To run Kuma on OpenShift, you need to download a compatible version of Kuma for the machine from which you will be executing the commands.
You can run the following script to automatically detect the operating system and download Kuma:
$ curl -L https://kuma.io/installer.sh |sh -
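The same installer step as a fetch-then-verify flow, so that the script that runs is the one you reviewed. This is an added example, not part of the Kuma documentation; the function names are hypothetical, and the pinned digest is a value you record yourself after reading the script, since this page publishes no checksum.

```shell
#!/bin/sh
# Added example: download the installer to a file and run it only if its
# SHA-256 matches a digest pinned after review. INSTALLER_URL is the URL
# from the page; all function names here are hypothetical.
INSTALLER_URL="https://kuma.io/installer.sh"

# Print the SHA-256 of a file using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only if the file is non-empty and its digest equals the pin.
digest_matches() {
    file=$1
    pinned=$2
    [ -s "$file" ] || return 1
    [ "$(sha256_of "$file")" = "$pinned" ]
}

# Fetch the installer, compare against the pinned digest, and refuse to
# execute on any mismatch or download failure.
fetch_and_run_pinned() {
    pinned=$1
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$INSTALLER_URL" -o "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if digest_matches "$tmp" "$pinned"; then
        sh "$tmp"
        rc=$?
    else
        echo "installer digest $(sha256_of "$tmp") != pinned $pinned; not running" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

Call `fetch_and_run_pinned <digest>` with the digest recorded at review time; a changed upstream script then fails closed and prints the new digest for re-review.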
You can also download the distribution manually. Download a distribution for the client host from which you will be executing the commands to access OpenShift:
Once downloaded, you will find the contents of Kuma in the kuma-0.5.0 folder. In this folder, you will find - among other files - the bin directory that stores the executables for Kuma, including the CLI client kumactl.
Note: On OpenShift - of all the Kuma binaries in the bin folder - we only need kumactl.
So we enter the bin folder by executing:
$ cd kuma-0.5.0/bin
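We suggest adding the kumactl executable to your PATH so that it's always available in every working directory. Alternatively, you can create a link in /usr/local/bin/ by executing the following from the bin folder (the link target must be an absolute path, because a relative target is resolved against /usr/local/bin/ rather than the current directory):
$ ln -s "$(pwd)/kumactl" /usr/local/bin/kumactl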
And we can then proceed to install Kuma on OpenShift with:
Starting from version 4.1, OpenShift uses nftables instead of iptables, so using an init container to redirect traffic to the proxy no longer works. Instead, we use kuma-cni, which can be installed with the --cni-enabled flag.
By default MutatingAdmissionWebhook and ValidatingAdmissionWebhook are disabled on OpenShift 3.11.
To make it work, add the following pluginConfig to /etc/origin/master/master-config.yaml on the master node:
Kuma (kuma-cp) will be installed in the newly created kuma-system namespace! Now that Kuma has been installed, you can access the control-plane via either the GUI, oc, the HTTP API, or the CLI:
Kuma ships with a read-only GUI that you can use to retrieve Kuma resources. By default the GUI listens on port 5683.
To access Kuma we need to first port-forward the GUI service with:
You can use the kumactl CLI to perform read-only operations on Kuma resources. The kumactl binary is a client to the Kuma HTTP API, so you will first need to port-forward the API service with:
You will notice that Kuma automatically creates a Mesh entity with name default.
Kuma explicitly specifies a UID for kuma-dp to avoid capturing traffic from kuma-dp itself. For that reason, a special privilege has to be granted to the application namespace: