Cleanup OpenShift instructions, removing outdated info (#7880)

Jonh Wendell 2020-08-06 09:56:26 -04:00 committed by GitHub
parent f5b4bafcfe
commit 83482ee705
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 1 additions and 78 deletions

@ -157,47 +157,8 @@ The following table shows the required settings for many common Kubernetes envir
| IKS (IBM cloud) | _(none)_ | _(none)_ |
| EKS (AWS) | _(none)_ | _(none)_ |
| AKS (Azure) | _(none)_ | _(none)_ |
| Red Hat OpenShift 3.10+ | _(none)_ | _(none)_ |
| Red Hat OpenShift 4.2+ | `--set components.cni.namespace=kube-system --set values.cni.cniBinDir=/var/lib/cni/bin --set values.cni.cniConfDir=/etc/cni/multus/net.d --set values.cni.chained=false --set values.cni.cniConfFileName="istio-cni.conf" --set values.sidecarInjectorWebhook.injectedAnnotations."k8s\.v1\.cni\.cncf\.io/networks"=istio-cni` | _(none)_ |
#### Instructions for Istio 1.4.x and OpenShift
Due to a [limitation](https://github.com/istio/istio/issues/19196) in `istioctl` 1.4.x using `--set` with
escaped strings, a YAML file is necessary to set `values.sidecarInjectorWebhook.injectedAnnotations` to install Istio on OpenShift. Create the YAML file:
{{< text yaml >}}
cat <<'EOF' > cni-annotations.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
components:
cni:
enabled: true
namespace: kube-system
values:
cni:
chained: false
cniBinDir: /var/lib/cni/bin
cniConfDir: /etc/cni/multus/net.d
cniConfFileName: istio-cni.conf
sidecarInjectorWebhook:
injectedAnnotations:
"k8s.v1.cni.cncf.io/networks": istio-cni
EOF
{{< /text >}}
Then pass this file as an argument to `istioctl`, for example:
{{< text bash >}}
$ istioctl install -f cni-annotations.yaml
{{< /text >}}
You can pass other command line arguments with `--set` if necessary.
{{< warning >}}
In order to deploy Istio 1.4 on OpenShift with CNI you need to use at least Istio 1.4.8.
{{< /warning >}}
### GKE setup
1. Refer to the procedure to [prepare a GKE cluster for Istio](/docs/setup/platform-setup/gke/) and
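Review bot: the OpenShift 4.2+ row that stays in the table still sets `values.sidecarInjectorWebhook.injectedAnnotations."k8s\.v1\.cni\.cncf\.io/networks"=istio-cni` through `--set`, which is the escaped-string form the deleted "Istio 1.4.x and OpenShift" section said does not work in `istioctl` 1.4.x (issue 19196). With the `IstioOperator` YAML alternative and the 1.4.8 minimum removed, nothing on the page says from which release the row works as written. Suggest adding one sentence giving the minimum `istioctl` version for that row, or keeping the YAML file form as the documented way to set the annotation. The hunk header (47 lines down to 8) also means the OpenShift 3.10+ row is dropped, so the page or the commit message should state that 3.x is no longer covered.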

@ -12,7 +12,7 @@ test: no
---
{{< warning >}}
OpenShift 4.1 and above use `nftables`, which is incompatible with the Istio `proxy-init` container. Make sure to use [CNI](/docs/setup/additional-setup/cni/) instead.
OpenShift is incompatible with the Istio `proxy-init` container. Make sure to install Istio using the [CNI](/docs/setup/additional-setup/cni/) plugin.
{{< /warning >}}
Follow these instructions to prepare an OpenShift cluster for Istio.
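Review bot: the replacement warning line drops both the version qualifier ("4.1 and above") and the reason (`nftables`), and now claims that OpenShift as a whole is incompatible with the `proxy-init` container. Suggest keeping the cause in the sentence, for example "OpenShift uses `nftables`, which is incompatible with the Istio `proxy-init` container.", so an operator can tell why the CNI plugin is required and can check whether the statement applies to their cluster version.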
@ -34,44 +34,6 @@ After installation is complete, expose an OpenShift route for the ingress gatewa
$ oc -n istio-system expose svc/istio-ingressgateway --port=http2
{{< /text >}}
## Automatic sidecar injection
{{< tip >}}
This setup is not necessary if you are running OpenShift 4.1 or higher. If this is the case, skip to the next section.
{{< /tip >}}
Webhook and certificate signing requests support must be enabled for [automatic injection](/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) to work. Modify the master configuration file on the master node for the cluster as follows.
{{< tip >}}
By default, the master configuration file can be found in `/etc/origin/master/master-config.yaml`.
{{< /tip >}}
In the same directory as the master configuration file, create a file named `master-config.patch` with the following contents:
{{< text yaml >}}
admissionConfig:
pluginConfig:
MutatingAdmissionWebhook:
configuration:
apiVersion: apiserver.config.k8s.io/v1alpha1
kubeConfigFile: /dev/null
kind: WebhookAdmission
ValidatingAdmissionWebhook:
configuration:
apiVersion: apiserver.config.k8s.io/v1alpha1
kubeConfigFile: /dev/null
kind: WebhookAdmission
{{< /text >}}
In the same directory, execute:
{{< text bash >}}
$ cp -p master-config.yaml master-config.yaml.prepatch
$ oc ex config patch master-config.yaml.prepatch -p "$(cat master-config.patch)" > master-config.yaml
$ master-restart api
$ master-restart controllers
{{< /text >}}
## Privileged security context constraints for application sidecars
The Istio sidecar injected into each application pod runs with user ID 1337, which is not allowed by default in OpenShift. To allow this user ID to be used, execute the following commands. Replace `<target-namespace>` with the appropriate namespace.
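Review bot: removing the whole "Automatic sidecar injection" section also removes the tip that said the `master-config.yaml` webhook patch is not needed on OpenShift 4.1 or higher, which was the only version statement left in this part of the page. Suggest adding a line near the top of the page naming the minimum supported OpenShift version, so a reader on a 3.x cluster does not follow the remaining steps and end up without the admission webhooks enabled. The section that now follows directly is titled "Privileged security context constraints" while its text only describes allowing user ID 1337; the commands are outside this hunk, but it is worth confirming the heading matches the constraint actually granted.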