To install and run Kuma on OpenShift execute the following steps:
Finally, you can follow the Quickstart to take it from here and continue your Kuma journey.
1. Download Kuma
To run Kuma on Kubernetes, you need to download the Kuma CLI (kumactl) on your machine.
You can run the following script to automatically detect the operating system and download Kuma:
curl -L https://kuma.io/installer.sh | VERSION=2.0.2 sh -
You can omit the VERSION variable to install the latest version.
Once downloaded, you will find the contents of Kuma in the kuma-2.0.2 folder. In this folder, you will find - among other files - the bin directory that stores the executables for Kuma, including the CLI client
Note: On Kubernetes - of all the Kuma binaries in the bin folder - we only need
So we enter the bin folder by executing:
We suggest adding the kumactl executable to your PATH (by executing: PATH=$(pwd):$PATH) so that it’s always available in every working directory. Or - alternatively - you can also create a link in /usr/local/bin/ by executing:
ln -s $PWD/kuma-2.0.2/bin/kumactl /usr/local/bin/kumactl
2. Run Kuma
We can install and run Kuma:
./kumactl install control-plane --cni-enabled | oc apply -f -
Starting from version 4.1, OpenShift utilizes nftables instead of iptables, so using an init container for redirecting traffic to the proxy no longer works. Instead, we use the --cni-enabled flag to install the
This example will run Kuma in standalone mode for a “flat” deployment, but there are more advanced deployment modes like “multi-zone”.
It may take a while for OpenShift to start the Kuma resources. You can check the status by executing:
oc get pod -n kuma-system
3. Use Kuma
kuma-cp) will be installed in the newly created kuma-system namespace! Now that Kuma has been installed, you can access the control-plane via either the GUI, oc, the HTTP API, or the CLI:
Kuma ships with a read-only GUI that you can use to retrieve Kuma resources. By default the GUI listens on the API port and defaults to
To access Kuma we need to first port-forward the API service with:
oc port-forward svc/kuma-control-plane -n kuma-system 5681:5681
And then navigate to 127.0.0.1:5681/gui to see the GUI.
You will notice that Kuma automatically creates a Mesh entity with name
Kuma explicitly specifies the UID for the kuma-dp sidecar to avoid capturing traffic from kuma-dp itself. For that reason, the nonroot Security Context Constraint has to be granted to the application namespace:
oc adm policy add-scc-to-group nonroot system:serviceaccounts:<app-namespace>
If the namespace is not configured properly, we will see the following error on the
'pods "kuma-demo-backend-v0-cd6b68b54-" is forbidden: unable to validate against any security context constraint: [spec.containers.securityContext.securityContext.runAsUser: Invalid value: 5678: must be in the ranges: [1000540000, 1000549999]]'
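The rejection above happens because the requested UID 5678 lies outside the range allocated to the namespace. As an added example (not part of the Kuma documentation), this script extracts the rejected UID from such an error and derives the narrowest built-in SCC that admits it. The function names and the 1000540000/10000 annotation value are constructed for illustration, and "restricted" stands for the cluster's default SCC.

```shell
#!/bin/sh
# Added example: pick the least-privileged SCC for a requested runAsUser.

# uid_in_range RANGE UID
# RANGE uses the "<start>/<size>" form of the namespace annotation
# openshift.io/sa.scc.uid-range. Returns 0 when UID is inside the range.
uid_in_range() {
    start=${1%/*}
    size=${1#*/}
    [ "$2" -ge "$start" ] && [ "$2" -lt $((start + size)) ]
}

# uid_from_error MESSAGE
# Prints the rejected runAsUser value found in an admission error.
uid_from_error() {
    printf '%s\n' "$1" |
        sed -n 's/.*runAsUser: Invalid value: \([0-9][0-9]*\):.*/\1/p'
}

# required_scc RANGE UID
# Prints the narrowest of restricted < nonroot < anyuid that admits UID.
required_scc() {
    if uid_in_range "$1" "$2"; then
        echo restricted   # default SCC already admits the UID, no grant needed
    elif [ "$2" -ne 0 ]; then
        echo nonroot      # fixed non-zero UID outside the range (kuma-dp case)
    else
        echo anyuid       # UID 0: only for workloads that must run as root
    fi
}

# Constructed inputs: the range matches the bounds in the error quoted above.
NS_RANGE="1000540000/10000"
ERR='pods "kuma-demo-backend-v0-cd6b68b54-" is forbidden: unable to validate against any security context constraint: [spec.containers.securityContext.securityContext.runAsUser: Invalid value: 5678: must be in the ranges: [1000540000, 1000549999]]'

uid=$(uid_from_error "$ERR")
echo "requested UID $uid -> narrowest SCC: $(required_scc "$NS_RANGE" "$uid")"
```

On a cluster, the range comes from the openshift.io/sa.scc.uid-range annotation on the application namespace. Granting anyuid where nonroot is enough lets every service account in that namespace run containers as root.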
Congratulations! You have successfully installed Kuma on OpenShift 🚀.
In order to start using Kuma, it’s time to check out the quickstart guide for Kubernetes deployments.
Before running Kuma Demo in the Quickstart, remember to run the following command:
oc adm policy add-scc-to-group anyuid system:serviceaccounts:kuma-demo
In the case of Kuma Demo, one of the components requires root access, therefore we use anyuid instead of