Install on OpenShift OKD

Important

This information refers to the previous Helm install method for the Obcerv Platform. If you are looking to install using the more streamlined Kubernetes Off-the-Shelf (KOTS) method, see the updated installation overview.

If you are installing Obcerv in an OpenShift OKD cluster, you need to perform the following tasks:

Install linkerd-cni and Linkerd

Before installing Linkerd, you need to install linkerd-cni first, which involves granting privileged Security Context Constraints (SCC) to a few service accounts in the Linkerd namespace.

To install linkerd-cni, run:

%> oc new-project linkerd-cni
%> oc annotate ns linkerd-cni linkerd.io/inject=disabled
%> oc adm policy add-scc-to-user privileged -z linkerd-cni -n linkerd-cni
%> helm install linkerd2-cni --set destCNIBinDir=/var/lib/cni/bin --set destCNINetDir=/etc/kubernetes/cni/net.d --set privileged=true linkerd/linkerd2-cni -n linkerd-cni

Once done, install Linkerd by running:

%> oc new-project linkerd
%> oc annotate ns linkerd linkerd.io/inject=disabled
%> oc label ns linkerd linkerd.io/control-plane-ns=linkerd linkerd.io/is-control-plane=true config.linkerd.io/admission-webhooks=disabled
%> oc adm policy add-scc-to-user privileged -z default -n linkerd
%> oc adm policy add-scc-to-user privileged -z linkerd-destination -n linkerd
%> oc adm policy add-scc-to-user privileged -z linkerd-identity -n linkerd
%> oc adm policy add-scc-to-user privileged -z linkerd-proxy-injector -n linkerd
%> oc adm policy add-scc-to-user privileged -z linkerd-heartbeat -n linkerd
%> linkerd install --crds | kubectl apply -f -
%> linkerd install --linkerd-cni-enabled | kubectl apply -f -

Note

If you are using Linkerd version edge-24.6.2 or above, you also need to enable proxy shutdown endpoints. To do this, run:

%> linkerd install --set proxy.enableShutdownEndpoint=true | kubectl apply -f -

Create a custom SCC

You need to create a new SCC that combines anyuid and NET_BIND_SERVICE. This new SCC is needed to install NGINX and Obcerv.

To create the custom SCC, run:

%> cat <<'EOF' | oc create -f -
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: anyuid-seccomp-net-bind
seccompProfiles:
- runtime/default
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities:
- NET_BIND_SERVICE
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups:
- system:cluster-admins
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- csi
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret
EOF
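
The following drift check is an added example, not part of the Obcerv documentation: it compares an SCC, parsed from JSON, against the security-relevant fields of the manifest above and reports anything that differs. The names `audit_scc`, `DOCUMENTED` and `DRIFTED` are hypothetical, and the sample input is constructed.

```python
# Security-relevant fields of anyuid-seccomp-net-bind, copied from the manifest above.
DOCUMENTED = {
    "allowHostDirVolumePlugin": False,
    "allowHostIPC": False,
    "allowHostNetwork": False,
    "allowHostPID": False,
    "allowHostPorts": False,
    "allowPrivilegeEscalation": True,
    "allowPrivilegedContainer": False,
    "allowedCapabilities": ["NET_BIND_SERVICE"],
    "defaultAddCapabilities": None,
    "requiredDropCapabilities": ["MKNOD"],
    "seccompProfiles": ["runtime/default"],
}
DOCUMENTED_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                      "persistentVolumeClaim", "projected", "secret"}


def _norm(value):
    # Treat an empty list and null as the same "unset" value.
    return None if value == [] else value


def audit_scc(scc):
    """Return one finding per field where a live SCC differs from the documented one."""
    findings = []
    for field, want in DOCUMENTED.items():
        got = scc.get(field)
        if _norm(got) != _norm(want):
            findings.append(f"{field}: documented {want!r}, live {got!r}")
    # Any volume type beyond the documented list (for example hostPath) is drift.
    extra = sorted(set(scc.get("volumes") or []) - DOCUMENTED_VOLUMES)
    if extra:
        findings.append(f"volumes: extra types {extra}")
    return findings


# Constructed sample (not real cluster output): the documented SCC after it was
# widened with hostPath access and an extra capability.
DRIFTED = dict(
    DOCUMENTED,
    allowHostDirVolumePlugin=True,
    allowedCapabilities=["NET_BIND_SERVICE", "NET_ADMIN"],
    volumes=sorted(DOCUMENTED_VOLUMES | {"hostPath"}),
)

if __name__ == "__main__":
    for finding in audit_scc(DRIFTED):
        print("DRIFT:", finding)
```

To check a live cluster, parse the output of `oc get scc anyuid-seccomp-net-bind -o json` with `json.load` and pass the result to `audit_scc`.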

Install ingress-nginx

The new SCC from Create a custom SCC is needed to install NGINX.

Run:

%> oc new-project nginx
%> oc adm policy add-scc-to-group anyuid-seccomp-net-bind system:serviceaccounts:nginx
%> helm install ingress-nginx ingress-nginx/ingress-nginx -n nginx

Install Obcerv with service mesh enabled

The Obcerv collection-agent DaemonSet pods must run in privileged mode in order to use hostPath volume mounts and hostPort. The privileged SCC must be assigned to the agent’s service account.

# Replace <namespace> with the Obcerv namespace.
%> oc new-project <namespace>
%> oc adm policy add-scc-to-group anyuid-seccomp-net-bind system:serviceaccounts:<namespace>
%> oc adm policy add-scc-to-user privileged -z obcerv-ca-logs-<namespace> -n <namespace>

Once these steps are done, you can complete the install process for the Obcerv Operator and Obcerv Platform.
