[英]Run kubectl inside dockerimage
I have application with a DockerFile.我有一个 DockerFile 的应用程序。 This DockerFile needs to run a shell script that have curl commands and kubectl commands.
此 DockerFile 需要运行具有 curl 命令和 kubectl 命令的 shell 脚本。
I have designed the dockerFile as我将 dockerFile 设计为
FROM ubuntu:16.04
WORKDIR /build
RUN apt-get update && apt-get install -y curl && apt-get install -y jq
COPY ./ ./
RUN chmod +x script.sh
ENTRYPOINT ["./script.sh"]
The script.sh
file is what contains curl commands and kubectl command. script.sh
文件包含 curl 命令和 kubectl 命令。
If you see I have installed curl command inside the docker container using command RUN apt-get update && apt-get install -y curl
如果你看到我已经在 docker 容器中安装了 curl 命令,使用命令
RUN apt-get update && apt-get install -y curl
What do I need to do in order to run kubectl commands?为了运行 kubectl 命令,我需要做什么? Becase when I build and the run the above image, it throws an error saying
kubectl: command not found
.因为当我构建并运行上面的图像时,它会抛出一个错误,说
kubectl: command not found
。
Can anyone help me with this?谁能帮我这个?
Instead of installing using apt-get, you can download the binary place whatever you want and use it.您可以下载任何您想要的二进制文件并使用它,而不是使用 apt-get 安装。
This will give you more control under it and less chances to have problems in the future.这将使您有更多的控制权,并且将来出现问题的机会更少。
Steps on how to download it from the official repository can be fount in the documentation .有关如何从官方存储库下载它的步骤可以在文档中找到。
Download the latest release with the command:使用以下命令下载最新版本:
curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl
To download a specific version, replace the $(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)
portion of the command with the specific version.要下载特定版本,请将命令的
$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)
部分替换为特定版本。
For example, to download version v1.18.0 on Linux, type:例如,要在 Linux 上下载版本 v1.18.0,请键入:
curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.18.0/bin/linux/amd64/kubectl
Make the kubectl binary executable.使 kubectl 二进制可执行文件。
chmod +x./kubectl
Move the binary in to your PATH.将二进制文件移动到您的 PATH 中。
sudo mv./kubectl /usr/local/bin/kubectl
Test to ensure the version you installed is up-to-date:测试以确保您安装的版本是最新的:
kubectl version --client
Considering this, you can have a Dockerfile similar to this:考虑到这一点,您可以拥有一个类似于此的 Dockerfile:
FROM debian:buster
RUN apt update && \
apt install -y curl && \
curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl && \
chmod +x ./kubectl && \
mv ./kubectl /usr/local/bin/kubectl
CMD kubectl get po
After this we can create a pod using the following manifest:在此之后,我们可以使用以下清单创建一个 pod:
apiVersion: v1
kind: Pod
metadata:
name: internal-kubectl
spec:
containers:
- name: internal-kubectl
image: myrep/internal-kubectl:latest
command: ['sh', '-c', "kubectl get pod; sleep 36000"]
Running this pod is going to give you an error and this will happen because you don't have the necessary RBAC rules created.运行这个 pod 会给你一个错误,这会发生,因为你没有创建必要的RBAC规则。
The way to tell Kubernetes that we want this pod to have an identity that can list the pods is through the combination of a few different resources…告诉 Kubernetes 我们希望这个 pod 有一个可以列出 pod 的身份的方法是通过几个不同资源的组合......
apiVersion: v1
kind: ServiceAccount
metadata:
name: internal-kubectl
The identity object that we want to assign to our pod will be a service account.我们要分配给我们的 pod 的身份 object 将是一个服务帐户。 But by itself it has no permissions.
但它本身没有权限。 That's where roles come in.
这就是角色发挥作用的地方。
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: modify-pods
rules:
- apiGroups: [""]
resources:
- pods
verbs:
- get
- list
- delete
The role above specifies that we want to be able to get, list, and delete pods.上面的角色指定我们希望能够获取、列出和删除 pod。 But we need a way to correlate our new service account with our new role.
但是我们需要一种方法来将我们的新服务帐户与我们的新角色相关联。 Role bindings are the bridges for that…
角色绑定是实现这一目标的桥梁……
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: modify-pods-to-sa
subjects:
- kind: ServiceAccount
name: internal-kubectl
roleRef:
kind: Role
name: modify-pods
apiGroup: rbac.authorization.k8s.io
This role binding connects our service account to the role that has the permissions we need.此角色绑定将我们的服务帐户连接到具有我们所需权限的角色。 Now we just have to modify our pod config to include the service account…
现在我们只需要修改我们的 pod 配置以包含服务帐户......
apiVersion: v1
kind: Pod
metadata:
name: internal-kubectl
spec:
serviceAccountName: internal-kubectl
containers:
- name: internal-kubectl
image: myrep/internal-kubectl:latest
command: ['sh', '-c', "kubectl get pod; sleep 36000"]
By specifying spec.serviceAccountName this changes us from using the default service account to our new one that has the correct permissions.通过指定 spec.serviceAccountName 这将我们从使用默认服务帐户更改为具有正确权限的新帐户。 Running our new pod we should see the correct output…
运行我们的新 pod,我们应该会看到正确的输出……
$ kubectl logs internal-kubectl
NAME READY STATUS RESTARTS AGE
internal-kubectl 1/1 Running 1 5s
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.