Kong Mesh
1.0.x
You are browsing documentation for an outdated version. See the latest documentation here.

Kong Mesh with OpenShift

To install and run Kong Mesh on OpenShift, execute the following steps:

  • 1. Download Kong Mesh
  • 2. Run Kong Mesh
  • 3. Verify the Installation

Finally, you can follow the Quickstart to take it from here and continue your Kong Mesh journey.

Prerequisites

You have a license for Kong Mesh.

1. Download Kong Mesh

To run Kong Mesh on OpenShift, you need to download a compatible version of Kong Mesh for the machine from which you will be executing the commands.

Script:

You can run the following script to automatically detect the operating system and download Kong Mesh:

$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION=1.0.4 sh -

Manually:

You can also download the distribution manually. Download a distribution for the client host from where you will be executing the commands to access Kubernetes:

  • CentOS
  • Red Hat
  • Debian
  • Ubuntu
  • macOS

Then, extract the archive with:

$ tar xvzf kong-mesh-1.0.4*.tar.gz

2. Run Kong Mesh

Note: Before running the Kong Mesh control plane process in the next step — which is served by the kuma-cp container — you need to have a valid Kong Mesh license in place.

Navigate to the bin folder:

$ cd kong-mesh-1.0.4/bin

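We suggest adding the kumactl executable to your PATH so that it’s always available in every working directory. Alternatively, you can also create a link in /usr/local/bin/ by executing the following from the bin folder (the link target must be an absolute path, because a relative target is resolved from /usr/local/bin/):

$ ln -s "$PWD/kumactl" /usr/local/bin/kumactl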

Then, run the control plane on OpenShift with:

OpenShift 4.x:

$ kumactl install control-plane --cni-enabled --license-path=/path/to/license.json | oc apply -f -

Starting from version 4.1, OpenShift uses nftables instead of iptables, so using an init container to redirect traffic to the proxy no longer works. Instead, we use kuma-cni, which can be installed with the --cni-enabled flag.

OpenShift 3.11:

By default, MutatingAdmissionWebhook and ValidatingAdmissionWebhook are disabled on OpenShift 3.11.

To make them work, add the following pluginConfig into /etc/origin/master/master-config.yaml on the master node:

admissionConfig:
  pluginConfig:
    MutatingAdmissionWebhook:
      configuration:
        apiVersion: apiserver.config.k8s.io/v1alpha1
        kubeConfigFile: /dev/null
        kind: WebhookAdmission
    ValidatingAdmissionWebhook:
      configuration:
        apiVersion: apiserver.config.k8s.io/v1alpha1
        kubeConfigFile: /dev/null
        kind: WebhookAdmission

After updating master-config.yaml, restart the cluster and install the control plane:

$ ./kumactl install control-plane --license-path=/path/to/license.json | oc apply -f -

Where /path/to/license.json is the path to a valid Kong Mesh license file on the file system.

This example will run Kong Mesh in standalone mode for a flat deployment, but there are more advanced deployment modes like multi-zone.

Note: It may take a while for OpenShift to start the Kong Mesh resources. You can check the status by executing:
$ oc get pod -n kuma-system

3. Verify the Installation

Now that Kong Mesh (kuma-cp) has been installed in the newly created kuma-system namespace, you can access the control plane using either the GUI, oc, the HTTP API, or the CLI:

GUI (Read-Only):

Kong Mesh ships with a read-only GUI that you can use to retrieve Kong Mesh resources. By default, the GUI listens on the API port 5681 and defaults to :5681/gui.

To access Kong Mesh, port-forward the API service with:

$ oc port-forward svc/kuma-control-plane -n kuma-system 5681:5681

Now you can navigate to 127.0.0.1:5681/gui to see the GUI.

oc (Read & Write):

You can use Kong Mesh with oc to perform read and write operations on Kong Mesh resources. For example:

$ oc get meshes

NAME          AGE
default       1m

Or, you can enable mTLS on the default Mesh with:

$ echo "apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
    - name: ca-1
      type: builtin" | oc apply -f -

HTTP API (Read-Only):

Kong Mesh ships with a read-only HTTP API that you can use to retrieve Kong Mesh resources. By default, the HTTP API listens on port 5681.

To access Kong Mesh, port-forward the API service with:

$ oc port-forward svc/kuma-control-plane -n kuma-system 5681:5681

Now you can navigate to 127.0.0.1:5681 to see the HTTP API.

kumactl (Read-Only):

You can use the kumactl CLI to perform read-only operations on Kong Mesh resources. The kumactl binary is a client to the Kong Mesh HTTP API. To use it, first port-forward the API service with:

$ oc port-forward svc/kuma-control-plane -n kuma-system 5681:5681

Then run kumactl. For example:

$ kumactl get meshes

NAME          mTLS      METRICS      LOGGING   TRACING
default       off       off          off       off

You can configure kumactl to point to any remote kuma-cp instance by running:

$ kumactl config control-planes add --name=XYZ --address=http://{address-to-kong-mesh}:5681

You will notice that Kong Mesh automatically creates a Mesh entity with the name default.
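
The kumactl get meshes output above shows the default Mesh with mTLS off until a backend is enabled. The following added example (not part of the Kong Mesh docs) reads that table and reports every mesh whose mTLS column is still off, so a post-install check can fail on it. The function name, the second mesh and the "builtin/ca-1" cell are assumptions made for the sample.

```shell
#!/bin/sh
# Added example, not part of the Kong Mesh docs.
# Reads `kumactl get meshes` table output on stdin and prints the name of
# every mesh whose mTLS column is "off".
# Exit status: 0 = all meshes have mTLS enabled, 1 = at least one is off,
#              2 = no mTLS column found (unexpected output format).
meshes_without_mtls() {
  awk '
    !col && NF {                     # first non-empty line is the header
      for (i = 1; i <= NF; i++) if ($i == "mTLS") col = i
      if (!col) exit                 # END reports status 2
      next
    }
    NF && $col == "off" { print $1; found = 1 }
    END { if (!col) exit 2; exit found + 0 }
  '
}

# Output copied from this page (fresh install).
SAMPLE_FRESH='NAME          mTLS      METRICS      LOGGING   TRACING
default       off       off          off       off'

# Constructed sample: "payments" is a hypothetical second mesh, and the
# "builtin/ca-1" cell is an assumed rendering of an enabled backend.
SAMPLE_MIXED='NAME          mTLS           METRICS      LOGGING   TRACING
default       builtin/ca-1   off          off       off
payments      off            off          off       off'

# Demo: only the mTLS column is checked; "off" in METRICS, LOGGING or
# TRACING does not flag a mesh.
printf '%s\n' "$SAMPLE_MIXED" | meshes_without_mtls \
  || echo "mTLS is disabled on the meshes listed above"
```

Against a live control plane, pipe the real command into the function: kumactl get meshes | meshes_without_mtls.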

Note: Kong Mesh explicitly specifies a UID for kuma-dp sidecar to avoid capturing traffic from kuma-dp itself. For that reason, a nonroot Security Context Constraint has to be granted to the application namespace:
$ oc adm policy add-scc-to-group nonroot system:serviceaccounts:<app-namespace>
If the namespace is not configured properly, you will see the following error on the Deployment or DeploymentConfig:
'pods "kuma-demo-backend-v0-cd6b68b54-" is forbidden: unable to validate against any security context constraint:
[spec.containers[1].securityContext.securityContext.runAsUser: Invalid value: 5678: must be in the ranges: [1000540000, 1000549999]]'

4. Quickstart

Congratulations! You have successfully installed Kong Mesh.

Note: Before running the Kuma Demo in the Quickstart guide, run the following command:
$ oc adm policy add-scc-to-group anyuid system:serviceaccounts:kuma-demo
One of the components in the demo requires root access, therefore it uses the anyuid instead of the nonroot permission.

After installation and the above command, the Kuma quickstart documentation is fully compatible with Kong Mesh, except that you are running Kong Mesh containers instead of the vanilla Kuma ones.

To start using Kong Mesh, see the quickstart guide for Kubernetes deployments.
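
The two SCC grants above differ in scope: nonroot for application namespaces, anyuid only for kuma-demo. The following added example (not part of the Kong Mesh docs) flags pods that were admitted under an SCC outside an allow-list, using the openshift.io/scc annotation that OpenShift records on admitted pods. The function name, the allow-list and the sample pod names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Kong Mesh docs.
# Input on stdin: one "pod-name<TAB>scc" line per pod, e.g. produced with
#   oc get pods -n <app-namespace> -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.annotations.openshift\.io/scc}{"\n"}{end}'
# $1: space-separated allow-list of SCC names for that namespace.
# Prints "pod scc" for every pod admitted under an SCC outside the allow-list
# ("<none>" when the annotation is missing). Exit status 1 if any was printed.
pods_outside_scc_allowlist() {
  awk -F '\t' -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF == 0 { next }
    {
      scc = ($2 == "" ? "<none>" : $2)
      if (!(scc in ok)) { print $1 " " scc; bad = 1 }
    }
    END { exit bad + 0 }
  '
}

# Constructed sample: hypothetical pods in an application namespace that was
# only meant to receive the nonroot grant.
SAMPLE_PODS=$(printf 'web-7c9d\tnonroot\nbatch-0\tanyuid\ncache-1\trestricted\n')

# Demo: reports "batch-0 anyuid", the one pod running under a broader SCC.
printf '%s\n' "$SAMPLE_PODS" | pods_outside_scc_allowlist "restricted nonroot" \
  || echo "pods listed above exceed the nonroot grant"
```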
