Install on OpenShift OKD

Important

This information refers to the previous Helm-based install method for the Obcerv Platform. If you are looking to install using the more streamlined Kubernetes Off-the-Shelf (KOTS) method, see the updated installation overview.

If you are installing Obcerv in an OpenShift OKD cluster, you need to perform the following tasks:

Install linkerd-cni and Linkerd

Before installing Linkerd, you need to install linkerd-cni first, which involves granting privileged Security Context Constraints (SCC) to a few service accounts in the Linkerd namespace.

To install linkerd-cni, run:

%> oc new-project linkerd-cni
%> oc annotate ns linkerd-cni linkerd.io/inject=disabled
%> oc adm policy add-scc-to-user privileged -z linkerd-cni -n linkerd-cni
%> helm install linkerd2-cni --set destCNIBinDir=/var/lib/cni/bin --set destCNINetDir=/etc/kubernetes/cni/net.d --set privileged=true linkerd/linkerd2-cni -n linkerd-cni

Once done, install Linkerd by running:

%> oc new-project linkerd
%> oc annotate ns linkerd linkerd.io/inject=disabled
%> oc label ns linkerd linkerd.io/control-plane-ns=linkerd linkerd.io/is-control-plane=true config.linkerd.io/admission-webhooks=disabled
%> oc adm policy add-scc-to-user privileged -z default -n linkerd
%> oc adm policy add-scc-to-user privileged -z linkerd-destination -n linkerd
%> oc adm policy add-scc-to-user privileged -z linkerd-identity -n linkerd
%> oc adm policy add-scc-to-user privileged -z linkerd-proxy-injector -n linkerd
%> oc adm policy add-scc-to-user privileged -z linkerd-heartbeat -n linkerd
%> linkerd install --crds | kubectl apply -f -
%> linkerd install --linkerd-cni-enabled | kubectl apply -f -

Note

If you are using Linkerd version edge-24.6.2 or above, you also need to enable proxy shutdown endpoints. To do this, run:

%> linkerd install --set proxy.enableShutdownEndpoint=true | kubectl apply -f -

Create a custom SCC

You need to create a new SCC that combines anyuid with the NET_BIND_SERVICE capability. This SCC is required to install NGINX and Obcerv.

To create the custom SCC, run:

%> cat <<'EOF' | oc create -f -
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: anyuid-seccomp-net-bind
seccompProfiles:
- runtime/default
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities:
- NET_BIND_SERVICE
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups:
- system:cluster-admins
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- csi
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret
EOF
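The manifest above grants exactly one capability beyond anyuid and keeps every host-level switch off, which is what makes it acceptable to hand out to whole namespaces. The following script is an added example (not code from the Obcerv or OpenShift projects) that encodes those expectations as a review: it takes an SCC as a dict, i.e. the JSON you get from `oc get scc anyuid-seccomp-net-bind -o json`, and reports any setting that is broader than the page's manifest. `PAGE_SCC` is a constructed copy of the manifest from this step, and `loosened_copy` is a constructed, deliberately widened variant used to show what a finding looks like.

```python
"""Least-privilege review of an OpenShift SecurityContextConstraints object.

Added example, not part of the Obcerv or OpenShift projects. Run it as
    oc get scc anyuid-seccomp-net-bind -o json | python3 review_scc.py
or with no input to review PAGE_SCC, a constructed copy of the page's manifest.
"""
import copy
import json
import sys

# Host-level switches that must stay off: each one hands a pod part of the node.
HOST_FLAGS = (
    "allowHostDirVolumePlugin", "allowHostIPC", "allowHostNetwork",
    "allowHostPID", "allowHostPorts", "allowPrivilegedContainer",
)
# The single capability this SCC exists to grant (binding ports below 1024).
ALLOWED_CAPS = {"NET_BIND_SERVICE"}
# Volume types that do not expose the node filesystem; hostPath and the "*"
# wildcard are deliberately absent.
SAFE_VOLUMES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}

# Constructed copy of the anyuid-seccomp-net-bind manifest from this page.
PAGE_SCC = {
    "apiVersion": "security.openshift.io/v1",
    "kind": "SecurityContextConstraints",
    "metadata": {"name": "anyuid-seccomp-net-bind"},
    "seccompProfiles": ["runtime/default"],
    "allowHostDirVolumePlugin": False, "allowHostIPC": False,
    "allowHostNetwork": False, "allowHostPID": False, "allowHostPorts": False,
    "allowPrivilegeEscalation": True, "allowPrivilegedContainer": False,
    "allowedCapabilities": ["NET_BIND_SERVICE"],
    "defaultAddCapabilities": None,
    "fsGroup": {"type": "RunAsAny"},
    "groups": ["system:cluster-admins"],
    "priority": 10,
    "readOnlyRootFilesystem": False,
    "requiredDropCapabilities": ["MKNOD"],
    "runAsUser": {"type": "RunAsAny"},
    "seLinuxContext": {"type": "MustRunAs"},
    "supplementalGroups": {"type": "RunAsAny"},
    "users": [],
    "volumes": sorted(SAFE_VOLUMES),
}


def review_scc(scc: dict) -> tuple[list[str], list[str]]:
    """Return (errors, notes): errors widen the SCC beyond the page's manifest,
    notes are intentionally permissive settings worth knowing about."""
    errors, notes = [], []
    if scc.get("kind") != "SecurityContextConstraints":
        errors.append(f"unexpected kind {scc.get('kind')!r}")
    for flag in HOST_FLAGS:
        if scc.get(flag, False):
            errors.append(f"{flag} is true")
    extra_caps = set(scc.get("allowedCapabilities") or []) - ALLOWED_CAPS
    if extra_caps:
        errors.append(f"allowedCapabilities grants more than NET_BIND_SERVICE: {sorted(extra_caps)}")
    if scc.get("defaultAddCapabilities"):
        errors.append(f"defaultAddCapabilities adds {scc['defaultAddCapabilities']} to every pod")
    if "MKNOD" not in (scc.get("requiredDropCapabilities") or []):
        errors.append("requiredDropCapabilities does not drop MKNOD")
    if scc.get("seccompProfiles") != ["runtime/default"]:
        errors.append(f"seccompProfiles is {scc.get('seccompProfiles')!r}, expected ['runtime/default']")
    unsafe = set(scc.get("volumes") or []) - SAFE_VOLUMES
    if unsafe:
        errors.append(f"volumes allows node-visible or wildcard types: {sorted(unsafe)}")
    if (scc.get("seLinuxContext") or {}).get("type") != "MustRunAs":
        errors.append("seLinuxContext.type is not MustRunAs")
    if scc.get("users"):
        notes.append(f"SCC is bound directly to users, not only via groups: {scc['users']}")
    # The OpenShift API treats a missing allowPrivilegeEscalation as true.
    if scc.get("allowPrivilegeEscalation", True):
        notes.append("allowPrivilegeEscalation is true: needed when a workload gains "
                     "NET_BIND_SERVICE through file capabilities (setcap), as ingress-nginx does")
    return errors, notes


def loosened_copy(scc: dict) -> dict:
    """Constructed 'bad' variant: the same SCC after someone widened it."""
    loose = copy.deepcopy(scc)
    loose["allowHostNetwork"] = True
    loose["volumes"].append("hostPath")
    loose["allowedCapabilities"].append("SYS_ADMIN")
    return loose


if __name__ == "__main__":
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else PAGE_SCC
    errors, notes = review_scc(doc)
    for line in errors:
        print("ERROR:", line)
    for line in notes:
        print("note:", line)
    sys.exit(1 if errors else 0)
```

Re-running this against the live object after the install is a cheap way to catch later edits to the SCC; the one note it always prints for the page's manifest, `allowPrivilegeEscalation: true`, is there because a binary that carries NET_BIND_SERVICE as a file capability cannot pick it up under no-new-privileges.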

Install ingress-nginx

The new SCC from Create a custom SCC is needed to install NGINX.

Run:

%> oc new-project nginx
%> oc adm policy add-scc-to-group anyuid-seccomp-net-bind system:serviceaccounts:nginx
%> helm install ingress-nginx ingress-nginx/ingress-nginx -n nginx

Install Obcerv with service mesh enabled

To collect logs, the CA needs permission to use hostPath volume mounts, which requires its pods to run in privileged mode. For this reason, the service account used by these pods to read logs must be granted the privileged SCC.

Run:

%> kubectl create ns <namespace>
... docker secret creation instructions ...
%> oc adm policy add-scc-to-group anyuid-seccomp-net-bind system:serviceaccounts:<namespace>
%> oc adm policy add-scc-to-user privileged -z obcerv-ca-logs-<namespace> -n <namespace>

Once these steps are complete, you can finish the install process for the Obcerv Platform and Obcerv Operator.
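Between the Linkerd steps and this one, the page binds seven service accounts to the privileged SCC, and that list is easy to lose track of once the cluster has been running for a while. The script below is an added example (not code from the Obcerv, Linkerd or OpenShift projects) that audits the grants after the fact: it takes the JSON from `oc get scc privileged -o json`, whose `users` list is where `oc adm policy add-scc-to-user ... -z <sa> -n <ns>` records each grant as `system:serviceaccount:<ns>:<sa>`, and compares it with the accounts the steps on this page are expected to add. The stock `privileged` entries in `STOCK_USERS` and `STOCK_GROUPS` are assumed to match a fresh OKD 4 cluster; `SAMPLE_PRIVILEGED_SCC` is a constructed document, not real cluster output.

```python
"""Audit which accounts hold the `privileged` SCC on an OKD cluster.

Added example, not part of the Obcerv, Linkerd or OpenShift projects. Run as
    oc get scc privileged -o json | python3 audit_privileged.py <namespace>
or with no input to audit SAMPLE_PRIVILEGED_SCC, a constructed document.
"""
import json
import sys

# Entries on the stock privileged SCC in OKD 4 (assumption: compare with
# `oc get scc privileged -o json` on a fresh cluster and adjust if needed).
STOCK_USERS = {
    "system:admin",
    "system:serviceaccount:openshift-infra:build-controller",
}
STOCK_GROUPS = {"system:cluster-admins", "system:nodes", "system:masters"}

# Service accounts in the linkerd namespace that the install steps grant.
LINKERD_SERVICE_ACCOUNTS = (
    "default", "linkerd-destination", "linkerd-identity",
    "linkerd-proxy-injector", "linkerd-heartbeat",
)


def expected_privileged_users(obcerv_namespace: str) -> set[str]:
    """Accounts the Linkerd and Obcerv steps on this page bind to `privileged`."""
    expected = set(STOCK_USERS)
    expected.add("system:serviceaccount:linkerd-cni:linkerd-cni")
    expected |= {f"system:serviceaccount:linkerd:{sa}" for sa in LINKERD_SERVICE_ACCOUNTS}
    # The log-collection service account is named after the Obcerv namespace.
    expected.add(f"system:serviceaccount:{obcerv_namespace}:obcerv-ca-logs-{obcerv_namespace}")
    return expected


def audit_privileged(scc: dict, obcerv_namespace: str) -> dict[str, list[str]]:
    """Return {"unexpected": [...], "missing": [...], "extra_groups": [...]}.

    unexpected:   users bound to privileged that no step on this page grants
    missing:      grants the page makes that are absent (install incomplete)
    extra_groups: groups beyond the stock set, which widen privileged to whole
                  namespaces at once
    """
    if (scc.get("metadata") or {}).get("name") != "privileged":
        raise ValueError("expected the SCC named 'privileged'")
    actual_users = set(scc.get("users") or [])
    actual_groups = set(scc.get("groups") or [])
    expected = expected_privileged_users(obcerv_namespace)
    return {
        "unexpected": sorted(actual_users - expected),
        "missing": sorted(expected - actual_users),
        "extra_groups": sorted(actual_groups - STOCK_GROUPS),
    }


# Constructed sample: the page's commands run with <namespace> = obcerv, plus
# one grant nobody asked for (default:default) and the heartbeat grant missing.
SAMPLE_PRIVILEGED_SCC = {
    "apiVersion": "security.openshift.io/v1",
    "kind": "SecurityContextConstraints",
    "metadata": {"name": "privileged"},
    "allowPrivilegedContainer": True,
    "groups": sorted(STOCK_GROUPS),
    "users": sorted(
        STOCK_USERS
        | {"system:serviceaccount:linkerd-cni:linkerd-cni"}
        | {f"system:serviceaccount:linkerd:{sa}"
           for sa in LINKERD_SERVICE_ACCOUNTS if sa != "linkerd-heartbeat"}
        | {"system:serviceaccount:obcerv:obcerv-ca-logs-obcerv",
           "system:serviceaccount:default:default"}
    ),
}


if __name__ == "__main__":
    ns = sys.argv[1] if len(sys.argv) > 1 else "obcerv"
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PRIVILEGED_SCC
    report = audit_privileged(doc, ns)
    for key, entries in report.items():
        for entry in entries:
            print(f"{key}: {entry}")
    sys.exit(1 if report["unexpected"] or report["extra_groups"] else 0)
```

The exit status makes it usable as a scheduled check: a non-zero result means something other than the documented install has been granted privileged access and should be explained or revoked with `oc adm policy remove-scc-from-user`.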
