istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Improve instructions on OpenShift (#6556)

This commit is contained in:
Jonh Wendell 2020-02-25 13:41:58 -05:00 committed by GitHub
parent 352ba575a8
commit 7e210bd2f4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 26 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
content/en/docs/setup/additional-setup/cni/index.md
View File

@ -68,6 +68,7 @@ The following table shows all the options that the `istio-cni` configuration sup
| `cniConfFileName` | | | Leave unset to auto-find the first file in the `cni-conf-dir` (as `kubelet` does). Primarily used for testing `install-cni` plugin configuration. If set, `install-cni` will inject the plugin configuration into this file in the `cni-conf-dir`. |
| `psp_cluster_role` | | | This value refers to a `ClusterRole` and can be used to create a `RoleBinding` in the namespace of `istio-cni`. This is useful if you use [Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy) and want to allow `istio-cni` to run as `priviliged` Pods. |
| `podAnnotations` | | `{}` | Additional custom annotations to be set on pod level. |
| `chained` | `true` or `false` | `true` | Whether to deploy the configuration file as a plugin chain or as a standalone file in `cni-conf-dir`. Some Kubernetes flavors (e.g. OpenShift) do not support the chain approach, set to `false` if this is the case. |
These options are accessed through `values.cni.<option-name>` in `istioctl manifest` commands, either as a `--set` flag,
or the corresponding path in a custom overlay file.
@ -125,7 +126,7 @@ The following table shows the required settings for many common Kubernetes envir
| EKS (AWS) | _(none)_ | _(none)_ |
| AKS (Azure) | _(none)_ | _(none)_ |
| Red Hat OpenShift 3.10+ | _(none)_ | _(none)_ |
| Red Hat OpenShift 4.2+ | `--set components.cni.namespace=kube-system --set values.cni.cniBinDir=/var/lib/cni/bin --set values.cni.cniConfDir=/var/run/multus/cni/net.d` | _(none)_ |
| Red Hat OpenShift 4.2+ | `--set components.cni.namespace=kube-system --set values.cni.cniBinDir=/var/lib/cni/bin --set values.cni.cniConfDir=/etc/cni/multus/net.d --set values.cni.chained=false --set values.cni.cniConfFileName="istio-cni.conf"` | _(none)_ |
### GKE setup

29
content/en/docs/setup/platform-setup/openshift/index.md
View File

@ -21,7 +21,7 @@ by running the command below. Make sure to replace `istio-system` if you are
deploying Istio in another namespace:
{{< text bash >}}
$ oc adm policy add-scc-to-group anyuid system:serviceaccounts -n istio-system
$ oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
{{< /text >}}
Now you can install Istio using the [CNI](/docs/setup/additional-setup/cni/) instructions.
@ -75,13 +75,32 @@ $ master-restart controllers
The Istio sidecar injected into each application pod runs with user ID 1337, which is not allowed by default in OpenShift. To allow this user ID to be used, execute the following commands. Replace `<target-namespace>` with the appropriate namespace.
{{< text bash >}}
$ oc adm policy add-scc-to-group privileged system:serviceaccounts -n <target-namespace>
$ oc adm policy add-scc-to-group anyuid system:serviceaccounts -n <target-namespace>
$ oc adm policy add-scc-to-group privileged system:serviceaccounts:<target-namespace>
$ oc adm policy add-scc-to-group anyuid system:serviceaccounts:<target-namespace>
{{< /text >}}
When removing your application, remove the permissions as follows.
{{< text bash >}}
$ oc adm policy remove-scc-from-group privileged system:serviceaccounts -n <target-namespace>
$ oc adm policy remove-scc-from-group anyuid system:serviceaccounts -n <target-namespace>
$ oc adm policy remove-scc-from-group privileged system:serviceaccounts:<target-namespace>
$ oc adm policy remove-scc-from-group anyuid system:serviceaccounts:<target-namespace>
{{< /text >}}
## Additional requirements for the application namespace
CNI on OpenShift is managed by `Multus`, and it requires a `NetworkAttachmentDefinition` to be present in the application namespace in order to invoke the `istio-cni` plugin. Execute the following commands. Replace `<target-namespace>` with the appropriate namespace.
{{< text bash >}}
$ cat <<EOF | oc -n <target-namespace> create -f -
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
name: istio-cni
EOF
{{< /text >}}
When removing your application, remove the `NetworkAttachmentDefinition` as follows.
{{< text bash >}}
$ oc -n <target-namespace> delete NetworkAttachmentDefinition istio-cni
{{< /text >}}