mirror of https://github.com/istio/istio.io.git
zh-translation: docs/setup/platform-setup/openshift/index.md (#5423)
* zh-translation: docs/setup/platform-setup/openshift/index.md
* Add anchor for sections; Add /zh to alias links
* add /zh prefix to all links
parent 1d06bc1356
commit 57e8da18aa
|
@ -1,50 +1,49 @@
|
|||
---
|
||||
title: OpenShift
|
||||
description: Instructions to setup an OpenShift cluster for Istio.
|
||||
description: 对 OpenShift 集群进行配置以便安装运行 Istio。
|
||||
weight: 24
|
||||
skip_seealso: true
|
||||
aliases:
|
||||
- /docs/setup/kubernetes/prepare/platform-setup/openshift/
|
||||
- /docs/setup/kubernetes/platform-setup/openshift/
|
||||
- /zh/docs/setup/kubernetes/prepare/platform-setup/openshift/
|
||||
- /zh/docs/setup/kubernetes/platform-setup/openshift/
|
||||
keywords: [platform-setup,openshift]
|
||||
---
|
||||
|
||||
{{< warning >}}
|
||||
OpenShift 4.1 and above use `nftables`, which is incompatible with the Istio `proxy-init` container. Make sure to use [CNI](/docs/setup/additional-setup/cni/) instead.
|
||||
OpenShift 4.1 及以上版本使用的 `nftables` 与 Istio 的 `proxy-init` 容器不兼容。请使用 [CNI](/zh/docs/setup/additional-setup/cni/) 插件代替。
|
||||
{{< /warning >}}
|
||||
|
||||
Follow these instructions to prepare an OpenShift cluster for Istio.
|
||||
依照本指南对 OpenShift 集群进行配置以便安装运行 Istio。
|
||||
|
||||
By default, OpenShift doesn't allow containers running with user ID 0.
|
||||
You must enable containers running with UID 0 for Istio's service accounts
|
||||
by running the command below. Make sure to replace `istio-system` if you are
|
||||
deploying Istio in another namespace:
|
||||
默认情况下,OpenShift 不允许容器使用 User ID(UID) 0 来运行。通过以下命令可以让 Istio 的服务账户(Service Accounts)以 UID 0 来运行容器
|
||||
(如果你将 Istio 部署到其它命名空间,请注意替换 `istio-system` ):
|
||||
|
||||
{{< text bash >}}
|
||||
$ oc adm policy add-scc-to-group anyuid system:serviceaccounts -n istio-system
|
||||
{{< /text >}}
|
||||
|
||||
Now you can install Istio using the [CNI](/docs/setup/additional-setup/cni/) instructions.
|
||||
现在你可以按照 [CNI](/zh/docs/setup/additional-setup/cni/) 的操作来安装 Istio。
|
||||
|
||||
After installation is complete, expose an OpenShift route for the ingress gateway.
|
||||
安装完成后,为 ingress 网关暴露一个 OpenShift 路由。
|
||||
|
||||
{{< text bash >}}
|
||||
$ oc -n istio-system expose svc/istio-ingressgateway --port=80
|
||||
{{< /text >}}
|
||||
|
||||
## Automatic sidecar injection
|
||||
## 自动 sidecar 注入{#automatic-sidecar-injection}
|
||||
|
||||
{{< tip >}}
|
||||
This setup is not necessary if you are running OpenShift 4.1 or higher. If this is the case, skip to the next section.
|
||||
如果你使用的是 OpenShift 4.1 或更高的版本,以下配置不是必须的,可以跳到下一章节。
|
||||
{{< /tip >}}
|
||||
|
||||
Webhook and certificate signing requests support must be enabled for [automatic injection](/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) to work. Modify the master configuration file on the master node for the cluster as follows.
|
||||
要使[自动注入](/zh/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection)能正常工作必须启用 Webhook 和证书签名请求(CSR)的支持。
|
||||
请按以下说明在集群 master 节点修改 master 配置文件。
|
||||
|
||||
{{< tip >}}
|
||||
By default, the master configuration file can be found in `/etc/origin/master/master-config.yaml`.
|
||||
默认情况下,master 配置文件的路径是 `/etc/origin/master/master-config.yaml`。
|
||||
{{< /tip >}}
|
||||
|
||||
In the same directory as the master configuration file, create a file named `master-config.patch` with the following contents:
|
||||
在 master 配置文件相同目录下创建文件 `master-config.patch`,内容如下:
|
||||
|
||||
{{< text yaml >}}
|
||||
admissionConfig:
|
||||
|
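Review bot: The translated paragraph on UID 0 weakens the requirement. The English line says "You must enable containers running with UID 0 for Istio's service accounts", while the new text says "通过以下命令可以让 Istio 的服务账户(Service Accounts)以 UID 0 来运行容器", which reads as optional. Suggest wording such as "必须通过以下命令允许 Istio 的服务账户以 UID 0 运行容器" so the `anyuid` grant is clearly a prerequisite. In the same paragraph, the spacing around the full-width parentheses is inconsistent ("User ID(UID) 0" and "`istio-system` )").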
@ -61,7 +60,7 @@ admissionConfig:
|
|||
kind: WebhookAdmission
|
||||
{{< /text >}}
|
||||
|
||||
In the same directory, execute:
|
||||
然后在该目录下执行:
|
||||
|
||||
{{< text bash >}}
|
||||
$ cp -p master-config.yaml master-config.yaml.prepatch
|
||||
|
@ -70,16 +69,16 @@ $ master-restart api
|
|||
$ master-restart controllers
|
||||
{{< /text >}}
|
||||
|
||||
## Privileged security context constraints for application sidecars
|
||||
## Sidecar 应用的专用安全上下文约束(SCC){#privileged-security-context-constraints-for-application-sidecars}
|
||||
|
||||
The Istio sidecar injected into each application pod runs with user ID 1337, which is not allowed by default in OpenShift. To allow this user ID to be used, execute the following commands. Replace `<target-namespace>` with the appropriate namespace.
|
||||
OpenShift 默认是不允许 Istio sidecar 注入到每个应用 Pod 中以 ID 为 1377 的用户运行的。要允许使用该 UID 运行,需要执行以下命令(注意替换 `<target-namespace>` 为适当的命名空间):
|
||||
|
||||
{{< text bash >}}
|
||||
$ oc adm policy add-scc-to-group privileged system:serviceaccounts -n <target-namespace>
|
||||
$ oc adm policy add-scc-to-group anyuid system:serviceaccounts -n <target-namespace>
|
||||
{{< /text >}}
|
||||
|
||||
When removing your application, remove the permissions as follows.
|
||||
当需要移除应用时,请按以下操作移除权限:
|
||||
|
||||
{{< text bash >}}
|
||||
$ oc adm policy remove-scc-from-group privileged system:serviceaccounts -n <target-namespace>
|
||||
|
|
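Review bot: The new paragraph under the SCC heading gives the sidecar user ID as 1377, but the English line it replaces says 1337; the number has to match, because it is the user ID the following `oc adm policy` commands are meant to allow. The same sentence also reads as if OpenShift blocks the injection itself rather than running as that user, so it is worth restructuring along the lines of "注入到每个应用 Pod 的 Istio sidecar 以 UID 1337 运行,而 OpenShift 默认不允许". In the heading, "专用" renders "Privileged" as "dedicated" and "Sidecar 应用" inverts "application sidecars"; "应用 sidecar 的特权安全上下文约束(SCC)" would match the English.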