Introduction
JumpServer is a free and open-source bastion host that helps organisations control and log in to all kinds of assets in a more secure way.
The JumpServer bastion supports pre-session authorization, in-session monitoring and post-session auditing, meeting the requirements of China's MLPS (等保) compliance scheme.
Installing JumpServer with Helm
Deploying MySQL on K8s
JumpServer requires an external MySQL, so it has to be set up separately.
Add the Helm repo:
helm repo add bitnami https://charts.bitnami.com/bitnami
Download the MySQL Helm chart and unpack it:
helm fetch bitnami/mysql
tar -xf mysql-9.12.3.tgz
The unpacked mysql directory contains:
Chart.lock  charts  Chart.yaml  README.md  templates  values.schema.json  values.yaml
Edit its values.yaml as follows (the passwords are stored in plaintext in this file, so keep it out of version control):
global:
  imageRegistry: ""
  imagePullSecrets: []
  storageClass: "csi-rbd-sc"
auth:
  rootPassword: "mysql_password"
  createDatabase: true
  database: "jumpserver"
  username: "jms"
  password: "jms_password"
livenessProbe:
  enabled: true
  initialDelaySeconds: 60
  periodSeconds: 60
  timeoutSeconds: 10
  failureThreshold: 3
  successThreshold: 1
readinessProbe:
  enabled: true
  initialDelaySeconds: 60
  periodSeconds: 60
  timeoutSeconds: 10
  failureThreshold: 3
  successThreshold: 1
startupProbe:
  enabled: true
  initialDelaySeconds: 60
  periodSeconds: 60
  timeoutSeconds: 10
  failureThreshold: 10
  successThreshold: 1
Create the namespace
Create the namespace jms; all of the following services are deployed into it.
kubectl create ns jms
Deploy MySQL
helm install jms-mysql . -f values.yaml -n jms
Deploying Redis on K8s
JumpServer also requires an external Redis, so it has to be set up as well.
Download the Redis Helm chart and unpack it:
helm fetch bitnami/redis
tar -xf redis-18.0.4.tgz
The unpacked redis directory contains:
Chart.lock  charts  Chart.yaml  img  README.md  templates  values.schema.json  values.yaml
Edit values.yaml as follows:
global:
  imageRegistry: ""
  imagePullSecrets: []
  storageClass: "csi-rbd-sc"
  redis:
    password: "redis_password"
Install the chart
helm install jms-redis . -f values.yaml -n jms
Check the Pods in the jms namespace:
NAME                   READY   STATUS    RESTARTS   AGE
jms-mysql-0            1/1     Running   0          14m
jms-redis-master-0     1/1     Running   0          3m5s
jms-redis-replicas-0   1/1     Running   0          3m5s
jms-redis-replicas-1   1/1     Running   0          119s
jms-redis-replicas-2   1/1     Running   0          77s
Deploying JumpServer
Add the Helm repo:
helm repo add jumpserver https://jumpserver.github.io/helm-charts
Search for the JumpServer Helm chart:
NAME                    CHART VERSION   APP VERSION   DESCRIPTION
jumpserver/jumpserver   3.8.1           v3.8.1        A Helm chart for Deploying Jumpserver on Kubern...
Download the Helm chart so that its values.yaml can be edited:
helm fetch jumpserver/jumpserver
If the download in the previous step is too slow to complete, clone the GitHub project instead:
git clone https://github.com/jumpserver/helm-charts.git
Edit values.yaml
The chart lives at /root/jumpserver/helm-charts/charts/jumpserver and contains:
Chart.yaml  configs  README.md  templates  values.yaml
First generate a random secretKey and bootstrapToken; the values generated for this walkthrough were:
2c8jbQPosNKb2pC1iGkFwMHwYwg0XYaykCPiAeO8PccHAixbih
wF3NSIDTGGtO22cUNwBRV808
Then edit values.yaml as follows:
global:
  imageRegistry: "docker.io"
  imageTag: v3.8.1
  imagePullSecrets: []
  storageClass: "csi-rbd-sc"
externalDatabase:
  engine: mysql
  host: jms-mysql
  port: 3306
  user: jms
  password: "jms_password"
  database: jumpserver
externalRedis:
  # the Redis master Service created by the bitnami chart above
  host: jms-redis-master
  port: 6379
  password: "redis_password"
core:
  enabled: true
  labels:
    app.jumpserver.org/name: jms-core
  config:
    secretKey: "2c8jbQPosNKb2pC1iGkFwMHwYwg0XYaykCPiAeO8PccHAixbih"
    bootstrapToken: "wF3NSIDTGGtO22cUNwBRV808"
  accessModes:
    - ReadWriteOnce
Install the chart
This step can take a while.
helm install jumpserver . -f values.yaml -n jms
Check the Services in the jms namespace:
NAME                    TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                         AGE
jms-mysql               ClusterIP   10.96.211.71    <none>        3306/TCP                        131m
jms-mysql-headless      ClusterIP   None            <none>        3306/TCP                        131m
jms-redis-headless      ClusterIP   None            <none>        6379/TCP                        120m
jms-redis-master        ClusterIP   10.96.40.37     <none>        6379/TCP                        120m
jms-redis-replicas      ClusterIP   10.96.237.101   <none>        6379/TCP                        120m
jumpserver-jms-chen     ClusterIP   10.96.66.253    <none>        8082/TCP                        16m
jumpserver-jms-core     ClusterIP   10.96.204.210   <none>        8080/TCP                        16m
jumpserver-jms-kael     ClusterIP   10.96.236.163   <none>        8083/TCP                        16m
jumpserver-jms-koko     ClusterIP   10.96.68.28     <none>        5000/TCP,2222/TCP               16m
jumpserver-jms-lion     ClusterIP   10.96.26.169    <none>        8081/TCP                        16m
jumpserver-jms-magnus   ClusterIP   10.96.238.16    <none>        33061/TCP,33062/TCP,63790/TCP   16m
jumpserver-jms-web      ClusterIP   10.96.209.160   <none>        80/TCP                          16m
Exposing the JumpServer web service with Istio
Create the Gateway (jumpserver-gateway.yaml):
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: jumpserver-gateway
  namespace: istio-system
spec:
  selector:
    app: istio-ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "jumpserver.myk8s.cn"
Apply the YAML file:
kubectl apply -f jumpserver-gateway.yaml
Create the VirtualService:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: jumpserver-virtualservice
  namespace: jms
spec:
  hosts:
    - "jumpserver.myk8s.cn"
  gateways:
    - istio-system/jumpserver-gateway
  http:
    - match:
        - uri:
            prefix: /
      route:
        - destination:
            host: jumpserver-jms-web
            port:
              number: 80
Apply the YAML file; kubectl confirms:
virtualservice.networking.istio.io/jumpserver-virtualservice created
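The Gateway above terminates the bastion's web console on plain HTTP (port 80), so console logins and recorded session traffic cross the network unencrypted. The Gateway below, added here as an example and not taken from the original post, serves the same host over HTTPS and redirects port 80 to it; the VirtualService above needs no change because the Gateway name stays the same. It assumes the certificate and key have already been stored as a Kubernetes TLS Secret named jumpserver-tls (hypothetical name) in istio-system, which must be the namespace of the ingress gateway pods.

```yaml
# Added example (not from the original post): HTTPS variant of jumpserver-gateway.yaml.
# Assumes a TLS Secret named jumpserver-tls (hypothetical name) created beforehand with:
#   kubectl create secret tls jumpserver-tls --cert=fullchain.pem --key=privkey.pem -n istio-system
# The Secret must live in the namespace of the ingress gateway pods (istio-system here).
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: jumpserver-gateway
  namespace: istio-system
spec:
  selector:
    app: istio-ingressgateway
  servers:
    # Port 80 stays open only to send clients to HTTPS; no plaintext route is served.
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "jumpserver.myk8s.cn"
      tls:
        httpsRedirect: true
    # Console and session traffic is served here, with TLS terminated at the ingress gateway.
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - "jumpserver.myk8s.cn"
      tls:
        mode: SIMPLE
        credentialName: jumpserver-tls
```

Port 443 is already published by the istio-ingressgateway LoadBalancer Service (443:30425/TCP in the listing further down), so the hosts-file test at the end of the post then targets https://jumpserver.myk8s.cn.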
Testing
Check the EXTERNAL-IP of the Istio ingress gateway (Services in istio-system):
NAME                   TYPE           CLUSTER-IP      EXTERNAL-IP                   PORT(S)                                                                                      AGE
grafana                ClusterIP      10.96.234.93    <none>                        3000/TCP                                                                                     13d
istio-egressgateway    ClusterIP      10.96.24.219    <none>                        80/TCP,443/TCP                                                                               14d
istio-ingressgateway   LoadBalancer   10.96.174.147   192.168.0.111,192.168.0.222   15021:31848/TCP,80:31657/TCP,20001:31775/TCP,443:30425/TCP,31400:31780/TCP,15443:30671/TCP   14d
istiod                 ClusterIP      10.96.49.69     <none>                        15010/TCP,15012/TCP,443/TCP,15014/TCP                                                        14d
jaeger-collector       ClusterIP      10.96.63.79     <none>                        14268/TCP,14250/TCP,9411/TCP,4317/TCP,4318/TCP                                               13d
kiali                  ClusterIP      10.96.202.30    <none>                        20001/TCP,9090/TCP                                                                           13d
loki-headless          ClusterIP      None            <none>                        3100/TCP                                                                                     13d
prometheus             ClusterIP      10.96.109.177   <none>                        9090/TCP                                                                                     13d
tracing                ClusterIP      10.96.141.120   <none>                        80/TCP,16685/TCP                                                                             13d
zipkin                 ClusterIP      10.96.225.164   <none>                        9411/TCP                                                                                     13d
On each host that needs to reach JumpServer, edit the hosts file so that jumpserver.myk8s.cn resolves to the EXTERNAL-IP; here it is resolved to 192.168.0.111.
Access the service.
Reviewing editor: 黃飛
Original title: K8s部署Jumpserver并使用Istio對外暴露服務 (Deploying JumpServer on K8s and exposing the service with Istio)
Source: [WeChat ID: magedu-Linux, WeChat official account: 馬哥Linux運維]. Welcome to follow! Please credit the source when reposting this article.