OpenShift
To install and run Kuma on OpenShift execute the following steps:
Finally you can follow the Quickstart to take it from here and continue your Kuma journey.
1. Download Kuma
To run Kuma on OpenShift, you need to download a compatible version of Kuma for the machine from which you will be executing the commands.
You can run the following script to automatically detect the operating system and download Kuma:
$ curl -L https://kuma.io/installer.sh | sh -
You can also download the distribution manually. Download a distribution for the client host from where you will be executing the commands to access OpenShift:
and extract the archive with:
$ tar xvzf kuma-0.5.1*.tar.gz
2. Run Kuma
Once downloaded, you will find the contents of Kuma in the kuma-0.5.1 folder. In this folder, you will find - among other files - the bin directory that stores the executables for Kuma, including the CLI client kumactl.
Note: On OpenShift - of all the Kuma binaries in the bin folder - we only need kumactl.
So we enter the bin folder by executing:
$ cd kuma-0.5.1/bin
We suggest adding the kumactl executable to your PATH so that it's always available in every working directory. Alternatively, you can create a link in /usr/local/bin/ (with an absolute target, so that the link resolves from any directory) by executing:
$ ln -s "$(pwd)/kumactl" /usr/local/bin/kumactl
And we can then proceed to install Kuma on OpenShift with:
$ ./kumactl install control-plane --cni-enabled | oc apply -f -
Starting from version 4.1, OpenShift utilizes nftables instead of iptables, so using an init container to redirect traffic to the proxy no longer works. Instead, we use kuma-cni, which can be installed with the --cni-enabled flag.
By default, MutatingAdmissionWebhook and ValidatingAdmissionWebhook are disabled on OpenShift 3.11. To make them work, add the following pluginConfig to /etc/origin/master/master-config.yaml on the master node:
admissionConfig:
  pluginConfig:
    MutatingAdmissionWebhook:
      configuration:
        apiVersion: apiserver.config.k8s.io/v1alpha1
        kubeConfigFile: /dev/null
        kind: WebhookAdmission
    ValidatingAdmissionWebhook:
      configuration:
        apiVersion: apiserver.config.k8s.io/v1alpha1
        kubeConfigFile: /dev/null
        kind: WebhookAdmission
After updating master-config.yaml, restart the cluster and install control-plane:
$ ./kumactl install control-plane | oc apply -f -
It may take a while for OpenShift to start the Kuma resources. You can check the status by executing:
$ oc get pod -n kuma-system
3. Use Kuma
Kuma (kuma-cp) will be installed in the newly created kuma-system namespace! Now that Kuma has been installed, you can access the control-plane via either the GUI, oc, the HTTP API, or the CLI:
Kuma ships with a read-only GUI that you can use to retrieve Kuma resources. By default the GUI listens on port 5683.
To access Kuma we need to first port-forward the GUI service with:
$ oc port-forward svc/kuma-control-plane -n kuma-system 5683:5683
And then you can navigate to 127.0.0.1:5683 to see the GUI.
You can use Kuma with oc to perform read and write operations on Kuma resources. For example:
$ oc get meshes
NAME AGE
default 1m
or you can enable mTLS on the default Mesh with:
echo "apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
    - name: ca-1
      type: builtin" | oc apply -f -
Kuma ships with a read-only HTTP API that you can use to retrieve Kuma resources.
By default the HTTP API listens on port 5681. To access Kuma we need to first port-forward the API service with:
$ oc port-forward svc/kuma-control-plane -n kuma-system 5681:5681
And then you can navigate to 127.0.0.1:5681 to see the HTTP API.
You can use the kumactl CLI to perform read-only operations on Kuma resources. The kumactl binary is a client to the Kuma HTTP API, so you will need to first port-forward the API service with:
$ oc port-forward svc/kuma-control-plane -n kuma-system 5681:5681
and then run kumactl, for example:
$ kumactl get meshes
NAME mTLS METRICS LOGGING TRACING
default off off off off
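A check you can run after applying the Mesh resource above, to confirm that no mesh is still reported with mTLS off. This is an added example, not part of Kuma or of the original guide; the function names and the second sample row (including the text shown for an enabled backend) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag meshes whose mTLS column reads "off" in the table
# printed by `kumactl get meshes`. Function names are hypothetical.

# Reads the table on stdin and prints one mesh name per line.
# The mTLS column is located by its header text, not by position, and a
# missing header (or empty input) is an error rather than a silent pass.
meshes_without_mtls() {
  awk '
    NR == 1 { for (i = 1; i <= NF; i++) if ($i == "mTLS") col = i; next }
    col && NF && $col == "off" { print $1 }
    END { if (!col) exit 2 }
  '
}

# Gate for scripts and CI:
#   0 = every mesh reports mTLS, 1 = at least one is off, 2 = unparsable input.
check_mtls() {
  missing=$(meshes_without_mtls) || return 2
  if [ -n "$missing" ]; then
    # Unquoted on purpose: one output line per mesh name.
    printf 'mTLS disabled on mesh: %s\n' $missing >&2
    return 1
  fi
  return 0
}

# Constructed sample input. The "default" row matches the output shown above;
# the "payments" row and its mTLS value are assumptions for illustration.
sample_meshes() {
  cat <<'EOF'
NAME       mTLS           METRICS   LOGGING   TRACING
default    off            off       off       off
payments   builtin/ca-1   off       off       off
EOF
}

# Real use, with the API port-forward running:
#   kumactl get meshes | check_mtls
```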
You can configure kumactl to point to any remote kuma-cp instance by running:
$ kumactl config control-planes add --name=XYZ --address=http://{address-to-kuma}:5681
You will notice that Kuma automatically creates a Mesh entity with name default.
Kuma explicitly specifies the UID for kuma-dp to avoid capturing traffic from kuma-dp itself. For that reason, a special privilege (the anyuid SCC) has to be granted to the application's service account in the application namespace:
$ oc adm policy add-scc-to-user anyuid -z APPLICATION_SERVICE_ACCOUNT -n APPLICATION_NAMESPACE
4. Quickstart
Congratulations! You have successfully installed Kuma on OpenShift 🚀.
In order to start using Kuma, it’s time to check out the quickstart guide for Kubernetes deployments.