Kong Mesh with OpenShift
To install and run Kong Mesh on OpenShift:
- Download Kong Mesh
- Run Kong Mesh
- Verify the Installation
Finally, you can follow the Quickstart to take it from here and continue your Kong Mesh journey.
Prerequisites
You have a license for Kong Mesh.
1. Download Kong Mesh
To run Kong Mesh on OpenShift, you need to download a
compatible version of Kong Mesh for the machine from which
you will be executing the commands.
You can run the following script to automatically detect the operating system
and download Kong Mesh:
$ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION=1.2.6 sh -
You can also download the distribution manually. Download a distribution for
the client host from where you will be executing the commands to access
Kubernetes:
Then, extract the archive with:
$ tar xvzf kong-mesh-1.2.6*.tar.gz
2. Run Kong Mesh
Navigate to the bin folder:
We suggest adding the kumactl executable to your PATH so that it's always available in every working directory. Alternatively, you can also create a link in /usr/local/bin/ by executing the following from the bin folder (the link target must be an absolute path; a relative target such as ./kumactl would make the link point at itself):
$ ln -s "$(pwd)/kumactl" /usr/local/bin/kumactl
Then, run the control plane on OpenShift with:
OpenShift 4.x
$ kumactl install control-plane --cni-enabled --license-path=/path/to/license.json | oc apply -f -
Starting from version 4.1, OpenShift uses nftables instead of iptables, so using an init container to redirect traffic to the proxy no longer works. Instead, Kong Mesh uses kuma-cni, which is installed with the --cni-enabled flag.
OpenShift 3.11
By default, MutatingAdmissionWebhook and ValidatingAdmissionWebhook are disabled on OpenShift 3.11. To make them work, add the following pluginConfig into /etc/origin/master/master-config.yaml on the master node:
admissionConfig:
  pluginConfig:
    MutatingAdmissionWebhook:
      configuration:
        apiVersion: apiserver.config.k8s.io/v1alpha1
        kubeConfigFile: /dev/null
        kind: WebhookAdmission
    ValidatingAdmissionWebhook:
      configuration:
        apiVersion: apiserver.config.k8s.io/v1alpha1
        kubeConfigFile: /dev/null
        kind: WebhookAdmission
After updating master-config.yaml, restart the cluster and install the control plane:
$ ./kumactl install control-plane --license-path=/path/to/license.json | oc apply -f -
Where /path/to/license.json is the path to a valid Kong Mesh license file on the file system.
This example will run Kong Mesh in standalone mode for a flat deployment, but there are more advanced deployment modes like multi-zone.
It may take a while for OpenShift to start the Kong Mesh resources. You can check the status by running:
$ oc get pod -n kong-mesh-system
3. Verify the Installation
Now you can access the control plane with the GUI (read-only), oc (read and write), the HTTP API (read-only), or the kumactl CLI (read-only):
GUI (Read-Only)
Kong Mesh ships with a read-only GUI that you can use to retrieve Kong Mesh resources. By default, the GUI listens on the API port 5681 and is served at :5681/gui.
To access Kong Mesh, port-forward the API service with:
$ oc port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681
Navigate to 127.0.0.1:5681/gui to see the GUI.
oc (Read & Write)
You can use Kong Mesh with oc to perform read and write operations on Kong Mesh resources. For example:
$ oc get meshes
NAME      AGE
default   1m
Or, you can enable mTLS on the default Mesh with:
$ echo "apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
      - name: ca-1
        type: builtin" | oc apply -f -
HTTP API (Read-Only)
Kong Mesh ships with a read-only HTTP API that you can use to retrieve Kong Mesh resources. By default, the HTTP API listens on port 5681.
To access Kong Mesh, port-forward the API service with:
$ oc port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681
Now you can navigate to 127.0.0.1:5681 to see the HTTP API.
kumactl (Read-Only)
You can use the kumactl CLI to perform read-only operations on Kong Mesh resources. The kumactl binary is a client to the Kong Mesh HTTP API. To use it, first port-forward the API service with:
$ oc port-forward svc/kong-mesh-control-plane -n kong-mesh-system 5681:5681
Then run kumactl. For example:
$ kumactl get meshes
NAME      mTLS   METRICS   LOGGING   TRACING
default   off    off       off       off
You can configure kumactl to point to any remote kuma-cp instance by running:
$ kumactl config control-planes add --name=XYZ --address=http://{address-to-kong-mesh}:5681
Notice that Kong Mesh automatically creates a Mesh entity with the name default.
Kong Mesh explicitly specifies a UID for the kuma-dp sidecar to avoid capturing traffic from kuma-dp itself. You must grant the nonroot Security Context Constraint (https://docs.openshift.com/container-platform/latest/authentication/managing-security-context-constraints.html) to the application namespace:
$ oc adm policy add-scc-to-group nonroot system:serviceaccounts:<app-namespace>
If the namespace is not configured properly, you will see the following error on the Deployment or DeploymentConfig:
'pods "kuma-demo-backend-v0-cd6b68b54-" is forbidden: unable to validate against any security context constraint:
[spec.containers[1].securityContext.securityContext.runAsUser: Invalid value: 5678: must be in the ranges: [1000540000, 1000549999]]'
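As an added example (not part of the Kong Mesh documentation), the following script parses the SCC rejection quoted above and derives which SCC grant the namespace is missing: none if the requested UID already falls in the namespace's allowed range, anyuid if the workload asks for UID 0, and nonroot for any other fixed UID such as the sidecar's. The sample error string is constructed from the message on this page; the namespace name is an assumed parameter.

```python
import re

# Constructed sample: the SCC admission error from this page, as it appears on a
# Deployment or DeploymentConfig when the namespace lacks a suitable SCC grant.
SAMPLE_ERROR = (
    'pods "kuma-demo-backend-v0-cd6b68b54-" is forbidden: unable to validate '
    'against any security context constraint: [spec.containers[1].securityContext'
    '.securityContext.runAsUser: Invalid value: 5678: must be in the ranges: '
    '[1000540000, 1000549999]]'
)

# Matches the requested runAsUser and the UID range the restricted SCC allows.
_UID_RE = re.compile(
    r"runAsUser: Invalid value: (?P<uid>\d+): must be in the ranges: "
    r"\[(?P<lo>\d+), (?P<hi>\d+)\]"
)


def parse_scc_error(msg):
    """Return (uid, lo, hi) from an SCC runAsUser rejection, or None if absent."""
    m = _UID_RE.search(msg)
    if not m:
        return None
    return int(m.group("uid")), int(m.group("lo")), int(m.group("hi"))


def required_scc(uid, lo, hi):
    """Name the SCC grant that clears the rejection: None, 'nonroot' or 'anyuid'."""
    if lo <= uid <= hi:
        return None        # restricted SCC already permits this UID
    if uid == 0:
        return "anyuid"    # root is only permitted by anyuid
    return "nonroot"       # any fixed non-zero UID, e.g. the kuma-dp sidecar


def remediation(msg, namespace):
    """Build the oc command granting the missing SCC to the namespace's service accounts."""
    parsed = parse_scc_error(msg)
    if parsed is None:
        return None
    scc = required_scc(*parsed)
    if scc is None:
        return None
    return f"oc adm policy add-scc-to-group {scc} system:serviceaccounts:{namespace}"


if __name__ == "__main__":
    print(remediation(SAMPLE_ERROR, "kuma-demo"))
```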
4. Quickstart
Congratulations! You have successfully installed Kong Mesh.
Before running the Kuma Demo in the Quickstart guide, run the following command:
$ oc adm policy add-scc-to-group anyuid system:serviceaccounts:kuma-demo
One of the components in the demo requires root access, so it uses the anyuid permission instead of nonroot.
The Kuma quickstart documentation is fully compatible with Kong Mesh, except that you are running Kong Mesh containers instead of Kuma containers.
To start using Kong Mesh, see the quickstart guide for Kubernetes deployments.