From 602f07f6fb6da07f3787ba0e965e8b5b954f1f50 Mon Sep 17 00:00:00 2001 From: David Freeman Date: Wed, 13 May 2020 05:24:09 -0700 Subject: [PATCH 1/4] Add SCC changes for Openshift I had issues with getting the pods up and running. Turns out it was the secure contexts, and once I set the secure context to anyuid all pods were able to start successfully. --- documentation/modules/ROOT/pages/1setup.adoc | 22 ++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/documentation/modules/ROOT/pages/1setup.adoc b/documentation/modules/ROOT/pages/1setup.adoc index 6202911c..d9a294fc 100644 --- a/documentation/modules/ROOT/pages/1setup.adoc +++ b/documentation/modules/ROOT/pages/1setup.adoc 
@@ -116,6 +116,24 @@ kubectl config set-context $(kubectl config current-context) --namespace=istio-s IMPORTANT: `istio-demo.yaml` enables policy enforcement by default which is required in some sections of the tutorial. Please refer to https://istio.io/docs/tasks/policy-enforcement/enabling-policy/ if you are not using this file. +If using OpenShift, secure contexts will need to be modified to allow ingress, egress, and Prmetheus to run. + +[.console-input] +[source,bash,subs="attributes+,+macros"] +--- +oc adm policy add-scc-to-user anyuid -z istio-galley-service-account -n istio-system +oc adm policy add-scc-to-user anyuid -z istio-galley-service-account -n istio-system^C +oc adm policy add-scc-to-user anyuid -z istio-egressgateway-service-account -n istio-system +oc adm policy add-scc-to-user anyuid -z istio-citadel-service-account -n istio-system +oc adm policy add-scc-to-user anyuid -z istio-ingressgateway-service-account -n istio-system +oc adm policy add-scc-to-user anyuid -z istio-cleanup-old-ca-service-account -n istio-system +oc adm policy add-scc-to-user anyuid -z istio-mixer-post-install-account -n istio-system +oc adm policy add-scc-to-user anyuid -z istio-mixer-service-account -n istio-system +oc adm policy add-scc-to-user anyuid -z istio-pilot-service-account -n istio-system +oc adm policy add-scc-to-user anyuid -z istio-sidecar-injector-service-account -n istio-system +oc adm policy add-scc-to-user anyuid -z prometheus -n istio-system +--- + Wait for Istio's components to be ready [.console-input] 
@@ -149,7 +167,7 @@ Istio is supported in OpenShift by Red Hat OpenShift Service Mesh operator. To install it, you need to follow the instructions written in: https://docs.openshift.com/container-platform/4.3/service_mesh/service_mesh_install/preparing-ossm-installation.html -It is important that after you finish with the installation, all the required pods are delpyed in `istio-system` namespace: +It is important that after you finish with the installation, all the required pods are deployed in `istio-system` namespace: [.console-input] [source,bash,subs="attributes+,+macros"] @@ -175,4 +193,4 @@ kiali-78d9c5b87c-snjzh 0/1 Running 0 2 prometheus-6dff867c97-gr2n5 2/2 Running 0 28h ---- -- -==== \ No newline at end of file +==== From 558f54b7bfde2f46ca1ec0b1c6e3c544e3cc36ac Mon Sep 17 00:00:00 2001 From: David Freeman Date: Wed, 13 May 2020 05:29:06 -0700 Subject: [PATCH 2/4] fixed spelling fixed spelling of Prometheus --- documentation/modules/ROOT/pages/1setup.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/ROOT/pages/1setup.adoc b/documentation/modules/ROOT/pages/1setup.adoc index d9a294fc..16721705 100644 --- a/documentation/modules/ROOT/pages/1setup.adoc +++ b/documentation/modules/ROOT/pages/1setup.adoc @@ -116,7 +116,7 @@ kubectl config set-context $(kubectl config current-context) --namespace=istio-s IMPORTANT: `istio-demo.yaml` enables policy enforcement by default which is required in some sections of the tutorial. Please refer to https://istio.io/docs/tasks/policy-enforcement/enabling-policy/ if you are not using this file. -If using OpenShift, secure contexts will need to be modified to allow ingress, egress, and Prmetheus to run. +If using OpenShift, secure contexts will need to be modified to allow ingress, egress, and Prometheus to run. [.console-input] [source,bash,subs="attributes+,+macros"] From 6da1b4fda39a9ae4eadd23caf0883a7ebfd4f01d Mon Sep 17 00:00:00 2001 
From: David Freeman Date: Wed, 13 May 2020 05:42:17 -0700 Subject: [PATCH 3/4] Simplify Found that the official Openshift Istio documentation mentions executing a single command to modify security contexts for all service accounts within a namespace. https://istio.io/docs/setup/platform-setup/openshift/ --- documentation/modules/ROOT/pages/1setup.adoc | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/documentation/modules/ROOT/pages/1setup.adoc b/documentation/modules/ROOT/pages/1setup.adoc index 16721705..73bc8c9c 100644 --- a/documentation/modules/ROOT/pages/1setup.adoc +++ b/documentation/modules/ROOT/pages/1setup.adoc 
@@ -116,22 +116,12 @@ kubectl config set-context $(kubectl config current-context) --namespace=istio-s IMPORTANT: `istio-demo.yaml` enables policy enforcement by default which is required in some sections of the tutorial. Please refer to https://istio.io/docs/tasks/policy-enforcement/enabling-policy/ if you are not using this file. -If using OpenShift, secure contexts will need to be modified to allow ingress, egress, and Prometheus to run. +If using OpenShift, modify security contexts to ensure that all pods start properly. [.console-input] [source,bash,subs="attributes+,+macros"] --- -oc adm policy add-scc-to-user anyuid -z istio-galley-service-account -n istio-system -oc adm policy add-scc-to-user anyuid -z istio-galley-service-account -n istio-system^C -oc adm policy add-scc-to-user anyuid -z istio-egressgateway-service-account -n istio-system -oc adm policy add-scc-to-user anyuid -z istio-citadel-service-account -n istio-system -oc adm policy add-scc-to-user anyuid -z istio-ingressgateway-service-account -n istio-system -oc adm policy add-scc-to-user anyuid -z istio-cleanup-old-ca-service-account -n istio-system -oc adm policy add-scc-to-user anyuid -z istio-mixer-post-install-account -n istio-system -oc adm policy add-scc-to-user anyuid -z istio-mixer-service-account -n istio-system -oc adm policy add-scc-to-user anyuid -z istio-pilot-service-account -n istio-system -oc adm policy add-scc-to-user anyuid -z istio-sidecar-injector-service-account -n istio-system -oc adm policy add-scc-to-user anyuid -z prometheus -n istio-system +oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system --- Wait for Istio's components to be ready From 9df89099ea5334e63a5e5540fd065d62b635a39b Mon Sep 17 00:00:00 2001 
From: David Freeman Date: Wed, 13 May 2020 05:48:55 -0700 Subject: [PATCH 4/4] Simplified Moved note to a Minishift section next to Openshift. Minishift requires a separate note since the Openshift operator instructions are for OpenShift 4.x, and Minishift uses Openshift 3.x. --- documentation/modules/ROOT/pages/1setup.adoc | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/documentation/modules/ROOT/pages/1setup.adoc b/documentation/modules/ROOT/pages/1setup.adoc index 73bc8c9c..06e43231 100644 --- a/documentation/modules/ROOT/pages/1setup.adoc +++ b/documentation/modules/ROOT/pages/1setup.adoc @@ -157,6 +157,18 @@ Istio is supported in OpenShift by Red Hat OpenShift Service Mesh operator. To install it, you need to follow the instructions written in: https://docs.openshift.com/container-platform/4.3/service_mesh/service_mesh_install/preparing-ossm-installation.html +-- +Minishift:: ++ +--- +Modify security contexts to ensure that all pods start properly. + +[.console-input] +[source,bash,subs="attributes+,+macros"] +---- +oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system +---- + It is important that after you finish with the installation, all the required pods are deployed in `istio-system` namespace: [.console-input]
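
Review bot: In PATCH 1/4, hunk `@@ -116,6 +116,24 @@`, the second `oc adm policy add-scc-to-user` line repeats the `istio-galley-service-account` grant and ends with a pasted `^C`; drop it so readers do not copy a broken command. The added sentence names only ingress, egress and Prometheus, but the commands grant `anyuid` to ten service accounts, and it calls the thing being changed "secure contexts" where the commands bind an SCC (security context constraint). Since `anyuid` lets those pods run as any UID, including root, the text should say that this is what is being relaxed. The block is also delimited with `---`, while the listings visible elsewhere in this file use `----`.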
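
Review bot: In PATCH 3/4, the added line `oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system` widens the grant from ten named service accounts to every service account in `istio-system`, including any created later, and the new sentence ("modify security contexts to ensure that all pods start properly") does not tell the reader that. Suggest stating that `anyuid` permits containers to run as any UID, including root, and giving the matching cleanup command, `oc adm policy remove-scc-from-group anyuid system:serviceaccounts:istio-system`, for when the tutorial is finished. The `---` delimiters left as context around the command should be `----` to match the rest of the file.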
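
Review bot: In PATCH 4/4, the commit message says the note was moved, but the hunk at `@@ -157,6 +157,18 @@` only adds lines (12 insertions, no deletions), so the block added near line 119 in PATCH 3/4 stays in place and the `anyuid` group grant is now documented twice, once outside the Minishift entry. Remove the earlier copy so OpenShift 4.x readers following the operator instructions are not told to grant `anyuid`. Two layout points in the same hunk: `+---` after `Minishift::` and `+` is three dashes where the open-block delimiter is `--`, and the unchanged paragraph "It is important that after you finish with the installation..." belongs to the operator install steps but now follows the Minishift content; insert the Minishift entry after that paragraph and its pod listing instead.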