-
Download the archive for your operating system from the Minishift v1.25.0 Release page and extract its contents
-
Copy the contents of the directory to your preferred location.
-
Add the minishift binary to your PATH environment variable.
Run the following command to verify your minishift is configured correctly:
# returns minishift v1.25.0+90fb23e
minishift version
# make sure the profile is set correctly
minishift profile set knative
# Pinning to the right needed OpenShift version in this case v3.11.0
minishift config set openshift-version v3.11.0
# memory for the vm
minishift config set memory 8GB
# the vCpus for the vm
minishift config set cpus 4
# extra disk size for the vm
minishift config set disk-size 50g
# caching the images that will be downloaded during app deployments
minishift config set image-caching true
# Add new user called admin with password with role cluster-admin
minishift addons enable admin-user
# Allow the containers to be run with uid 0
minishift addons enable anyuid
# Start minishift
minishift start
eval $(minishift docker-env) && eval $(minishift oc-env)
#!/bin/bash
# Enable admission controller webhooks
# The configuration stanzas below look weird and are just to workaround
# https://bugzilla.redhat.com/show_bug.cgi?id=1635918
minishift openshift config set --target=kube --patch '{
"admissionConfig": {
"pluginConfig": {
"ValidatingAdmissionWebhook": {
"configuration": {
"apiVersion": "apiserver.config.k8s.io/v1alpha1",
"kind": "WebhookAdmission",
"kubeConfigFile": "/dev/null"
}
},
"MutatingAdmissionWebhook": {
"configuration": {
"apiVersion": "apiserver.config.k8s.io/v1alpha1",
"kind": "WebhookAdmission",
"kubeConfigFile": "/dev/null"
}
}
}
}
}'
-
wait for some time after this step to allow OpenShift to be restarted automatically. e.g. you can try doing
oc login -u admin -p admin
until you are able to login again.
SCCs (Security Context Constraints) are the precursor to the PSP (Pod Security Policy) mechanism in Kubernetes.
oc project myproject # Set privileged scc to default SA in myproject oc adm policy add-scc-to-user privileged -z default # Automatic Istio sidecar injection oc label namespace myproject istio-injection=enabled oc get namespace --show-labels #(1)
-
This should show the myproject namespace with istio-injection=enabled label
# Grant the necessary privileges to the service accounts Istio will use:
oc adm policy add-scc-to-user anyuid -z istio-ingress-service-account -n istio-system
oc adm policy add-scc-to-user anyuid -z default -n istio-system
oc adm policy add-scc-to-user anyuid -z prometheus -n istio-system
oc adm policy add-scc-to-user anyuid -z istio-egressgateway-service-account -n istio-system
oc adm policy add-scc-to-user anyuid -z istio-citadel-service-account -n istio-system
oc adm policy add-scc-to-user anyuid -z istio-ingressgateway-service-account -n istio-system
oc adm policy add-scc-to-user anyuid -z istio-cleanup-old-ca-service-account -n istio-system
oc adm policy add-scc-to-user anyuid -z istio-mixer-post-install-account -n istio-system
oc adm policy add-scc-to-user anyuid -z istio-mixer-service-account -n istio-system
oc adm policy add-scc-to-user anyuid -z istio-pilot-service-account -n istio-system
oc adm policy add-scc-to-user anyuid -z istio-sidecar-injector-service-account -n istio-system
oc adm policy add-cluster-role-to-user cluster-admin -z istio-galley-service-account -n istio-system
# Deploy Istio
curl -L https://storage.googleapis.com/knative-releases/serving/latest/istio.yaml
Important
|
The Istio v1.0.1 and above release automatic sidecar injection has removed #/bin/bash $ oc get cm istio-sidecar-injector -n istio-system -oyaml | sed -e 's/securityContext:/securityContext:\\n privileged: true/' | oc replace -f - Please run this command only once to avoid multiple additions |
-
This will setup the required OpenShift security policies that are required to deploy and make Istio functional
Wait until all the pods on istio-system are up and running, you can verify it with the command oc get pods -w -n istio-system
.
Knative Serving supports deploying of serverless functions and applications on Kubernetes.
#/bin/bash
# Grant the necessary privileges to the service accounts Knative will use:
oc adm policy add-scc-to-user anyuid -z build-controller -n knative-build
oc adm policy add-scc-to-user anyuid -z controller -n knative-serving
oc adm policy add-scc-to-user anyuid -z autoscaler -n knative-serving
oc adm policy add-cluster-role-to-user cluster-admin -z build-controller -n knative-build
oc adm policy add-cluster-role-to-user cluster-admin -z controller -n knative-serving
# Deploy Knative serving
curl -L https://storage.googleapis.com/knative-releases/serving/latest/release-no-mon.yaml
-
This will setup the required OpenShift security policies that are required to deploy and make Knative functional
Wait until all the pods in the knative-serving are up and running, you can verify it with the command oc get pods -n knative-serving -w
and oc get pods -n knative-build -w
.
Tip
|
Add the minishift ingress CIDR to the OS routing table to allow calling Knative services using LoadBalancer IP: # Only for macOS sudo route -n add -net $(minishift openshift config view | grep ingressIPNetworkCIDR | awk '{print $NF}') $(minishift ip) # Only for Linux sudo ip route add $(minishift openshift config view | grep ingressIPNetworkCIDR | sed 's/\r$//' | awk '{print $NF}') via $(minishift ip) |
oc project myproject export IP_ADDRESS=$(oc get svc knative-ingressgateway -n istio-system -o 'jsonpath={.status.loadBalancer.ingress[0].ip}') echo ' apiVersion: serving.knative.dev/v1alpha1 # Current version of Knative kind: Service metadata: name: helloworld-go # The name of the app spec: runLatest: configuration: revisionTemplate: spec: container: image: gcr.io/knative-samples/helloworld-go # The URL to the image of the app env: - name: TARGET # The environment variable printed out by the sample app value: "Go Sample v1" ' | oc create -f - # Wait for the hello pod to enter its `Running` state oc get pod --watch # This should output 'Hello World: Go Sample v1!' curl -H "Host: helloworld-go.myproject.example.com" http://$IP_ADDRESS
The curl above should return "Hello World: Go Sample v1!".
If you’d like to view the available sample apps and deploy one of your choosing, head to the sample apps repo.