Jenkins as a container on AKS - Docker-in-Docker approach

ca1c2owp  posted 11 months ago  in  Docker
We are trying to run Jenkins as a container in an AKS cluster. For this use case we need to implement the Docker-in-Docker approach and have an execution container (present within the Jenkins slave pod) with Docker installed in it.

To allow the execution environment/agent/container to run docker commands we need privileged access.

When we try to run the Docker container in privileged mode, the ConstraintTemplate k8sazurev2noprivilege restricts it and we get an error.

Below is the reference for the policy:

Constraint Template k8sazurev2noprivilege: https://github.com/Azure/azure-policy/blob/master/samples/KubernetesService/container-no-privilege/template.yaml

Error:
Message: admission webhook "validation.gatekeeper.sh" denied the request: [azurepolicy-k8sazurev2noprivilege-*******] Privileged container is not allowed: custom, securityContext: {"privileged": true}. Received status: Status(apiVersion=v1, code=403, details=null, kind=Status, message=admission webhook "validation.gatekeeper.sh" denied the request: [azurepolicy-k8sazurev2noprivilege-******] Privileged container is not allowed: custom, securityContext: {"privileged": true}, metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Forbidden, status=Failure, additionalProperties={})

Is it necessary to run the container in privileged mode? Is there any other feasible approach that does not require us to modify the Azure policy constraint?

cyvaqqii #1

When deploying Jenkins in an AKS cluster and integrating Docker, one may initially consider using Docker-in-Docker (DinD), which usually requires running the container in privileged mode. However, the Azure policy k8sazurev2noprivilege restricts this for security reasons. You can check whether a container is running in privileged mode with the following command:

docker inspect --format='{{.HostConfig.Privileged}}' [container_id]

Jérôme Petazzoni's "Risks of DIND" describes the pitfalls of using Docker-in-Docker (DinD).
Here are alternative approaches that comply with this policy:
You can use the Docker-Outside-of-Docker (DooD) approach instead of DinD. This involves connecting the Jenkins container to the Docker daemon on the host. You can do this by mounting the Docker socket from the host:

apiVersion: v1
kind: Pod
metadata:
  name: jenkins
spec:
  containers:
  - name: jenkins
    image: jenkins/jenkins:lts
    volumeMounts:
    - name: docker-sock
      mountPath: /var/run/docker.sock
  volumes:
  - name: docker-sock
    hostPath:
      path: /var/run/docker.sock


kubectl get pods



Another approach is to use the Jenkins Kubernetes plugin.
Use the Jenkins Kubernetes plugin to dynamically create agent pods for each job. This avoids the need for DinD entirely.
These alternatives provide ways to use Docker with Jenkins in AKS without requiring privileged containers, and therefore comply with the k8sazurev2noprivilege policy. Each approach has its own use cases and advantages, and the choice depends on your specific requirements and constraints.
Finally, the third approach is to use a tool called Kaniko.

Steps:

1. Install the Kubernetes plugin in Jenkins.
2. Configure the plugin to connect to your AKS cluster.
3. Define a pod template for your builds.

References:

Run docker-in-docker container alongside Jenkins
Jenkins Docker in Docker
Jenkins Docker outside of Docker
DIND Pod Template
Risks of running DIND
Jenkins from DIND to Kaniko
Running containers in privileged mode
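Added example (not part of the answer above, nor Azure's own code): a small pre-admission check that mirrors what the k8sazurev2noprivilege constraint rejects, run against two constructed agent pod specs: the privileged DinD agent from the question and a Kaniko build agent that needs no privilege. The policy logic is a simplified reimplementation for illustration, not the template's Rego, and the manifests and image tags are assumptions.

```python
from typing import Dict, List, Optional

# Constructed manifest: DinD agent as described in the question.
# The "docker" container asks for privileged=true and would be denied.
DIND_AGENT: Dict = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "jenkins-agent-dind"},
    "spec": {"containers": [
        {"name": "jnlp", "image": "jenkins/inbound-agent:latest"},
        {"name": "docker", "image": "docker:dind",
         "securityContext": {"privileged": True}},
    ]},
}

# Constructed manifest: Kaniko build agent for the Jenkins Kubernetes
# plugin. Kaniko builds the image from the workspace Dockerfile in
# userspace, so no privileged container and no Docker socket is needed.
KANIKO_AGENT: Dict = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "jenkins-agent-kaniko"},
    "spec": {"containers": [
        {"name": "jnlp", "image": "jenkins/inbound-agent:latest"},
        {"name": "kaniko", "image": "gcr.io/kaniko-project/executor:debug",
         "command": ["sleep"], "args": ["infinity"],
         "securityContext": {"privileged": False,
                             "allowPrivilegeEscalation": False}},
    ]},
}


def privileged_containers(pod: Dict) -> List[str]:
    """Names of containers that set securityContext.privileged=true.
    Looks at containers and initContainers (assumption: a simplified
    view of what the Azure constraint template checks)."""
    spec = pod.get("spec", {})
    found = []
    for field in ("containers", "initContainers"):
        for c in spec.get(field, []):
            if c.get("securityContext", {}).get("privileged") is True:
                found.append(c["name"])
    return found


def admission_message(pod: Dict) -> Optional[str]:
    """Emulate the Gatekeeper denial text; None means the pod is admitted."""
    bad = privileged_containers(pod)
    if not bad:
        return None
    return "Privileged container is not allowed: " + ", ".join(bad)
```

Running the check in a pipeline lint step before `kubectl apply` surfaces the same denial locally instead of at the admission webhook.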
