---
title: 'Deploying and Managing Project-Based Example Components with a Private GitLab on OpenShift, Using a Public Cloud (GCP) as the Example'
disqus: hackmd
---

Deploying and Managing Project-Based Example Components with a Private GitLab on OpenShift, Using a Public Cloud (GCP) as the Example
===

## Index

[TOC]

## Notes

* This example is built around a private GitLab instance, so there is no need to create a project first and then add cluster management to it; the cluster can be configured directly.
* The services deployed in this example are not aimed at multiple projects or at any particular project and are for testing only, so a dedicated project is deliberately assigned to them for the deployment tests.

## Workflow

```plantuml
start
:Deploy OpenShift to GCP;
:Install the nginx Operator on OpenShift;
:Deploy the Nginx Ingress Controller;
note
This step is mainly there so that it
stays compatible with plain Kubernetes
end note
:Configure GCP and DNS records (for Nginx);
:Deploy the base services for GitLab project management;
:Finish deploying the test components;
```

## Retrieving the Result of the Earlier Deployment

```
m0724001@m0724001-virtual-machine:~/openshift_install$ ./openshift-install create cluster
INFO Credentials loaded from gcloud CLI defaults
INFO Consuming Install Config from target directory
INFO Creating infrastructure resources...
INFO Waiting up to 20m0s for the Kubernetes API at https://api.openshift-cluster.gcp.fuzetea.xyz:6443...
INFO API v1.21.1+a620f50 up
INFO Waiting up to 30m0s for bootstrapping to complete...
INFO Destroying the bootstrap resources...
INFO Waiting up to 40m0s for the cluster at https://api.openshift-cluster.gcp.fuzetea.xyz:6443 to initialize...
INFO Waiting up to 10m0s for the openshift-console route to be created...
INFO Install complete!
INFO To access the cluster as the system:admin user when using 'oc', run 'export KUBECONFIG=/home/m0724001/openshift_install/auth/kubeconfig'
INFO Access the OpenShift web-console here: https://console-openshift-console.apps.openshift-cluster.gcp.fuzetea.xyz
INFO Login to the console with user: "kubeadmin", and password: "bx5G8-bSJY8-R2jPS-Fqxk4"
INFO Time elapsed: 29m26s
```

![](https://i.imgur.com/kFKkuQ5.png)

Management console

## Installing the nginx Operator on OpenShift

![](https://i.imgur.com/tq1ZnnR.png)
![](https://i.imgur.com/hrELqBg.png)
![](https://i.imgur.com/VUAzKUH.png)
![](https://i.imgur.com/ozFmEv1.png)
![](https://i.imgur.com/uG2CPA1.png)
![](https://i.imgur.com/F2YGzJG.png)

## Deploying the Nginx Ingress Controller

![](https://i.imgur.com/wZfWnqn.png)
![](https://i.imgur.com/fFbuWjv.png)
![](https://i.imgur.com/y5up9JB.png)
![](https://i.imgur.com/FlZcMuA.png)
![](https://i.imgur.com/5rsDCne.png)
![](https://i.imgur.com/RYZC2vl.png)
![](https://i.imgur.com/9nnSyw2.png)
![](https://i.imgur.com/OGTfoch.png)

## Configuring GCP and DNS Records (for Nginx)

```
m0724001@m0724001-virtual-machine:~/openshift_install$ export KUBECONFIG=/home/m0724001/openshift_install/auth/kubeconfig
m0724001@m0724001-virtual-machine:~/openshift_install$ ./kubectl get service -A | grep nginx
openshift-operators    nginx                                                       LoadBalancer   172.30.162.116   35.236.183.45   80:30826/TCP,443:30584/TCP   7m29s
openshift-operators    nginx-ingress-operator-controller-manager-metrics-service   ClusterIP      172.30.67.209    <none>          8443/TCP                     11m
```

The external IP is `35.236.183.45`; verify it in GCP.

![](https://i.imgur.com/y8GL8ss.png)

The GCP check passes. Set the address as a static IP in GCP.

![](https://i.imgur.com/BpR8ITe.png)
![](https://i.imgur.com/tHesYNC.png)
![](https://i.imgur.com/UcYAuM9.png)

DNS record settings (for nginx)

![](https://i.imgur.com/GVyT9QW.png)

With this in place, any number of `*.systex.mlc.app` hostnames can be created freely for the deployments that follow.

## Adding the Private Cluster to Be Managed (Managing Core System Deployments Through GitLab)

![](https://i.imgur.com/5Yht2ma.png)

```
m0724001@m0724001-virtual-machine:~/openshift_install$ ./kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://api.openshift-cluster.gcp.fuzetea.xyz:6443
  name: openshift-cluster
contexts:
- context:
    cluster: openshift-cluster
    user: admin
  name: admin
current-context: admin
kind: Config
preferences: {}
users:
- name: admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
```

The API URL is taken from the output above: https://api.openshift-cluster.gcp.fuzetea.xyz:6443

* `./kubectl --kubeconfig=auth/kubeconfig get secret`

```
m0724001@m0724001-virtual-machine:~/openshift_install$ ./kubectl --kubeconfig=auth/kubeconfig get secret
NAME                       TYPE                                  DATA   AGE
builder-dockercfg-hd482    kubernetes.io/dockercfg               1      5h4m
builder-token-dp6tc        kubernetes.io/service-account-token   4      5h4m
builder-token-kvxg4        kubernetes.io/service-account-token   4      5h4m
default-dockercfg-6mjlh    kubernetes.io/dockercfg               1      5h4m
default-token-79s8n        kubernetes.io/service-account-token   4      5h4m
default-token-tlnsc        kubernetes.io/service-account-token   4      5h10m
deployer-dockercfg-w2krc   kubernetes.io/dockercfg               1      5h4m
deployer-token-q4hq4       kubernetes.io/service-account-token   4      5h4m
deployer-token-szm5s       kubernetes.io/service-account-token   4      5h4m
m0724001@m0724001-virtual-machine:~/openshift_install$ ./kubectl --kubeconfig=auth/kubeconfig get secret default-token-79s8n -o jsonpath="{['data']['ca\.crt']}" | base64 --decode
(PEM certificate bundle omitted)
```

The CA certificate is taken from the output above.

3. Obtain a token with cluster administration rights

3.1 Create the service account

File name: `gitlab-admin-service-account.yaml`

This defines the service account and grants it the cluster administrator role (cluster-admin).

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitlab-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: gitlab
    namespace: kube-system
```

3.2 Apply the configuration

```
m0724001@m0724001-virtual-machine:~/openshift_install$ ./kubectl --kubeconfig=auth/kubeconfig apply -f ./gitlab-admin-service-account.yaml
serviceaccount/gitlab created
clusterrolebinding.rbac.authorization.k8s.io/gitlab-admin created
```

3.3 Retrieve the token

```
m0724001@m0724001-virtual-machine:~/openshift_install$ ./kubectl --kubeconfig=auth/kubeconfig -n kube-system describe secret $(./kubectl --kubeconfig=auth/kubeconfig -n kube-system get secret | grep gitlab | awk '{print $1}')
Name:         gitlab-dockercfg-flnmr
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: gitlab
              kubernetes.io/service-account.uid: 5f14b22f-e9d0-4c95-94f9-aa86afbd52a4
              openshift.io/token-secret.name: gitlab-token-hz28v
              openshift.io/token-secret.value: <token omitted>

Type:  kubernetes.io/dockercfg

Data
====
.dockercfg:  9205 bytes


Name:         gitlab-token-dl7t2
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: gitlab
              kubernetes.io/service-account.uid: 5f14b22f-e9d0-4c95-94f9-aa86afbd52a4

Type:  kubernetes.io/service-account-token

Data
====
service-ca.crt:  8483 bytes
token:           <token omitted>
ca.crt:          7270 bytes
namespace:       11 bytes


Name:         gitlab-token-hz28v
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/created-by: openshift.io/create-dockercfg-secrets
              kubernetes.io/service-account.name: gitlab
              kubernetes.io/service-account.uid: 5f14b22f-e9d0-4c95-94f9-aa86afbd52a4

Type:  kubernetes.io/service-account-token

Data
====
namespace:       11 bytes
service-ca.crt:  8483 bytes
token:           <token omitted>
ca.crt:          7270 bytes
```

![](https://i.imgur.com/BSXH5JS.png)
![](https://i.imgur.com/dI2CEQQ.png)
![](https://i.imgur.com/HzjX0nu.png)

## Adding Test Deployment Projects (This Cluster Is Only for Short-Lived Testing, Not Production Use)

![](https://i.imgur.com/EhE5EwU.png)
![](https://i.imgur.com/1BvvkCY.png)

```
./oc adm policy add-scc-to-user privileged -z default -n harbor-gpu
m0724001@m0724001-virtual-machine:~/openshift_install$ ./oc adm policy add-scc-to-user privileged -z default -n sonarqube-gpu
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:privileged added: "default"
m0724001@m0724001-virtual-machine:~/openshift_install$ ./oc adm policy add-scc-to-user privileged -z sonarqube-gpu-sonarqube -n sonarqube-gpu
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:privileged added: "sonarqube-gpu-sonarqube"
```

:warning: The settings above have since been moved into the projects, where they are now used and managed.

### Deployment Results

* Sonarqube (code quality management)
https://sonarqube.systex.mlc.app
![](https://i.imgur.com/fBnCd8J.png)
![](https://i.imgur.com/uQAe1vj.png)

* Wordpress (CMS website)
https://test1.systex.mlc.app
![](https://i.imgur.com/cOEygOt.png)
![](https://i.imgur.com/f4zbE3c.png)

* Redmine (issue tracking)
redmine.systex.mlc.app
![](https://i.imgur.com/LERRTUw.png)
![](https://i.imgur.com/Apq6zwn.png)

* Redis and Mariadb, plain deployment

```
m0724001@m0724001-virtual-machine:~/openshift_install$ ./kubectl get pod -n extra-csie-proj
NAME                         READY   STATUS    RESTARTS   AGE
mariadb-csie-proj-0          1/1     Running   0          85m
redis-csie-proj-master-0     1/1     Running   0          85m
redis-csie-proj-replicas-0   1/1     Running   0          85m
redis-csie-proj-replicas-1   1/1     Running   0          84m
redis-csie-proj-replicas-2   1/1     Running   0          84m
```

## Reference and FAQ

* [openshift-unable-to-validate-against-any-security-context-constraint](https://stackoverflow.com/questions/61239490/openshift-unable-to-validate-against-any-security-context-constraint)

###### tags: `Public Cloud (GCP)` `Documentation`
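
Step 3.1 binds the `gitlab` service account to `cluster-admin`, and the `add-scc-to-user privileged` commands let service accounts in the test projects run privileged pods. The Python script below is an added example, not part of the original page: it lists every service account holding either grant, given JSON in the shape that `kubectl get clusterrolebindings,rolebindings -A -o json` prints. The sample data is constructed, and the binding name `scc-privileged` is hypothetical.

```python
import json
import sys

# Role names taken from the page; the descriptions are an editorial summary.
RISKY_ROLES = {
    "cluster-admin": "full control of every resource in the cluster",
    "system:openshift:scc:privileged": "pods may run as privileged containers",
}

def risky_grants(binding_list):
    """Return sorted (namespace/serviceaccount, role, scope) tuples."""
    findings = []
    for item in binding_list.get("items", []):
        role = item.get("roleRef", {}).get("name")
        if role not in RISKY_ROLES:
            continue
        meta = item.get("metadata", {})
        # A ClusterRoleBinding applies everywhere, a RoleBinding in one namespace.
        if item.get("kind") == "ClusterRoleBinding":
            scope = "cluster-wide"
        else:
            scope = "namespace " + meta.get("namespace", "?")
        for subj in item.get("subjects") or []:  # "subjects" may be null
            if subj.get("kind") != "ServiceAccount":
                continue
            # Fall back to the binding's namespace when the subject omits one.
            ns = subj.get("namespace") or meta.get("namespace", "?")
            findings.append((f"{ns}/{subj['name']}", role, scope))
    return sorted(findings)

# Constructed sample mirroring the grants made on this page.
SAMPLE = {"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "gitlab-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "gitlab",
                   "namespace": "kube-system"}]},
    {"kind": "RoleBinding",
     "metadata": {"name": "scc-privileged", "namespace": "sonarqube-gpu"},
     "roleRef": {"kind": "ClusterRole", "name": "system:openshift:scc:privileged"},
     "subjects": [{"kind": "ServiceAccount", "name": "default"},
                  {"kind": "ServiceAccount", "name": "sonarqube-gpu-sonarqube",
                   "namespace": "sonarqube-gpu"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "viewer"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "no-subjects"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}, "subjects": None},
]}

if __name__ == "__main__":
    # Pass "-" to read real kubectl JSON from stdin; otherwise use the sample.
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for account, role, scope in risky_grants(data):
        print(f"{account}: {role} ({scope}) -> {RISKY_ROLES[role]}")
```
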