernetes Cloud connector to use my Jenkins to authenticate with service account jenkins. Could you please help me to find step-by-step guide - what kind of of credentials I need?
关于, 帕维尔
推荐答案
最佳做法是使用您创建的serviceaccount
启动您的Jenkins主容器,而不是在Jenkins中创建凭据
The best practice is to launch you Jenkins master pod with the serviceaccount
you created, instead of creating credentials in Jenkins
这篇关于Kubernetes-Jenkins集成的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!