Install on OpenShift OKD
Important
This information refers to the previous Helm install method for the ITRS Analytics Platform. If you are looking to install using the more streamlined Kubernetes Off-the-Shelf (KOTS) method, see the updated installation overview.
If you are installing ITRS Analytics in an OpenShift OKD cluster, you need to perform the following tasks:
Install linkerd-cni and Linkerd
Before installing Linkerd, you need to install linkerd-cni first, which involves granting privileged Security Context Constraints (SCC) to a few service accounts in the Linkerd namespace.
To install linkerd-cni, run:
%> oc new-project linkerd-cni
%> oc annotate ns linkerd-cni linkerd.io/inject=disabled
%> oc adm policy add-scc-to-user privileged -z linkerd-cni -n linkerd-cni
%> helm install linkerd2-cni --set destCNIBinDir=/var/lib/cni/bin --set destCNINetDir=/etc/kubernetes/cni/net.d --set privileged=true linkerd/linkerd2-cni -n linkerd-cni
Once done, install Linkerd by running:
%> oc new-project linkerd
%> oc annotate ns linkerd linkerd.io/inject=disabled
%> oc label ns linkerd linkerd.io/control-plane-ns=linkerd linkerd.io/is-control-plane=true config.linkerd.io/admission-webhooks=disabled
%> oc adm policy add-scc-to-user privileged -z default -n linkerd
%> oc adm policy add-scc-to-user privileged -z linkerd-destination -n linkerd
%> oc adm policy add-scc-to-user privileged -z linkerd-identity -n linkerd
%> oc adm policy add-scc-to-user privileged -z linkerd-proxy-injector -n linkerd
%> oc adm policy add-scc-to-user privileged -z linkerd-heartbeat -n linkerd
%> linkerd install --crds | kubectl apply -f -
%> linkerd install --linkerd-cni-enabled | kubectl apply -f -
Note
If you are using Linkerd version edge-24.6.2 or above, you also need to enable proxy shutdown endpoints. To do this, run:
%> linkerd install --set proxy.enableShutdownEndpoint=true | kubectl apply -f -
Create a custom SCC
You need to create a new SCC that combines anyuid and NET_BIND_SERVICE. This new SCC is needed to install NGINX and ITRS Analytics.
To create the custom SCC, run:
%> cat <<'EOF' | oc create -f -
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: anyuid-seccomp-net-bind
seccompProfiles:
- runtime/default
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
# Containers may request NET_BIND_SERVICE (bind to ports below 1024).
allowedCapabilities:
- NET_BIND_SERVICE
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups:
- system:cluster-admins
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
# As in the built-in anyuid SCC, containers may run as any UID.
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- csi
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret
EOF
Install ingress-nginx
The new SCC from Create a custom SCC is needed to install NGINX.
Run:
%> oc new-project nginx
%> oc adm policy add-scc-to-group anyuid-seccomp-net-bind system:serviceaccounts:nginx
%> helm install ingress-nginx ingress-nginx/ingress-nginx -n nginx
Install ITRS Analytics with service mesh enabled
The ITRS Analytics collection-agent DaemonSet pods must run in privileged mode in order to use hostPath volume mounts and hostPort. The privileged SCC must be assigned to the agent’s service account.
# Replace <namespace> with the ITRS Analytics namespace.
%> oc new-project <namespace>
%> oc adm policy add-scc-to-group anyuid-seccomp-net-bind system:serviceaccounts:<namespace>
%> oc adm policy add-scc-to-user privileged -z obcerv-ca-logs-<namespace> -n <namespace>
Once these have been done, you can then complete the install process for the ITRS Analytics Operator and ITRS Analytics Platform.
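To review the privileged grants made in the steps above, the following added example (not part of the ITRS documentation) compares the SCC that admitted each pod, as recorded in the pod's openshift.io/scc annotation, against the service accounts this page grants privileged to. The namespace itrs, the service accounts debug-sa and other-sa, and the sample pod lines are constructed for illustration.

```sh
# Input for both checks: one "namespace serviceaccount scc" line per pod, e.g. from
#   oc get pods -A --no-headers -o custom-columns='NS:.metadata.namespace,SA:.spec.serviceAccountName,SCC:.metadata.annotations.openshift\.io/scc'

# Grants of privileged made on this page; $1 = ITRS Analytics namespace (<namespace>).
granted_privileged() {
  for sa in default linkerd-destination linkerd-identity linkerd-proxy-injector linkerd-heartbeat; do
    echo "linkerd/$sa"
  done
  echo "linkerd-cni/linkerd-cni"
  echo "$1/obcerv-ca-logs-$1"
}

# Pods in the namespaces this page creates that run as privileged under a
# service account the page does not grant it to.
unexpected_privileged() {
  awk -v ns="$1" -v grants="$(granted_privileged "$1" | tr '\n' ' ')" '
    BEGIN {
      n = split(grants, g, " "); for (i = 1; i <= n; i++) ok[g[i]] = 1
      scope["linkerd"] = scope["linkerd-cni"] = scope["nginx"] = scope[ns] = 1
    }
    ($1 in scope) && $3 == "privileged" && !(($1 "/" $2) in ok) { print $1 "/" $2 }
  ' | sort -u
}

# Grants from this page that no listed pod is using: review whether they are
# still needed. A service account with no running pod also appears here.
unused_grants() {
  pods="$(cat)"
  for g in $(granted_privileged "$1"); do
    printf '%s\n' "$pods" | awk -v g="$g" '
      ($1 "/" $2) == g && $3 == "privileged" { f = 1 } END { exit !f }' || echo "$g"
  done
}

# Constructed sample data: itrs, debug-sa, other-ns and other-sa are hypothetical.
sample_pods() {
  cat <<'EOF'
linkerd-cni linkerd-cni privileged
linkerd linkerd-identity privileged
linkerd linkerd-destination restricted-v2
nginx ingress-nginx anyuid-seccomp-net-bind
nginx debug-sa privileged
itrs obcerv-ca-logs-itrs privileged
itrs default privileged
other-ns other-sa privileged
EOF
}

sample_pods | unexpected_privileged itrs
```

Pipe the same listing into unused_grants with the namespace as its argument to see which of the page's grants no running pod relies on.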