当在 Kubernetes 中已经部署很多应用时,后续需要对每个应用的 yaml 文件进行维护操作,这个过程会变的很繁琐,我们可以使用 Helm 来简化这些工作。Helm 是 Kubernetes 的一个包管理工具,用来简化 Kubernetes 应用的部署和管理。
部署 Helm 客户端与服务端
部署客户端
在 github 上Helm Realese 下载最新的二进制文件
$ tar -zxvf helm-v2.11.0-linux-amd64.tar.gz $ mv linux-amd64/helm /usr/local/bin/helm $ helm help
部署服务端(tiller )
$ helm init --upgrade --tiller-image sapcc/tiller:v2.11.0 Creating /root/.helm Creating /root/.helm/repository Creating /root/.helm/repository/cache Creating /root/.helm/repository/local Creating /root/.helm/plugins Creating /root/.helm/starters Creating /root/.helm/cache/archive Creating /root/.helm/repository/repositories.yaml Adding stable repo with URL: https://kubernetes-charts.storage.googleapis.com Adding local repo with URL: http://127.0.0.1:8879/charts $HELM_HOME has been configured at /root/.helm. Tiller (the Helm server-side component) has been installed into your Kubernetes Cluster. Please note: by default, Tiller is deployed with an insecure ‘allow unauthenticated users‘ policy. To prevent this, run `helm init` with the --tiller-tls-verify flag. For more information on securing your installation see: https://docs.helm.sh/using_helm/#securing-your-helm-installation Happy Helming!
备注:在 DockerHub 上找到了同步的镜像 :https://hub.docker.com/r/sapcc/tiller/ 。
查看
$ kubectl get pod -n kube-system -l app=helm
NAME READY STATUS RESTARTS AGE
tiller-deploy-69c9dc58bd-jvzkr 1/1 Running 0 3m2s
$ helm version
Client: &version.Version{SemVer:"v2.11.0", GitCommit:"2e55dbe1fdb5fdb96b75ff144a339489417b146b", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.11.0", GitCommit:"2e55dbe1fdb5fdb96b75ff144a339489417b146b", GitTreeState:"clean"}
配置 RBAC
$ vi rbac-config.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tiller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: tiller
namespace: kube-system
执行
$ kubectl create -f rbac-config.yaml
serviceaccount/tiller created
clusterrolebinding.rbac.authorization.k8s.io/tiller created
$ kubectl patch deploy --namespace kube-system tiller-deploy -p ‘{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}‘
deployment.extensions/tiller-deploy patched
备注:上述我们为 Tiller 管理员提供了对整个群集的访问权限,如果不需要授予 Tiller 集群管理员访问权限,可以指定 Role 和 RoleBinding 来将 Tiller 的范围限制为特定的 namespace 中,官方文档是新建一个 namespace 做的(https://docs.helm.sh/using_helm/#role-based-access-control) 。
REFER:
https://docs.helm.sh/using_helm/
https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/
原文地址:https://www.cnblogs.com/Irving/p/9898033.html
时间: 2024-07-29 23:30:19