主页
产品
Red Hat Quay
3.6
使用 Red Hat Quay
6.4.2. 准备 OpenShift 进行 Red Hat Quay 构建

6.4.2. 准备 OpenShift 进行 Red Hat Quay 构建

在 OpenShift 集群中需要几个操作，然后才能接受来自 Red Hat Quay 的构建。

创建一个将运行构建的项目（如 'builder'）
```
oc new-project builder
```
```
$ oc new-project builder
```
Copy to Clipboard Toggle word wrap

在此项目中创建一个 ServiceAccount ，它将用于运行构建。确保有足够的权限来创建 作业和 Pod。复制 ServiceAccount的令牌，以便稍后使用。

oc create sa -n builder quay-builder
oc policy add-role-to-user -n builder edit system:serviceaccount:builder:quay-builder
oc sa get-token -n builder quay-builder

$ oc create sa -n builder quay-builder
$ oc policy add-role-to-user -n builder edit system:serviceaccount:builder:quay-builder
$ oc sa get-token -n builder quay-builder

Copy to Clipboard

Toggle word wrap

识别 OpenShift 集群 API 服务器的 URL。这可以从 OpenShift 控制台找到。
识别调度构建作业时使用的 worker 节点标签。因为构建 pod 需要在裸机 worker 节点上运行，因此通常这些 pod 使用特定的标签标识。检查您的集群管理员，以确定应使用哪个节点标签。
如果集群使用自签名证书，获取 kube apiserver 的 CA 以添加到 Red Hat Quay 的额外证书。
1. 获取包含 CA 的 secret 的名称：
  $ oc get sa openshift-apiserver-sa --namespace=openshift-apiserver -o json | jq '.secrets[] | select(.name | contains("openshift-apiserver-sa-token"))'.name
  Copy to Clipboard Toggle word wrap
2. 从 Openshift 控制台中的 secret 获取 ca.crt 的键值。该值应该以"-----BEGIN CERTIFICATE-----"开始。
3. 使用 ConfigTool，在 Red Hat Quay 中导入 CA。确保此文件的名称与 K8S_API_TLS_CA 匹配。
为 ServiceAccount 创建所需的安全上下文/角色绑定：

apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: quay-builder
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities: null
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
seccompProfiles:
- '*'
supplementalGroups:
  type: RunAsAny
volumes:
- '*'
allowHostDirVolumePlugin: true
allowHostIPC: true
allowHostNetwork: true
allowHostPID: true
allowHostPorts: true
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities:
- '*'
allowedUnsafeSysctls:
- '*'
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: quay-builder-scc
  namespace: builder
rules:
- apiGroups:
  - security.openshift.io
  resourceNames:
  - quay-builder
  resources:
  - securitycontextconstraints
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: quay-builder-scc
  namespace: builder
subjects:
- kind: ServiceAccount
  name: quay-builder
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: quay-builder-scc

apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: quay-builder
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities: null
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
seccompProfiles:
- '*'
supplementalGroups:
  type: RunAsAny
volumes:
- '*'
allowHostDirVolumePlugin: true
allowHostIPC: true
allowHostNetwork: true
allowHostPID: true
allowHostPorts: true
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities:
- '*'
allowedUnsafeSysctls:
- '*'
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: quay-builder-scc
  namespace: builder
rules:
- apiGroups:
  - security.openshift.io
  resourceNames:
  - quay-builder
  resources:
  - securitycontextconstraints
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: quay-builder-scc
  namespace: builder
subjects:
- kind: ServiceAccount
  name: quay-builder
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: quay-builder-scc

Copy to Clipboard

Toggle word wrap

返回顶部

6.4.2. 准备 OpenShift 进行 Red Hat Quay 构建

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links