# How to Install Jenkins on Kubernetes

Published: 2021-06-22 15:15:18 | Source: Yisu Cloud (億速云) | Views: 270 | Author: Leah | Category: Big Data

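## Contents
1. [Introduction](#introduction)
2. [Environment Preparation](#environment-preparation)
   - [Kubernetes Cluster Requirements](#kubernetes-cluster-requirements)
   - [Tools](#tools)
3. [Choosing an Installation Method](#choosing-an-installation-method)
   - [Helm Chart Installation](#helm-chart-installation-recommended)
   - [Manual Deployment with YAML Manifests](#manual-deployment-with-yaml-manifests)
4. [Installing Jenkins with Helm](#installing-jenkins-with-helm)
   - [Adding the Jenkins Helm Repository](#adding-the-jenkins-helm-repository)
   - [Customizing values.yaml](#customizing-valuesyaml)
   - [Install Commands and Verification](#install-commands-and-verification)
5. [Manual YAML Deployment](#manual-yaml-deployment)
   - [Creating the Namespace](#creating-the-namespace)
   - [Persistent Storage Configuration](#persistent-storage-configuration)
   - [Deploying the StatefulSet](#deploying-the-statefulset)
   - [Exposing the Service](#exposing-the-service)
6. [Initial Configuration](#initial-configuration)
   - [Getting the Administrator Password](#getting-the-administrator-password)
   - [Installing Recommended Plugins](#installing-recommended-plugins)
   - [Creating the First User](#creating-the-first-user)
7. [High Availability Configuration](#high-availability-configuration)
   - [Multi-Replica Deployment](#multi-replica-deployment)
   - [Shared Storage Options](#shared-storage-options)
8. [Security Hardening](#security-hardening)
   - [Network Policy](#network-policy)
   - [RBAC Configuration](#rbac-configuration)
   - [Ingress TLS Configuration](#ingress-tls-configuration)
9. [Backup and Restore](#backup-and-restore)
   - [Regular Backups of JENKINS_HOME](#regular-backups-of-jenkins_home)
   - [Cluster Backups with Velero](#cluster-backups-with-velero)
10. [Troubleshooting Common Problems](#troubleshooting-common-problems)
    - [Pod Fails to Start](#pod-fails-to-start)
    - [Plugin Installation Problems](#plugin-installation-problems)
11. [Best Practices](#best-practices)
12. [Summary](#summary)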

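## Introduction

Jenkins is the most popular open-source CI/CD tool, and in the cloud-native era running it on Kubernetes has become standard for modern DevOps pipelines. This article covers several ways to deploy Jenkins in a Kubernetes cluster, from a basic installation to a production-grade, high-availability configuration.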

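## Environment Preparation

### Kubernetes Cluster Requirements

- Kubernetes 1.19+ (with CSI storage support)
- At least 2 available worker nodes
- Recommended resources:
  - 4 CPU cores / 8 GB memory per node
  - 50 GB of persistent storage
- A working network plugin (Calico, Flannel, etc.)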

### Tools

```bash
# Required tools
kubectl version --client
helm version

# Optional tools
kubectx  # cluster context management
k9s      # cluster visualization tool
```

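## Choosing an Installation Method

### Helm Chart Installation (Recommended)

Advantages:

- One-step deployment
- Configurable through parameters
- Community-maintained with timely updates

### Manual Deployment with YAML Manifests

Suitable when:

- You need full control over deployment details
- The environment has strong customization requirements
- You are learning how Kubernetes objects relate to each other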

## Installing Jenkins with Helm

### Adding the Jenkins Helm Repository

```bash
helm repo add jenkinsci https://charts.jenkins.io
helm repo update
```

### Customizing values.yaml

```yaml
# values-custom.yaml example
controller:
  componentName: "jenkins-controller"
  image: "jenkins/jenkins:lts-jdk11"
  tagLabel: jdk11
  resources:
    requests:
      cpu: "1000m"
      memory: "2Gi"
    limits:
      cpu: "2000m"
      memory: "4Gi"
  adminUser: "admin"
  adminPassword: "admin123"  # example value only; replace before any real deployment
  jenkinsAdminEmail: "admin@example.com"
  installPlugins:
    - kubernetes:1.31.6
    - workflow-aggregator:2.6
    - git:4.11.3
  ingress:
    enabled: true
    hostName: "jenkins.example.com"
    annotations:
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
    tls:
      - secretName: "jenkins-tls"
        hosts:
          - "jenkins.example.com"
persistence:
  enabled: true
  size: "50Gi"
  storageClass: "standard"
agent:
  enabled: true
  image: "jenkins/inbound-agent:4.11-1-jdk11"
  resources:
    requests:
      cpu: "500m"
      memory: "512Mi"
```

### Install Commands and Verification

```bash
# Create the namespace
kubectl create ns jenkins

# Install Jenkins
helm install jenkins jenkinsci/jenkins -n jenkins -f values-custom.yaml

# Watch the installation status
kubectl -n jenkins get pods -w

# Get the access password
kubectl -n jenkins exec -it svc/jenkins -- cat /var/jenkins_home/secrets/initialAdminPassword

# Port-forward for temporary access
kubectl -n jenkins port-forward svc/jenkins 8080:8080
```

## Manual YAML Deployment

### Creating the Namespace

```yaml
# jenkins-ns.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: jenkins
  labels:
    name: jenkins
```

### Persistent Storage Configuration

```yaml
# jenkins-pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jenkins-pvc
  namespace: jenkins
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 50Gi
  storageClassName: standard
```

### Deploying the StatefulSet

```yaml
# jenkins-sts.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: jenkins
  namespace: jenkins
spec:
  serviceName: jenkins
  replicas: 1
  selector:
    matchLabels:
      app: jenkins
  template:
    metadata:
      labels:
        app: jenkins
    spec:
      securityContext:
        fsGroup: 1000
      containers:
      - name: jenkins
        image: jenkins/jenkins:lts-jdk11
        ports:
        - containerPort: 8080
          name: http
        - containerPort: 50000
          name: agent
        resources:
          limits:
            cpu: "2"
            memory: "4Gi"
          requests:
            cpu: "1"
            memory: "2Gi"
        volumeMounts:
        - name: jenkins-home
          mountPath: /var/jenkins_home
        env:
        # Skips the setup wizard: no initialAdminPassword is generated and no
        # security realm is configured, so set up authentication (for example
        # with Configuration as Code) before exposing the service.
        - name: JAVA_OPTS
          value: "-Djenkins.install.runSetupWizard=false"
  volumeClaimTemplates:
  - metadata:
      name: jenkins-home
    spec:
      accessModes: [ "ReadWriteOnce" ]
      resources:
        requests:
          storage: 50Gi
```

### Exposing the Service

```yaml
# jenkins-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: jenkins
  namespace: jenkins
spec:
  type: ClusterIP
  ports:
  - port: 8080
    targetPort: 8080
    name: http
  - port: 50000
    targetPort: 50000
    name: agent
  selector:
    app: jenkins

---
# jenkins-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: jenkins
  namespace: jenkins
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  rules:
  - host: "jenkins.example.com"
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: jenkins
            port:
              number: 8080
  tls:
  - hosts:
    - jenkins.example.com
    secretName: jenkins-tls
```

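## Initial Configuration

### Getting the Administrator Password

```bash
# For a Helm installation
kubectl get secret -n jenkins jenkins -o jsonpath="{.data.jenkins-admin-password}" | base64 --decode

# For a manual deployment (the file exists only when the setup wizard runs)
kubectl -n jenkins exec -it jenkins-0 -- cat /var/jenkins_home/secrets/initialAdminPassword
```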

### Plugin Installation Recommendations

Basic plugin list:

- Kubernetes Plugin
- Pipeline
- Blue Ocean
- Git
- Docker Pipeline
- Config File Provider

Batch installation:

```groovy
// Install plugins at initialization with a Groovy script
import jenkins.model.*
import hudson.util.VersionNumber
import java.util.logging.Logger

def logger = Logger.getLogger("")
def installed = false
def initialized = false

def pluginParameter = "kubernetes:1.31.6 workflow-aggregator:2.6 git:4.11.3"
def plugins = pluginParameter.split()
logger.info("" + plugins)
def instance = Jenkins.getInstance()
def pm = instance.getPluginManager()
def uc = instance.getUpdateCenter()
uc.updateAllSites()

plugins.each {
  logger.info("Checking " + it)
  def (name, version) = it.split(':')
  if (!pm.getPlugin(name)) {
    logger.info("Looking UpdateCenter for " + it)
    if (!initialized) {
      uc.updateAllSites()
      initialized = true
    }
    // getPlugin expects a VersionNumber and treats it as the minimum acceptable version
    def plugin = uc.getPlugin(name, new VersionNumber(version))
    if (plugin) {
      logger.info("Installing " + it)
      def installFuture = plugin.deploy()
      while(!installFuture.isDone()) {
        logger.info("Waiting for plugin install: " + name)
        sleep(3000)
      }
      installed = true
    }
  }
}

// Restart only if at least one plugin was installed
if (installed) {
  logger.info("Plugins installed, initializing a restart!")
  instance.save()
  instance.restart()
}
```

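## High Availability Configuration

### Multi-Replica Deployment

```yaml
# Change in values.yaml
controller:
  replicaCount: 2
  disableRememberMe: false
  numExecutors: 0  # 0 is recommended; use dynamic Kubernetes agents
```

### Shared Storage Options

Recommended options:

1. NFS dynamic provisioning
2. CephFS/Rook
3. Cloud provider shared storage (such as AWS EFS)

```yaml
persistence:
  enabled: true
  storageClass: "nfs-client"
  accessMode: "ReadWriteMany"
```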

## Security Hardening

### Network Policy

```yaml
# jenkins-networkpolicy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: jenkins
  namespace: jenkins
spec:
  podSelector:
    matchLabels:
      app: jenkins
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          role: ci-cd
    ports:
    - port: 8080
      protocol: TCP
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          role: kube-system
    ports:
    - port: 53
      protocol: UDP
```
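
Before applying the policy above, it helps to check it against the connections a Jenkins controller actually needs. The following is an added example, not part of the original article: a simplified Python model of NetworkPolicy matching, with the policy transcribed as a dict and a set of constructed flows. It assumes only `namespaceSelector` peers and numeric ports, which is all this policy uses.

```python
# Added example: a minimal model of NetworkPolicy rule matching, not a CNI implementation.
# POLICY is jenkins-networkpolicy.yaml from this article, transcribed as a dict.
POLICY = {
    "policyTypes": ["Ingress", "Egress"],
    "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"role": "ci-cd"}}}],
                 "ports": [{"port": 8080, "protocol": "TCP"}]}],
    "egress": [{"to": [{"namespaceSelector": {"matchLabels": {"role": "kube-system"}}}],
                "ports": [{"port": 53, "protocol": "UDP"}]}],
}

def peer_matches(peer, ns_labels):
    """Match one from/to entry. Only namespaceSelector is modelled (assumption)."""
    if ns_labels is None or "namespaceSelector" not in peer:
        return False  # peer is outside the cluster, or uses a selector not modelled
    want = peer["namespaceSelector"].get("matchLabels", {})
    return all(ns_labels.get(k) == v for k, v in want.items())

def allowed(policy, direction, ns_labels, port, protocol="TCP"):
    """True if a new connection in `direction` ("ingress" or "egress") is admitted."""
    if direction.capitalize() not in policy.get("policyTypes", []):
        return True  # the policy does not isolate this direction
    peers_key = "from" if direction == "ingress" else "to"
    for rule in policy.get(direction, []):
        peers, ports = rule.get(peers_key), rule.get("ports")
        peer_ok = not peers or any(peer_matches(p, ns_labels) for p in peers)
        port_ok = not ports or any(
            p["port"] == port and p.get("protocol", "TCP") == protocol for p in ports)
        if peer_ok and port_ok:
            return True
    return False  # isolated direction and no rule matched: default deny

# Constructed flows: (description, direction, peer namespace labels, port, protocol).
# Namespace labels of None mean the peer is outside the cluster.
FLOWS = [
    ("UI from namespace labelled role=ci-cd", "ingress", {"role": "ci-cd"}, 8080, "TCP"),
    ("agent port 50000 from that namespace", "ingress", {"role": "ci-cd"}, 50000, "TCP"),
    ("UI from ingress-nginx without the label", "ingress",
     {"kubernetes.io/metadata.name": "ingress-nginx"}, 8080, "TCP"),
    ("DNS to namespace labelled role=kube-system", "egress", {"role": "kube-system"}, 53, "UDP"),
    ("DNS to kube-system with default labels", "egress",
     {"kubernetes.io/metadata.name": "kube-system"}, 53, "UDP"),
    ("HTTPS to an external update site", "egress", None, 443, "TCP"),
]

def evaluate(policy=POLICY, flows=FLOWS):
    """Return {description: allowed?} for every flow."""
    return {d: allowed(policy, way, ns, port, proto) for d, way, ns, port, proto in flows}

if __name__ == "__main__":
    for desc, ok in evaluate().items():
        print("ALLOW" if ok else "DENY ", desc)
```

Under this model the policy admits only the UI on 8080 from namespaces labelled `role: ci-cd` and DNS over UDP to namespaces labelled `role: kube-system`. The agent port 50000, an ingress controller namespace without the label, a `kube-system` namespace that was never given the `role` label, and external HTTPS are all denied.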

### RBAC Configuration

```yaml
# jenkins-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jenkins
  namespace: jenkins
rules:
- apiGroups: [""]
  resources: ["pods", "pods/exec"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get","list","watch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins
  namespace: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins
subjects:
- kind: ServiceAccount
  name: jenkins
  namespace: jenkins
```
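
To review exactly what the Role above grants to the `jenkins` ServiceAccount, its rules can be evaluated offline. This is an added example, not from the original article: a Python model of RBAC rule matching with the Role transcribed as a list. `resourceNames` and non-resource URLs are not modelled, and the `REVIEW` list is constructed for illustration.

```python
# Added example: RBAC rule matching for a namespaced Role (simplified model).
# ROLE_RULES is the Role from jenkins-rbac.yaml in this article, transcribed as a list.
ROLE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/exec"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "list", "watch"]},
]

def resource_matches(granted, resource):
    """A grant on pods does not cover pods/exec: a subresource matches only when
    listed exactly, via "*", or via "*/<subresource>"."""
    sub = resource.partition("/")[2]
    return any(g in ("*", resource) or (sub != "" and g == "*/" + sub) for g in granted)

def can(rules, verb, resource, api_group=""):
    """Answer what `kubectl auth can-i <verb> <resource>` asks, for these rules only."""
    for rule in rules:
        group_ok = "*" in rule["apiGroups"] or api_group in rule["apiGroups"]
        verb_ok = "*" in rule["verbs"] or verb in rule["verbs"]
        if group_ok and verb_ok and resource_matches(rule["resources"], resource):
            return True
    return False

# Constructed review list: (verb, resource, apiGroup) permissions worth checking
# on a CI service account.
REVIEW = [
    ("create", "pods", ""),
    ("create", "pods/exec", ""),
    ("get", "secrets", ""),
    ("create", "rolebindings", "rbac.authorization.k8s.io"),
]

def review(rules, checks=REVIEW):
    """Return the (verb, resource) pairs from `checks` that the rules grant."""
    return [(v, r) for v, r, g in checks if can(rules, v, r, g)]

if __name__ == "__main__":
    for verb, resource in review(ROLE_RULES):
        print(f"granted in namespace jenkins: {verb} {resource}")
```

For the Role on this page the review returns `create pods` and `create pods/exec`. Both apply to every pod in the `jenkins` namespace, so they also cover the controller pod unless agents run in their own Namespace.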

## Backup and Restore

### Regular Backups of JENKINS_HOME

```bash
# Create the backup PVC
kubectl apply -f - <<EOF
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jenkins-backup
  namespace: jenkins
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 100Gi
EOF

# Create the CronJob
# The quoted 'EOF' keeps the local shell from expanding $(date ...) at apply time,
# so the date is evaluated inside the container on every run.
kubectl apply -f - <<'EOF'
apiVersion: batch/v1
kind: CronJob
metadata:
  name: jenkins-backup
  namespace: jenkins
spec:
  schedule: "0 2 * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: backup
            image: alpine
            command:
            - /bin/sh
            - -c
            - |
              apk add --no-cache rsync && \
              rsync -avz --delete /source/ /backup/$(date +%Y%m%d)/
            volumeMounts:
            - name: jenkins-home
              mountPath: /source
            - name: backup-volume
              mountPath: /backup
          restartPolicy: OnFailure
          volumes:
          - name: jenkins-home
            persistentVolumeClaim:
              # Must name the PVC mounted by the Jenkins pod; the StatefulSet's
              # volumeClaimTemplates create one named jenkins-home-jenkins-0.
              claimName: jenkins-pvc
          - name: backup-volume
            persistentVolumeClaim:
              claimName: jenkins-backup
EOF
```

## Troubleshooting Common Problems

### Pod Fails to Start

Common error:

```
Error: failed to start container "jenkins":
Error response from daemon: OCI runtime create failed:
container_linux.go:380: starting container process caused:
process_linux.go:545: container init caused:
rootfs_linux.go:76: mounting "/var/lib/kubelet/pods/.../volumes/kubernetes.io~secret/default-token-xxx"
to rootfs at "/var/run/secrets/kubernetes.io/serviceaccount"
caused: mount through procfd: permission denied: unknown
```

Solution:

```yaml
# Add to the Pod spec
securityContext:
  fsGroup: 1000
  runAsUser: 1000
```

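## Best Practices

1. Resource isolation: configure separate Namespaces for the Jenkins master and agents
2. Plugin management
   - Use the Configuration as Code plugin
   - Regularly remove unused plugins
3. Build optimization
   - Use Kubernetes Pod Templates to create build environments dynamically
   - Persist the build cache
4. Monitoring integration

   ```yaml
   # Prometheus monitoring example
   controller:
     prometheus:
       enabled: true
       scrapeInterval: 60s
       scrapeEndpoint: "/prometheus"
   ```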

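## Summary

With this guide you should now have a complete approach to deploying production-grade Jenkins on Kubernetes. The key points are:

1. Helm Chart is the most convenient way to install
2. Persistent storage is the foundation of data safety
3. Sensible resource limits keep the cluster stable
4. Security configuration must run through the whole deployment
5. Regular backups safeguard business continuity

As cloud-native technology develops, the integration between Jenkins and Kubernetes will keep evolving; it is worth watching emerging deployment models such as Jenkins Operator.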
