Install on OpenShift OKD
Important
This information refers to the previous helm install method for the Obcerv Platform. If you are looking to install using the more streamlined Kubernetes Off-the-Shelf (KOTS) method, see the updated installation overview.
If you are installing Obcerv in an OpenShift OKD cluster, you need to perform the following tasks, in order:
Install linkerd-cni and Linkerd
Before installing Linkerd, you need to install linkerd-cni first. This involves granting the privileged Security Context Constraint (SCC) to a few service accounts: the linkerd-cni service account in the linkerd-cni namespace and the control-plane service accounts in the linkerd namespace. These grants are what let the CNI plugin and the control plane run in privileged mode, so grant them only to the service accounts listed below.
To install linkerd-cni, run (the Helm commands assume the Linkerd chart repository has already been added under the name linkerd):
%> oc new-project linkerd-cni
%> oc annotate ns linkerd-cni linkerd.io/inject=disabled
%> oc adm policy add-scc-to-user privileged -z linkerd-cni -n linkerd-cni
%> helm install linkerd2-cni --set destCNIBinDir=/var/lib/cni/bin --set destCNINetDir=/etc/kubernetes/cni/net.d --set privileged=true linkerd/linkerd2-cni -n linkerd-cni
Once done, install Linkerd by running:
%> oc new-project linkerd
%> oc annotate ns linkerd linkerd.io/inject=disabled
%> oc label ns linkerd linkerd.io/control-plane-ns=linkerd linkerd.io/is-control-plane=true config.linkerd.io/admission-webhooks=disabled
%> oc adm policy add-scc-to-user privileged -z default -n linkerd
%> oc adm policy add-scc-to-user privileged -z linkerd-destination -n linkerd
%> oc adm policy add-scc-to-user privileged -z linkerd-identity -n linkerd
%> oc adm policy add-scc-to-user privileged -z linkerd-proxy-injector -n linkerd
%> oc adm policy add-scc-to-user privileged -z linkerd-heartbeat -n linkerd
%> linkerd install --crds | kubectl apply -f -
%> linkerd install --linkerd-cni-enabled | kubectl apply -f -
Note
If you are using Linkerd version edge-24.6.2 or above, you also need to enable the proxy shutdown endpoint. Keep the --linkerd-cni-enabled flag when you do so, otherwise the regenerated manifest would be applied without CNI mode. To do this, run:
%> linkerd install --linkerd-cni-enabled --set proxy.enableShutdownEndpoint=true | kubectl apply -f -
Create a custom SCC
A new SCC that combines anyuid with the NET_BIND_SERVICE capability must be created. This SCC is needed to install NGINX and Obcerv. It allows any UID and NET_BIND_SERVICE (so a container can bind ports below 1024 without running privileged) but still disallows privileged containers, host namespaces, host ports and hostPath volumes, and its priority of 10 makes it preferred over the default restricted SCC for any service account it is granted to.
To create the custom SCC, run:
%> cat <<'EOF' | oc create -f -
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: anyuid-seccomp-net-bind
seccompProfiles:
  - runtime/default
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities:
  - NET_BIND_SERVICE
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups:
  - system:cluster-admins
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
  - MKNOD
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: []
volumes:
  - configMap
  - csi
  - downwardAPI
  - emptyDir
  - ephemeral
  - persistentVolumeClaim
  - projected
  - secret
EOF
Install ingress-nginx
The SCC from Create a custom SCC is needed to install NGINX; it is granted to every service account in the nginx namespace. Run (assuming the ingress-nginx chart repository has already been added under the name ingress-nginx):
%> oc new-project nginx
%> oc adm policy add-scc-to-group anyuid-seccomp-net-bind system:serviceaccounts:nginx
%> helm install ingress-nginx ingress-nginx/ingress-nginx -n nginx
Install Obcerv with service mesh enabled
The Obcerv collection-agent DaemonSet pods must run in privileged mode in order to use hostPath volume mounts and hostPort, so the privileged SCC must be assigned to the agent's service account. The rest of the namespace only needs the custom SCC:
# Replace <namespace> with the Obcerv namespace.
%> oc new-project <namespace>
%> oc adm policy add-scc-to-group anyuid-seccomp-net-bind system:serviceaccounts:<namespace>
%> oc adm policy add-scc-to-user privileged -z obcerv-ca-logs-<namespace> -n <namespace>
Once these have been done, you can then complete the install process for the Obcerv Operator and Obcerv Platform.
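After the grants above, it is worth confirming which SCC each pod was actually admitted under, since a missing grant silently lands a pod on the restricted SCC (and it then fails to start) while a too-broad grant lands unrelated pods on privileged. The following script is an added example, not part of this page or of the Obcerv product: it reads the JSON from oc get pods -A -o json, compares the openshift.io/scc annotation that SCC admission writes on every pod with the grants made in the steps above, and reports drift in both directions. The namespace name obcerv stands in for <namespace>, and the embedded pod list is constructed sample data, not output from a real cluster.

```python
"""Audit the SCC each pod was admitted under against the grants made above."""
import json

# Expected SCC per (namespace, service account), mirroring the grants in the
# steps above. "*" matches any service account in that namespace. The Obcerv
# namespace name is an assumption standing in for <namespace>.
OBCERV_NS = "obcerv"
EXPECTED_SCC = {
    ("linkerd-cni", "linkerd-cni"): "privileged",
    ("linkerd", "default"): "privileged",
    ("linkerd", "linkerd-destination"): "privileged",
    ("linkerd", "linkerd-identity"): "privileged",
    ("linkerd", "linkerd-proxy-injector"): "privileged",
    ("linkerd", "linkerd-heartbeat"): "privileged",
    ("nginx", "*"): "anyuid-seccomp-net-bind",
    (OBCERV_NS, f"obcerv-ca-logs-{OBCERV_NS}"): "privileged",
    (OBCERV_NS, "*"): "anyuid-seccomp-net-bind",
}


def expected_scc(namespace, service_account):
    """Exact (namespace, SA) entry first, then the namespace wildcard, else None."""
    return EXPECTED_SCC.get((namespace, service_account),
                            EXPECTED_SCC.get((namespace, "*")))


def audit_pods(pod_list):
    """pod_list is the parsed JSON of `oc get pods -A -o json`.

    Returns the pods admitted under a different SCC than the grant intended
    ("mismatched") and the pods running as privileged without an explicit
    expectation for that service account ("unexpected_privileged")."""
    report = {"mismatched": [], "unexpected_privileged": [], "ok": []}
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        ns, name = meta["namespace"], meta["name"]
        sa = pod.get("spec", {}).get("serviceAccountName", "default")
        # Written by the SCC admission plugin when the pod was created.
        actual = meta.get("annotations", {}).get("openshift.io/scc")
        want = expected_scc(ns, sa)
        ref = f"{ns}/{name} (sa={sa}, scc={actual})"
        if actual == "privileged" and want != "privileged":
            report["unexpected_privileged"].append(ref)
        elif want is not None and actual != want:
            report["mismatched"].append(ref)
        else:
            report["ok"].append(ref)
    return report


# Constructed sample in the shape of `oc get pods -A -o json`; pod and service
# account names here are illustrative, not taken from a real cluster.
SAMPLE_PODS = json.loads("""
{"items": [
 {"metadata": {"namespace": "linkerd", "name": "linkerd-destination-7c9d5",
   "annotations": {"openshift.io/scc": "privileged"}},
  "spec": {"serviceAccountName": "linkerd-destination"}},
 {"metadata": {"namespace": "nginx", "name": "ingress-nginx-controller-5b6",
   "annotations": {"openshift.io/scc": "anyuid-seccomp-net-bind"}},
  "spec": {"serviceAccountName": "ingress-nginx"}},
 {"metadata": {"namespace": "obcerv", "name": "obcerv-ca-logs-x2k9q",
   "annotations": {"openshift.io/scc": "privileged"}},
  "spec": {"serviceAccountName": "obcerv-ca-logs-obcerv"}},
 {"metadata": {"namespace": "obcerv", "name": "obcerv-operator-6f8",
   "annotations": {"openshift.io/scc": "restricted-v2"}},
  "spec": {"serviceAccountName": "obcerv-operator"}},
 {"metadata": {"namespace": "nginx", "name": "debug-shell",
   "annotations": {"openshift.io/scc": "privileged"}},
  "spec": {"serviceAccountName": "default"}},
 {"metadata": {"namespace": "kube-system", "name": "coredns-abc",
   "annotations": {"openshift.io/scc": "restricted-v2"}},
  "spec": {"serviceAccountName": "coredns"}}
]}
""")


if __name__ == "__main__":
    import sys
    # Usage: oc get pods -A -o json | python3 scc_audit.py
    result = audit_pods(json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PODS)
    for key in ("mismatched", "unexpected_privileged"):
        for ref in result[key]:
            print(f"{key}: {ref}")
    print(f"ok: {len(result['ok'])} pods")
    sys.exit(1 if result["mismatched"] or result["unexpected_privileged"] else 0)
```

On the sample data the Obcerv operator pod is reported as mismatched (it landed on restricted-v2, which is what you see when the add-scc-to-group step for the Obcerv namespace was skipped) and the debug pod in nginx is reported as unexpectedly privileged. Note that the annotation is only written at admission time, so pods created before an SCC grant keep their old SCC until they are recreated; run the audit after a rollout, not immediately after the oc adm policy commands.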