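🔥 A must-read for K8s users! Deploy a Harbor private registry in 3 minutes and never lose track of your images again 🔥
Still struggling with image storage in your K8s cluster? 🤔 Is manual uploading too tedious? Are public registries too slow? This practical guide is here to help!
Lately many readers have messaged me asking: "What is a reliable way to expose the service when deploying Harbor on K8s? What do I do when the Ingress configuration keeps tripping me up?" Don't panic! I have personally tested N different approaches and finally put together this step-by-step tutorial on exposing Harbor through Ingress: from environment checks to pushing and pulling images, every step comes with hands-on commands, and even details like certificate configuration are covered!
Take a look at this cluster environment (K8s nodes, 1 master and 3 workers, on Rocky Linux). Does it look like your setup? 👇 Follow the steps and you are guaranteed to succeed on the first try. Leave a "deployment succeeded" comment below~ 😎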
Environment information
- K8s cluster information
[root@k8s-master-01 ~]# kubectl get node -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
k8s-master-01 Ready control-plane 16d v1.33.1 10.228.22.20 <none> Rocky Linux 9.6 (Blue Onyx) 5.14.0-570.21.1.el9_6.x86_64 containerd://2.1.1
k8s-worker-01 Ready <none> 16d v1.33.1 10.228.22.21 <none> Rocky Linux 9.6 (Blue Onyx) 5.14.0-570.21.1.el9_6.x86_64 containerd://2.1.1
k8s-worker-02 Ready <none> 16d v1.33.1 10.228.22.22 <none> Rocky Linux 9.6 (Blue Onyx) 5.14.0-570.21.1.el9_6.x86_64 containerd://2.1.1
k8s-worker-03 Ready <none> 16d v1.33.1 10.228.22.23 <none> Rocky Linux 9.6 (Blue Onyx) 5.14.0-570.21.1.el9_6.x86_64 containerd://2.1.1
- Operating system information
[root@k8s-master-01 ~]# uname -a
Linux k8s-master-01 5.14.0-570.21.1.el9_6.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Jun 10 18:07:35 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
- Helm version
[root@k8s-master-01 ~]# helm version
version.BuildInfo{Version:"v3.18.3", GitCommit:"6838ebcf265a3842d1433956e8a622e3290cf324", GitTreeState:"clean", GoVersion:"go1.24.4"}
- Check PV-related information
[root@k8s-master-01 ~]# kubectl get sc
NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
csi-rbd-sc rbd.csi.ceph.com Delete Immediate true 10d
- Check ingress-nginx information
[root@k8s-master-01 ~]# helm ls -n ingress-nginx
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
ingress-nginx ingress-nginx 1 2025-07-03 15:13:50.123926111 +0800 CST deployed ingress-nginx-4.12.3 1.12.3
[root@k8s-master-01 ~]# kubectl get pod -n ingress-nginx
NAME READY STATUS RESTARTS AGE
ingress-nginx-controller-hgv9x 1/1 Running 0 24h
ingress-nginx-controller-mqxl7 1/1 Running 0 24h
ingress-nginx-controller-vwpk8 1/1 Running 0 24h
Deployment exposed via Ingress – deploying Harbor
Add the Harbor Helm repository:
helm repo add harbor https://helm.goharbor.io
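The official chart offers four ways to expose the Harbor service:
- Ingress: expose the service through Ingress; an ingress-nginx controller is already deployed in the K8s cluster.
- ClusterIP: expose the service through a ClusterIP; it is reachable only from inside the cluster.
- NodePort: expose the service through a NodePort; access it at NodeIP:NodePort.
- LoadBalancer: access the service through a load balancer provided by the cloud vendor.
Deploy the Harbor registry and expose it through Ingress. Because ingress-nginx itself is exposed via NodePort, its NodePort number, 31407, must be included in externalURL: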
[root@k8s-master-01 ~]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.105.195.129 <none> 80:32049/TCP,443:31407/TCP 24h
ingress-nginx-controller-admission ClusterIP 10.100.124.121 <none> 443/TCP 24h
Deploy Harbor with Helm using the command below. Adjust the parameters to match your environment.
helm upgrade --install harbor harbor/harbor --namespace harbor --create-namespace \
  --set expose.type=ingress \
  --set expose.ingress.className=nginx \
  --set expose.ingress.hosts.core=harbor.nici.cn \
  --set expose.ingress.hosts.notary=notary.nici.cn \
  --set externalURL=https://harbor.nici.cn:31407 \
  --set harborAdminPassword="Harbor12345" \
  --set persistence.persistentVolumeClaim.registry.storageClass="csi-rbd-sc" \
  --set persistence.persistentVolumeClaim.jobservice.jobLog.storageClass="csi-rbd-sc" \
  --set persistence.persistentVolumeClaim.database.storageClass="csi-rbd-sc" \
  --set persistence.persistentVolumeClaim.redis.storageClass="csi-rbd-sc" \
  --set persistence.persistentVolumeClaim.trivy.storageClass="csi-rbd-sc"
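The requirement that externalURL carry the ingress controller's HTTPS NodePort can be checked before running Helm. This is an added example, not part of the original article: the function names are hypothetical, `SAMPLE_SVC` is constructed from the `kubectl get svc` output shown above, and the check also flags `Harbor12345` because it is Harbor's default admin password.

```shell
#!/bin/sh
# SAMPLE_SVC is constructed from the `kubectl get svc` output on this page.
SAMPLE_SVC='NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.105.195.129 <none> 80:32049/TCP,443:31407/TCP 24h
ingress-nginx-controller-admission ClusterIP 10.100.124.121 <none> 443/TCP 24h'

# Read `kubectl get svc -n ingress-nginx` output on stdin and print the
# NodePort that fronts port 443 of the NodePort-type service.
https_nodeport() {
  awk '$2 == "NodePort" {
    n = split($5, ports, ",")
    for (i = 1; i <= n; i++)
      if (ports[i] ~ /^443:[0-9]+\/TCP$/) {
        np = ports[i]
        sub(/^443:/, "", np); sub(/\/TCP$/, "", np)
        print np; exit
      }
  }'
}

# Print the explicit port of an https:// URL, or 443 when none is given.
url_port() {
  hostport=${1#https://}
  hostport=${hostport%%/*}
  case $hostport in
    *:*) printf '%s\n' "${hostport##*:}" ;;
    *)   printf '443\n' ;;
  esac
}

# preflight SVC_OUTPUT EXTERNAL_URL ADMIN_PASSWORD
# Prints one line per finding; the return status is the number of findings.
preflight() {
  findings=0
  want=$(printf '%s\n' "$1" | https_nodeport)
  have=$(url_port "$2")
  if [ -z "$want" ]; then
    echo "no NodePort mapping for port 443 found"; findings=$((findings + 1))
  elif [ "$want" != "$have" ]; then
    echo "externalURL port $have != ingress HTTPS NodePort $want"
    findings=$((findings + 1))
  fi
  # Harbor12345 is Harbor's default admin password.
  if [ -z "$3" ] || [ "$3" = "Harbor12345" ]; then
    echo "harborAdminPassword is empty or the default"; findings=$((findings + 1))
  fi
  return "$findings"
}

preflight "$SAMPLE_SVC" "https://harbor.nici.cn:31407" "Harbor12345" || true
```

On a live cluster, pass `"$(kubectl get svc -n ingress-nginx)"` as the first argument instead of `SAMPLE_SVC`.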
Resource check
[root@k8s-master-01 ~]# kubectl get pod -n harbor -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
harbor-core-77f9f8cdc-nxzpn 1/1 Running 0 23h 172.16.36.226 k8s-worker-01 <none> <none>
harbor-database-0 1/1 Running 0 25h 172.16.7.155 k8s-worker-03 <none> <none>
harbor-jobservice-7f74cf8d48-gbdsc 1/1 Running 0 36s 172.16.118.116 k8s-worker-02 <none> <none>
harbor-portal-5b6b5f7494-4rgsn 1/1 Running 0 25h 172.16.118.113 k8s-worker-02 <none> <none>
harbor-redis-0 1/1 Running 0 25h 172.16.7.156 k8s-worker-03 <none> <none>
harbor-registry-78c5c489ff-v64b9 2/2 Running 0 23h 172.16.118.115 k8s-worker-02 <none> <none>
harbor-trivy-0 1/1 Running 0 25h 172.16.36.224 k8s-worker-01 <none> <none>
[root@k8s-master-01 ~]# kubectl get pvc -n harbor
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS VOLUMEATTRIBUTESCLASS AGE
data-harbor-redis-0 Bound pvc-df572579-013c-4e29-8ed2-d5cad140f49a 1Gi RWO csi-rbd-sc <unset> 25h
data-harbor-trivy-0 Bound pvc-c69def7b-8fb6-439c-8ed0-c428ddb28723 5Gi RWO csi-rbd-sc <unset> 25h
database-data-harbor-database-0 Bound pvc-18f0b12e-885e-4e25-86a4-be488fe8b998 1Gi RWO csi-rbd-sc <unset> 25h
harbor-jobservice Bound pvc-4ad9015f-8627-4b59-ad3b-5a4406b36d0f 1Gi RWO csi-rbd-sc <unset> 25h
harbor-registry Bound pvc-10692c77-552d-49b2-88a9-2c05776f72dd 5Gi RWO csi-rbd-sc <unset> 25h
[root@k8s-master-01 ~]# kubectl get ingress -n harbor
NAME CLASS HOSTS ADDRESS PORTS AGE
harbor-ingress nginx harbor.nici.cn 10.105.195.129 80, 443 25h
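Client access test: once name resolution for the domain is configured on the client, Harbor is reachable. Username: admin
Password: Harbor12345
Pushing an image from the client
Export the CA certificate
kubectl -n harbor get secrets harbor-ingress -o jsonpath='{.data.ca\.crt}' | base64 -d >ca.crt
Copy the CA certificate to the server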
[root@k8s-master-01 ~]# mkdir -p /etc/containerd/certs.d/harbor.nici.cn
[root@k8s-master-01 ~]# cp ca.crt /etc/containerd/certs.d/harbor.nici.cn/
[root@k8s-master-01 ~]# systemctl restart containerd.service
Pull an image with nerdctl
[root@k8s-master-01 ~]# nerdctl pull nginx
docker.io/library/nginx:latest: resolved |++++++++++++++++++++++++++++++++++++++|
index-sha256:93230cd54060f497430c7a120e2347894846a81b6a5dd2110f7362c5423b4abc: done |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:13920fe73b382aa9017f7cf38b1377bc46ffb605fe980eb00f61aad26311ebf7: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:9592f5595f2b12c2ede5d2ce9ec936b33fc328225a00b3901b96019e3dd83528: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:ee95256df0301df55618ec5c24f6bf41b6d005d3026e0e67e95fef0b0fbc2691: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:3da95a905ed546f99c4564407923a681757d89651a388ec3f1f5e9bf5ed0b39d: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:6c8e51cf00871b029c189d3e2145e2307bbba361bb62e20b696c18b2e8cd2f52: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:9bbbd7ee45b78c411208ea69e41a52a06a7e3872dfd0235e79bbb637e4789c1d: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:48670a58a68fc689138b916491d7c5aa6ea6fb2e4227a7edef275ec7003c9569: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:ce7132063a5679c245d63b972b414a24de1686b42f8231c8df6f703c50a5ac38: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:23e05839d684c6d82bd5fd45968bb8997da3a639f1fe8ca502a4edbcffa8655d: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 21.9s
Log in to the Harbor registry
[root@k8s-master-01 ~]# nerdctl login -u admin -p Harbor12345 harbor.nici.cn
WARN[0000] WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your credentials are stored unencrypted in '/root/.docker/config.json'.
Configure a credential helper to remove this warning. See
https://docs.docker.com/go/credential-store/
Login Succeeded
Tag the image
[root@k8s-master-01 ~]# nerdctl tag nginx:latest harbor.nici.cn/library/nginx:latest
Push the image
[root@k8s-master-01 ~]# nerdctl push harbor.nici.cn/library/nginx:latest
INFO[0000] pushing as a reduced-platform image (application/vnd.oci.image.index.v1+json, sha256:273027a41b6c23ff42b184991e20311b85e8f9ff51bae4dd2106f70a2538623f)
index-sha256:273027a41b6c23ff42b184991e20311b85e8f9ff51bae4dd2106f70a2538623f: done |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:13920fe73b382aa9017f7cf38b1377bc46ffb605fe980eb00f61aad26311ebf7: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:ee95256df0301df55618ec5c24f6bf41b6d005d3026e0e67e95fef0b0fbc2691: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:9592f5595f2b12c2ede5d2ce9ec936b33fc328225a00b3901b96019e3dd83528: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:3da95a905ed546f99c4564407923a681757d89651a388ec3f1f5e9bf5ed0b39d: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:9bbbd7ee45b78c411208ea69e41a52a06a7e3872dfd0235e79bbb637e4789c1d: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:48670a58a68fc689138b916491d7c5aa6ea6fb2e4227a7edef275ec7003c9569: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:6c8e51cf00871b029c189d3e2145e2307bbba361bb62e20b696c18b2e8cd2f52: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:ce7132063a5679c245d63b972b414a24de1686b42f8231c8df6f703c50a5ac38: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:23e05839d684c6d82bd5fd45968bb8997da3a639f1fe8ca502a4edbcffa8655d: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 7.1 s
Pull the image from the client
[root@k8s-master-01 ~]# nerdctl pull harbor.nici.cn/library/nginx:latest
harbor.nici.cn/library/nginx:latest: resolved |++++++++++++++++++++++++++++++++++++++|
index-sha256:273027a41b6c23ff42b184991e20311b85e8f9ff51bae4dd2106f70a2538623f: done |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:13920fe73b382aa9017f7cf38b1377bc46ffb605fe980eb00f61aad26311ebf7: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:9592f5595f2b12c2ede5d2ce9ec936b33fc328225a00b3901b96019e3dd83528: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:9bbbd7ee45b78c411208ea69e41a52a06a7e3872dfd0235e79bbb637e4789c1d: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:3da95a905ed546f99c4564407923a681757d89651a388ec3f1f5e9bf5ed0b39d: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:6c8e51cf00871b029c189d3e2145e2307bbba361bb62e20b696c18b2e8cd2f52: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:ce7132063a5679c245d63b972b414a24de1686b42f8231c8df6f703c50a5ac38: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:48670a58a68fc689138b916491d7c5aa6ea6fb2e4227a7edef275ec7003c9569: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:23e05839d684c6d82bd5fd45968bb8997da3a639f1fe8ca502a4edbcffa8655d: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:ee95256df0301df55618ec5c24f6bf41b6d005d3026e0e67e95fef0b0fbc2691: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 4.8 s total: 41.9 M (8.7 MiB/s)
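The outputs above show that the push to Harbor produced a new index digest (a reduced-platform image) while the platform manifest digest is the same as in the Docker Hub pull. The following added example, which is not part of the original article (function names are hypothetical; the sample lines are constructed from the nerdctl output above with progress bars and layer lines dropped), compares those digests and builds a digest-pinned reference so later pulls do not depend on the mutable `latest` tag.

```shell
#!/bin/sh
# Constructed from the nerdctl output on this page (index and manifest lines).
HUB_PULL='index-sha256:93230cd54060f497430c7a120e2347894846a81b6a5dd2110f7362c5423b4abc: done
manifest-sha256:13920fe73b382aa9017f7cf38b1377bc46ffb605fe980eb00f61aad26311ebf7: done'
HARBOR_PUSH='index-sha256:273027a41b6c23ff42b184991e20311b85e8f9ff51bae4dd2106f70a2538623f: done
manifest-sha256:13920fe73b382aa9017f7cf38b1377bc46ffb605fe980eb00f61aad26311ebf7: done'
HARBOR_PULL=$HARBOR_PUSH

# digest_of KIND -- KIND is "index" or "manifest". Reads nerdctl output on
# stdin and prints the first matching digest as sha256:<64 hex characters>.
digest_of() {
  sed -n "s/^$1-sha256:\([0-9a-f]\{64\}\):.*/sha256:\1/p" | head -n 1
}

# same_digest KIND OUTPUT_A OUTPUT_B -- succeeds only if both outputs carry
# a digest of that kind and the two digests are identical.
same_digest() {
  a=$(printf '%s\n' "$2" | digest_of "$1")
  b=$(printf '%s\n' "$3" | digest_of "$1")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# pinned_ref REPOSITORY OUTPUT -- print REPOSITORY@<index digest>, an
# immutable reference; fails if OUTPUT contains no index digest.
pinned_ref() {
  d=$(printf '%s\n' "$2" | digest_of index)
  [ -n "$d" ] || return 1
  printf '%s@%s\n' "$1" "$d"
}

# The manifest is unchanged from Docker Hub, so print the reference to pin.
same_digest manifest "$HUB_PULL" "$HARBOR_PULL" &&
  pinned_ref harbor.nici.cn/library/nginx "$HARBOR_PULL"
```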
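🎉 Done! Your K8s cluster finally has its own image registry 🎉
From the Helm deployment to the Ingress configuration, then the certificate import and the image push and pull tests, didn't the whole process go smoothly? Deploying Harbor really isn't that hard; the key is choosing the right exposure method and getting the configuration details right~
If you get stuck on a step during deployment (for example the Ingress port mapping, or the certificate not taking effect), feel free to post the exact error in the comments, and I will make time to answer each one! 👇
If you found this useful, don't forget to give it a like and a "Wow", and forward it to colleagues who are working on K8s. After all, a good tutorial is most valuable when shared with fellow travelers~ See you in the next technical post! 😉
This is an original article by 胖哥叨逼叨. If you wish to repost it, please contact me and credit the source: https://www.pangshare.com/4108.htm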