OpenShift

To install and run Kuma on OpenShift execute the following steps:

Finally, you can follow the Quickstart to take it from here and continue your Kuma journey.

1. Download Kuma

To run Kuma on Kubernetes, you need to download the Kuma cli (kumactl) on your machine.

You can run the following script to automatically detect the operating system and download Kuma:

  1. curl -L https://kuma.io/installer.sh | VERSION=2.1.1 sh -

You can omit the VERSION variable to install the latest version.

You can also download the distribution manually. Download a distribution for the client host from where you will be executing the commands to access Kubernetes:

and extract the archive with tar xvzf kuma-2.1.1.tar.gz

Once downloaded, you will find the contents of Kuma in the kuma-2.1.1 folder. In this folder, you will find - among other files - the bin directory that stores the executables for Kuma, including the CLI client kumactl.

Note: On Kubernetes - of all the Kuma binaries in the bin folder - we only need kumactl.

So we enter the bin folder by executing: cd kuma-2.1.1/bin

We suggest adding the kumactl executable to your PATH (by executing: PATH=$(pwd):$PATH) so that it’s always available in every working directory. Or - alternatively - you can also create link in /usr/local/bin/ by executing:

  1. ln -s $PWD/kuma-2.1.1/bin/kumactl /usr/local/bin/kumactl

2. Run Kuma

We can install and run Kuma:

  1. ./kumactl install control-plane --cni-enabled | oc apply -f -

Starting from version 4.1 OpenShift utilizes nftables instead of iptables. So using init container for redirecting traffic to the proxy no longer works. Instead, we use the --cni-enabled flag to install the kuma-cni .

By default MutatingAdmissionWebhook and ValidatingAdmissionWebhook are disabled on OpenShift 3.11. In order to make it work add the following pluginConfig into /etc/origin/master/master-config.yaml on the master node:

  1. admissionConfig:
  2. pluginConfig:
  3. MutatingAdmissionWebhook:
  4. configuration:
  5. apiVersion: apiserver.config.k8s.io/v1alpha1
  6. kubeConfigFile: /dev/null
  7. kind: WebhookAdmission
  8. ValidatingAdmissionWebhook:
  9. configuration:
  10. apiVersion: apiserver.config.k8s.io/v1alpha1
  11. kubeConfigFile: /dev/null
  12. kind: WebhookAdmission

After updating master-config.yaml restart the cluster and install control-plane:

  1. ./kumactl install control-plane | oc apply -f -

This example will run Kuma in standalone mode for a “flat” deployment, but there are more advanced deployment modes like “multi-zone”.

It may take a while for OpenShift to start the Kuma resources, you can check the status by executing:

  1. oc get pod -n kuma-system

3. Use Kuma

Kuma (kuma-cp) will be installed in the newly created kuma-system namespace! Now that Kuma has been installed, you can access the control-plane via either the GUI, oc, the HTTP API, or the CLI:

Kuma ships with a read-only GUI that you can use to retrieve Kuma resources. By default the GUI listens on the API port and defaults to :5681/gui.

To access Kuma we need to first port-forward the API service with:

  1. oc port-forward svc/kuma-control-plane -n kuma-system 5681:5681

And then navigate to 127.0.0.1:5681/gui to see the GUI.

You can use Kuma with oc to perform read and write operations on Kuma resources. For example:

  1. oc get meshes
  2. # NAME AGE
  3. # default 1m

or you can enable mTLS on the default Mesh with:

  1. echo "apiVersion: kuma.io/v1alpha1
  2. kind: Mesh
  3. metadata:
  4. name: default
  5. spec:
  6. mtls:
  7. enabledBackend: ca-1
  8. backends:
  9. - name: ca-1
  10. type: builtin" | oc apply -f -

Kuma ships with a read-only HTTP API that you can use to retrieve Kuma resources.

By default the HTTP API listens on port 5681. To access Kuma we need to first port-forward the API service with:

  1. oc port-forward svc/kuma-control-plane -n kuma-system 5681:5681

And then you can navigate to 127.0.0.1:5681 to see the HTTP API.

You can use the kumactl CLI to perform read-only operations on Kuma resources. The kumactl binary is a client to the Kuma HTTP API, you will need to first port-forward the API service with:

  1. oc port-forward svc/kuma-control-plane -n kuma-system 5681:5681

and then run kumactl, for example:

  1. kumactl get meshes
  2. # NAME mTLS METRICS LOGGING TRACING
  3. # default off off off off

You can configure kumactl to point to any zone kuma-cp instance by running:

  1. kumactl config control-planes add --name=XYZ --address=http://{address-to-kuma}:5681

You will notice that Kuma automatically creates a Mesh entity with name default.

Kuma explicitly specifies UID for kuma-dp sidecar to avoid capturing traffic from kuma-dp itself. For that reason, nonroot Security Context Constraint has to be granted to the application namespace:

  1. oc adm policy add-scc-to-group nonroot system:serviceaccounts:<app-namespace>

If namespace is not configured properly, we will see following error on the Deployment or DeploymentConfig

  1. 'pods "kuma-demo-backend-v0-cd6b68b54-" is forbidden: unable to validate against any security context constraint: [spec.containers[1].securityContext.securityContext.runAsUser: Invalid value: 5678: must be in the ranges: [1000540000, 1000549999]]'

4. Quickstart

Congratulations! You have successfully installed Kuma on OpenShift 🚀.

In order to start using Kuma, it’s time to check out the quickstart guide for Kubernetes deployments.

Before running Kuma Demo in the Quickstart, remember to run the following command

  1. oc adm policy add-scc-to-group anyuid system:serviceaccounts:kuma-demo

In case of Kuma Demo, one of the component requires root access therefore we use anyuid instead of nonroot permission.