OpenShift
To install and run Kuma on OpenShift execute the following steps:
Finally you can follow the Quickstart to take it from here and continue your Kuma journey.
1. Download Kuma
To run Kuma on OpenShift, you need to download a compatible version of Kuma for the machine from which you will be executing the commands.
You can run the following script to automatically detect the operating system and download Kuma:
$ curl -L https://kuma.io/installer.sh | sh -
You can also download the distribution manually. Download a distribution for the client host from where you will be executing the commands to access OpenShift:
- CentOS (opens new window)
- RedHat (opens new window)
- Debian (opens new window)
- Ubuntu (opens new window)
- macOS (opens new window) or
brew install kumactl
and extract the archive with:
$ tar xvzf kuma-*.tar.gz
2. Run Kuma
Once downloaded, you will find the contents of Kuma in the kuma-
folder. In this folder, you will find - among other files - the bin
directory that stores the executables for Kuma, including the CLI client kumactl
.
Note: On OpenShift - of all the Kuma binaries in the bin
folder - we only need kumactl
.
So we enter the bin
folder by executing:
$ cd kuma-1.1.0/bin
We suggest adding the kumactl
executable to your PATH
so that it’s always available in every working directory. Or - alternatively - you can also create link in /usr/local/bin/
by executing:
ln -s ./kumactl /usr/local/bin/kumactl
Finally we can install and run Kuma in either standalone or multi-zone mode:
Standalone mode is perfect when running Kuma in a single cluster across one environment:
$ ./kumactl install control-plane --cni-enabled | oc apply -f -
Starting from version 4.1 OpenShift utilizes nftables
instead of iptables
. So using init container for redirecting traffic to the proxy is no longer works. Instead, we use kuma-cni
which could be installed with --cni-enabled
flag.
Standalone mode is perfect when running Kuma in a single cluster across one environment.
By default MutatingAdmissionWebhook
and ValidatingAdmissionWebhook
are disabled on OpenShift 3.11. In order to make it work add the following pluginConfig
into /etc/origin/master/master-config.yaml
on the master node:
admissionConfig:
pluginConfig:
MutatingAdmissionWebhook:
configuration:
apiVersion: apiserver.config.k8s.io/v1alpha1
kubeConfigFile: /dev/null
kind: WebhookAdmission
ValidatingAdmissionWebhook:
configuration:
apiVersion: apiserver.config.k8s.io/v1alpha1
kubeConfigFile: /dev/null
kind: WebhookAdmission
After updating master-config.yaml
restart the cluster and install control-plane
:
$ ./kumactl install control-plane | oc apply -f -
Multi-zone mode is perfect when running one deployment of Kuma that spans across multiple Kubernetes clusters, clouds and VM environments under the same Kuma deployment.
This mode also supports hybrid Kubernetes + VMs deployments.
To learn more, read the multi-zone installation instructions.
It may take a while for OpenShift to start the Kuma resources, you can check the status by executing:
$ oc get pod -n kuma-system
3. Use Kuma
Kuma (kuma-cp
) will be installed in the newly created kuma-system
namespace! Now that Kuma has been installed, you can access the control-plane via either the GUI, oc
, the HTTP API, or the CLI:
Kuma ships with a read-only GUI that you can use to retrieve Kuma resources. By default the GUI listens on the API port and defaults to :5681/gui
.
To access Kuma we need to first port-forward the API service with:
$ kubectl port-forward svc/kuma-control-plane -n kuma-system 5681:5681
And then navigate to 127.0.0.1:5681/gui
(opens new window) to see the GUI.
You can use Kuma with oc
to perform read and write operations on Kuma resources. For example:
$ oc get meshes
NAME AGE
default 1m
or you can enable mTLS on the default
Mesh with:
echo "apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
name: default
spec:
mtls:
enabledBackend: ca-1
backends:
- name: ca-1
type: builtin" | oc apply -f -
Kuma ships with a read-only HTTP API that you can use to retrieve Kuma resources.
By default the HTTP API listens on port 5681
. To access Kuma we need to first port-forward the API service with:
$ oc port-forward svc/kuma-control-plane -n kuma-system 5681:5681
And then you can navigate to 127.0.0.1:5681
(opens new window) to see the HTTP API.
You can use the kumactl
CLI to perform read-only operations on Kuma resources. The kumactl
binary is a client to the Kuma HTTP API, you will need to first port-forward the API service with:
$ oc port-forward svc/kuma-control-plane -n kuma-system 5681:5681
and then run kumactl
, for example:
$ kumactl get meshes
NAME mTLS METRICS LOGGING TRACING
default off off off off
You can configure kumactl
to point to any remote kuma-cp
instance by running:
$ kumactl config control-planes add --name=XYZ --address=http://{address-to-kuma}:5681
You will notice that Kuma automatically creates a Mesh
entity with name default
.
Kuma explicitly specifies UID for kuma-dp
sidecar to avoid capturing traffic from kuma-dp
itself. For that reason, nonroot
Security Context Constraint (opens new window) has to be granted to the application namespace:
$ oc adm policy add-scc-to-group nonroot system:serviceaccounts:<app-namespace>
If namespace is not configured properly, we will see following error on the Deployment
or DeploymentConfig
'pods "kuma-demo-backend-v0-cd6b68b54-" is forbidden: unable to validate against any security context constraint: [spec.containers[1].securityContext.securityContext.runAsUser: Invalid value: 5678: must be in the ranges: [1000540000, 1000549999]]'
4. Quickstart
Congratulations! You have successfully installed Kuma on OpenShift 🚀.
In order to start using Kuma, it’s time to check out the quickstart guide for Kubernetes deployments.
Before running Kuma Demo in the Quickstart, remember to run the following command
$ oc adm policy add-scc-to-group anyuid system:serviceaccounts:kuma-demo
In case of Kuma Demo, one of the component requires root access therefore we use anyuid
instead of nonroot
permission.