Jenkins作为AKS上的容器- Docker中的Docker方法

ca1c2owp 于 11个月前发布在 Docker

关注(0)|答案(1)|浏览(199)

We are trying to run jenkins as container in AKS Cluster. For this use case we need to implement docker in docker approach and  have an execution container(present within jenkins slave pod)  to have docker installed in it. 
    And to allow the execution environment/agent/container to run docker commands we need privileged access. 
    
    When we are trying to run docker container in privileged mode. ConstraintTemplate k8sazurev2noprivilege is restricting it  and we are getting error.

Below is the reference of the policy.

    Constraint Template k8sazurev2noprivilege: https://github.com/Azure/azure-policy/blob/master/samples/KubernetesService/container-no-privilege/template.yaml
    
    
Error:
Message: admission webhook "validation.gatekeeper.sh" denied the request: [azurepolicy-k8sazurev2noprivilege-*******] Privileged container is not allowed: custom, securityContext: {"privileged": true}. Received status: Status(apiVersion=v1, code=403, details=null, kind=Status, message=admission webhook "validation.gatekeeper.sh" denied the request: [azurepolicy-k8sazurev2noprivilege-******] Privileged container is not allowed: custom, securityContext: {"privileged": true}, metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Forbidden, status=Failure, additionalProperties={})

字符串
是否有必要在特权模式下运行容器？是否有任何其他可行的方法不需要我们修改Azure策略约束？
。

docker

来源：https://stackoverflow.com/questions/77662819/jenkins-as-a-container-on-aks-docker-in-docker-approach

1条答案

按热度按时间

cyvaqqii1#

在AKS集群中部署Jenkins并集成Docker时，最初可能会考虑使用Docker-in-Docker（DinD），这通常需要在特权模式下运行容器。但是，Azure策略k8sazurev2noprivilege出于安全原因限制了此操作。您可以使用以下命令检查是否在特权模式下运行容器：

docker inspect --format='{{.HostConfig.Privileged}}' [container_id]

字符串
x1c 0d1x的数据
Jérôme Petazzoni的Risks of DIND描述了使用Docker-in-Docker（DinD）的陷阱
以下是符合此政策的替代方法：
你可以使用Docker-Outside-of-Docker（DooD）方法来代替DinD。这涉及到将Jenkins容器连接到主机上的Docker守护进程。你可以通过从主机挂载Docker套接字来实现这一点：

apiVersion: v1
kind: Pod
metadata:
  name: jenkins
spec:
  containers:
  - name: jenkins
    image: jenkins/jenkins:lts
    volumeMounts:
    - name: docker-sock
      mountPath: /var/run/docker.sock
  volumes:
  - name: docker-sock
    hostPath:
      path: /var/run/docker.sock

型

的

kubectl get pods

型

的
另一种方法是使用Jenkins Kubernetes插件
使用Jenkins Kubernetes插件为每个作业动态创建代理pod。这完全避免了对DinD的需求。
这些替代方案提供了在AKS中使用Docker和Jenkins的方法，而不需要特权容器，因此符合k8sazurev2noprivilege策略。每种方法都有其用例和优点，选择取决于您的特定要求和限制
最后第三种方法是通过使用这个叫做Kaniko的工具