Kubernetes容器化 - JumpServer

和sshd的功能类似,这里只是将ssh代理访问和ssh登录进行了分离,JumpServer的作用则是在本地可以实现对远程服务的访问,同时可以方便的进行授权管理、操作回放、审计等。JumpServer需要Mysql和Redis支持,关于Mysql和Redis的容器化安装可查看前面的文章。官网目前给的环境要求:

StatefulSet文件如下,有使用到外部存储用来存储操作回放文件,pv的存储前面配置的较多,可直接使用阿里云的Nas或者磁盘。

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: jumpserver
  labels:
    app: jumpserver
spec:
  serviceName: jumpserver
  replicas: 1
  selector:
    matchLabels:
      app: jumpserver
  template:
    metadata:
      labels:
        app: jumpserver
    spec:
      containers:
      - name: jumpserver
        image: jumpserver/jms_all:v2.11.4
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
          name: jumpserver
        - containerPort: 2222
          name: ssh
        env:
        - name: SECRET_KEY
          # cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50
          value: iJ2YaSaNLCALNOVSqsw7sgwk3cX5gK6nCcey57UZiujF20I32n
        - name: BOOTSTRAP_TOKEN
          # cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16
          value: S7sLMAH9J0mTaqSZ
        - name: DB_HOST
          value: mysql-js.default.svc.cluster.local
        - name: DB_PORT
          value: "3306"
        - name: DB_USER
          value: jumpserver
        - name: DB_PASSWORD
          value: "password"
        - name: DB_NAME
          value: jumpserver
        - name: REDIS_HOST
          value: redis-js.default.svc.cluster.local
        - name: REDIS_PORT
          value: "6379"
        - name: REDIS_PASSWORD
          value: ""
        volumeMounts:
        - name: jumpserver-pv
          mountPath: /opt/jumpserver/data
        - name: koko-pv
          mountPath: /opt/koko/data
        - name: lion-pv
          mountPath: /opt/lion/data
      volumes:
      - name: jumpserver-pv
        persistentVolumeClaim:
          claimName: jumpserver-pvc
      - name: koko-pv
        persistentVolumeClaim:
          claimName: koko-pvc
      - name: lion-pv
        persistentVolumeClaim:
          claimName: lion-pvc

暴露可以通过Service+Ingress的方式,只需要将站点配置好即可在网页上连接机器。

apiVersion: v1
kind: Service
metadata:
  name: jumpserver
spec:
  selector:
    app: jumpserver
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP

整个过程不需要开放22端口,可理解成配置好站点即可。最后的效果图如下:

-- EOF --
最后更新于: 2021-09-15 08:27
发表于: 2021-07-10 23:14
标签: JumpServer Kubernetes 容器化