一. Kaniko
官网
Kaniko是一个是谷歌开源的一款用来构建容器镜像在k8s集群内构建容器镜像的工具,使用时,需要一个Kubernetes集群, 可以在Kubernetes上无需特权的构建 image,k8s CRI无需docker- 使用后 pull 和 push 镜像很慢
# 首选需要创建一个 Kubernetes secret,其中包含推送到镜像仓库所需的身份验证信息,创建一个secret 类型是 docker-registry, 名字是 docker-harbor
kubectl create secret docker-registry docker-harbor --docker-server=https://harbor.yeemiao.net.cn --docker-username=chenxingguang --docker-password='dw2exs6nD!dfjk122'
从yaml创建
apiVersion: v1
data:
.dockerconfigjson: eyJhdXRocyI6eyJodHRwczovL2hhcmJvci55ZWVtaWFvLm5ldC5jbiI6eyJ1c2VybmFtZSI6ImNoZW54aW5nZ3VhbmciLCJwYXNzd29yZCI6ImR3MmV4czZuRCFkZmprMTIyIiwiYXV0aCI6IlkyaGxibmhwYm1kbmRXRnVaenBrZHpKbGVITTJia1FoWkdacWF6RXlNZz09In19fQ==
kind: Secret
metadata:
name: docker-harbor
namespace: kube-ops
type: kubernetes.io/dockerconfigjson
buildkit
- 可以将Dockerfile写到一个
configmap中, 或者直接在pvc中定义
apiVersion: v1
kind: ConfigMap
metadata:
name: dockerfile
data:
dockerfile: |
FROM nginx:1.21.1-alpine
RUN date > /root/date.log
apiVersion: v1
kind: Pod
metadata:
name: kaniko
spec:
hostAliases:
- ip: 192.168.1.185
hostnames:
- harbor.yeemiao.net.cn
containers:
- name: kaniko
image: daocloud.io/gcr-mirror/kaniko-project-executor:latest
args:
- --dockerfile=/workspace/Dockerfile # Dockerfile位置
- --context=/workspace/ # 上下文
- --skip-tls-verify=true # 跳过https
- --destination=harbor.yeemiao.net.cn/library/flask-web:v1 # 定义镜像名称
volumeMounts:
- name: kaniko-secret
mountPath: /kaniko/.docker
#- name: dockerfile-storage
# mountPath: /workspace
- name: dockerfile
mountPath: /workspace/Dockerfile
readOnly: true
subPath: dockerfile
restartPolicy: Never
volumes:
- name: kaniko-secret
secret:
secretName: docker-harbor
items:
- key: .dockerconfigjson
path: config.json
#- name: dockerfile-storage
# persistentVolumeClaim:
# claimName: dockerfile-claim
- name: dockerfile
configMap:
name: dockerfile
items:
- key: dockerfile
path: dockerfile
