You can also download the distribution manually. Download a distribution for the client host from where you will be executing the commands to access OpenShift:
macOS: https://packages.konghq.com/public/kuma-legacy/raw/names/kuma-darwin-amd64/versions/2.9.0/kuma-2.9.0-darwin-amd64.tar.gz or run brew install kumactl
and extract the archive with:
tar xvzf kuma-*.tar.gz
2. Run Kuma
Once downloaded, you will find the contents of Kuma in the kuma-2.9.0 folder. In this folder, you will find - among other files - the bin directory that stores the executables for Kuma, including the CLI client kumactl.
Note: On OpenShift - of all the Kuma binaries in the bin folder - we only need kumactl.
So we enter the bin folder by executing:
cd kuma-*/bin
We suggest adding the kumactl executable to your PATH so that it’s always available in every working directory. Alternatively, you can create a link in /usr/local/bin/ by executing:
ln -s "$PWD/kumactl" /usr/local/bin/kumactl
Finally we can install and run Kuma in either standalone or multi-zone mode:
Starting from version 4.1, OpenShift uses nftables instead of iptables, so using an init container to redirect traffic to the proxy no longer works. Instead, we use kuma-cni, which can be installed with the --cni-enabled flag.
Standalone mode is perfect when running Kuma in a single cluster across one environment.
By default MutatingAdmissionWebhook and ValidatingAdmissionWebhook are disabled on OpenShift 3.11.
In order to make it work add the following pluginConfig into /etc/origin/master/master-config.yaml on the master node:
After updating master-config.yaml restart the cluster and install control-plane:
./kumactl install control-plane | oc apply -f -
Multi-zone mode is perfect when running one deployment of Kuma that spans across multiple Kubernetes clusters, clouds and VM environments under the same Kuma deployment.
This mode also supports hybrid Kubernetes + VMs deployments.
It may take a while for OpenShift to start the Kuma resources. You can check the status by executing:
oc get pod -n kuma-system
3. Use Kuma
Kuma (kuma-cp) will be installed in the newly created kuma-system namespace! Now that Kuma has been installed, you can access the control-plane via either the GUI, oc, the HTTP API, or the CLI:
And then you can navigate to 127.0.0.1:5681 to see the HTTP API.
You can use the kumactl CLI to perform read-only operations on Kuma resources. The kumactl binary is a client to the Kuma HTTP API, so you will need to first port-forward the API service with:
You will notice that Kuma automatically creates a Mesh entity with name default.
Kuma explicitly specifies the UID for the kuma-dp sidecar to avoid capturing traffic from kuma-dp itself. For that reason, the nonroot Security Context Constraint has to be granted to the application namespace:
If the namespace is not configured properly, we will see the following error on the Deployment or DeploymentConfig:
'pods "kuma-demo-backend-v0-cd6b68b54-" is forbidden: unable to validate against any security context constraint: [spec.containers[1].securityContext.securityContext.runAsUser: Invalid value: 5678: must be in the ranges: [1000540000, 1000549999]]'
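The following triage helper is an added example, not part of the Kuma documentation. It parses rejections of the kind quoted above and separates the case this page describes (the kuma-dp UID falling outside the namespace range) from other containers that pin a UID, so the nonroot SCC is only granted where the sidecar is the cause. It assumes 5678 is the kuma-dp UID, as it appears in the error above; scc_triage, sample_events and the second and third sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Kuma documentation.
# Assumption: 5678 is the fixed kuma-dp sidecar UID, as it appears in the error above.
KUMA_DP_UID=${KUMA_DP_UID:-5678}

# sed pattern capturing: pod prefix, container index, rejected UID, range low, range high.
NUM='\([0-9][0-9]*\)'
RE='.*pods "\([^"]*\)".*spec\.containers\['$NUM'].*runAsUser: Invalid value: '$NUM
RE=$RE': must be in the ranges: \['$NUM', *'$NUM'].*'

# scc_triage reads event or condition messages on stdin, one per line, and prints
#   <pod-prefix> <container-index> <uid> <range-low> <range-high> <verdict>
# for every runAsUser SCC rejection. Returns 0 if any was found, 1 otherwise.
scc_triage() {
    found=1
    while IFS= read -r line; do
        case $line in
            *"unable to validate against any security context constraint"*"runAsUser: Invalid value"*) ;;
            *) continue ;;
        esac
        fields=$(printf '%s\n' "$line" | sed -n "s/$RE/\1 \2 \3 \4 \5/p")
        [ -n "$fields" ] || continue
        set -- $fields
        if [ "$3" -ge "$4" ] && [ "$3" -le "$5" ]; then
            verdict=uid-in-range
        elif [ "$3" -eq "$KUMA_DP_UID" ]; then
            # Sidecar UID outside the namespace range: the case this page describes.
            verdict=grant-nonroot-scc
        else
            # Another container pins a UID; review it before widening the SCC.
            verdict=review-fixed-uid
        fi
        printf '%s %s %s %s %s %s\n' "$1" "$2" "$3" "$4" "$5" "$verdict"
        found=0
    done
    return "$found"
}

# Constructed input: the first line is the error quoted above, the rest are made up.
sample_events() {
    cat <<'EOF'
pods "kuma-demo-backend-v0-cd6b68b54-" is forbidden: unable to validate against any security context constraint: [spec.containers[1].securityContext.securityContext.runAsUser: Invalid value: 5678: must be in the ranges: [1000540000, 1000549999]]
pods "example-app-" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 1001: must be in the ranges: [1000540000, 1000549999]]
Scaled up replica set example-app-5d9c7b to 1
EOF
}

sample_events | scc_triage
```

On a cluster, the same function can read the messages from oc get events for the application namespace instead of the constructed sample.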
4. Quickstart
Congratulations! You have successfully installed Kuma on OpenShift 🚀.