Update doc for knative deploy on IBMCloudPrivate #660
|
Hi @zxDiscovery. Thanks for your PR. I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Copy from #618 |
install/Knative-with-ICP.md
Outdated
|
|
||
| Knative requires an [IBM Cloud Private](https://www.ibm.com/cloud/private) cluster v3.1.1. See [Installing IBM Cloud Private Cloud Native, Enterprise, and Community editions]((https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/install_containers.html)) in the IBM Knowledge Center for install instructions. | ||
|
|
||
| ### Step 1: Install Docker for your boot node only |
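Review bot: on the "Knative requires" line, the Knowledge Center URL is wrapped in doubled parentheses, `((` and `))`, so the Markdown link will not render; use a single pair around the URL.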
I think we do not need step 1 to step 5; just navigating this to the IBM Cloud Private KC is good enough.
Also, please navigate to the IBM Cloud Private CE version, as the EE version is not free.
If pointing out to the IBM Cloud Private KC includes only the steps covered here in 1-5, then yes, I agree that simply linking to those steps is ok.
BUT, if the linked page contains a bunch of unnecessary steps or requirements, then it's a poor user experience to link out to a separate set of instructions and therefore, it's better to include steps 1-5 here.
The IBM Cloud Private KC covered the install step. I simplified the step and navigated the step to the IBM Cloud Private KC.
|
@zxxa When you update a PR, if it is not a significant change, just use command |
1af89f6 to
f029e28
Compare
install/Knative-with-ICP.md
Outdated
| ``` | ||
|
|
||
| Update spec.repositories by adding `gcr.io/knative-releases/*` | ||
| ``` |
replace "" to "yaml"
Done
install/Knative-with-ICP.md
Outdated
| ibm-restricted-psp false RunAsAny MustRunAsNonRoot MustRunAs MustRunAs false configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim | ||
| ``` | ||
|
|
||
| Create a cluster role for the pod security policy resource. The resourceNames for this role must be the name of the pod security policy that was created previous. Here we use ``ibm-privileged-psp``. |
one "" is good enough for ibm-privileged-psp`
Done
9da2fe0 to
2da508f
Compare
gyliu513
left a comment
lgtm, thanks @zxDiscovery
@samodell @RichieEscarez can you help if we can get this merged?
install/Knative-with-ICP.md
Outdated
| - use | ||
| EOF | ||
| ``` | ||
| The output resembles the following code: |
| The output resembles the following code: | |
| You will see the following output: |
install/Knative-with-ICP.md
Outdated
| EOF | ||
| ``` | ||
|
|
||
| You can use the same mothed add the other knative namespaces to `ibm-privileged-psp` pod security policy. |
| You can use the same mothed add the other knative namespaces to `ibm-privileged-psp` pod security policy. | |
| Use the same method to add the other Knative namespaces to the `ibm-privileged-psp` pod security policy. |
Done
install/Knative-with-ICP.md
Outdated
|
|
||
| Follow the [instructions](https://istio.io/docs/setup/kubernetes/quick-start-ibm/#ibm-cloud-private) to install and run Istio in [IBM Cloud Private](https://www.ibm.com/cloud/private). | ||
|
|
||
| ## Installing Knative Serving |
Is there a reason not to include instructions for installing the other Knative components here? The IKS guide covers instructions for Serving and Build, and ideally we'd like to keep the guides as similar as possible.
https://github.com/knative/docs/blob/master/install/Knative-with-IKS.md
Done
install/Knative-with-ICP.md
Outdated
| ``` | ||
|
|
||
| If the `image-security-enforcement` enabled when you install [IBM Cloud Private](https://www.ibm.com/cloud/private). You need to update the [image security policy](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/manage_images/image_security.html) allow to pull the knative image. | ||
| Using the following commend get the image security policy. |
| Using the following commend get the image security policy. | |
| Enter the following command to view the current image security policy: |
Done
install/Knative-with-ICP.md
Outdated
| | kubectl apply --filename - | ||
| ``` | ||
|
|
||
| If the `image-security-enforcement` enabled when you install [IBM Cloud Private](https://www.ibm.com/cloud/private). You need to update the [image security policy](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/manage_images/image_security.html) allow to pull the knative image. |
Lines 40 and 41 don't make sense as written -- should this say "If the image-security-enforcement wasn't enabled when you installed..."? Or are you saying that, even if it was already enabled, you need to update it further? Can you clarify?
Done
install/Knative-with-ICP.md
Outdated
| clusterrole "knative-role" created | ||
| ``` | ||
|
|
||
| Set up cluster role binding for the service account in knative namespace. By using this role binding, you can set the service accounts in the namespace to use the pod security policy that you created. |
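Review bot: the first sentence speaks of "the service account" and the second of "the service accounts in the namespace"; say which subjects the binding covers, because that decides which workloads may use the pod security policy. Naming the namespace instead of "knative namespace" would make the scope explicit.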
| Set up cluster role binding for the service account in knative namespace. By using this role binding, you can set the service accounts in the namespace to use the pod security policy that you created. | |
| Set up cluster role binding for the service account in knative namespace. By using this role binding, you can set the service accounts in the namespace to use the pod security policy that you created. |
| Set up cluster role binding for the service account in knative namespace. By using this role binding, you can set the service accounts in the namespace to use the pod security policy that you created. | |
| Set up cluster role binding for the service account in Knative namespace. By using this role binding, you can set the service accounts in the namespace to use the pod security policy that you created. |
Done
install/Knative-with-ICP.md
Outdated
| | kubectl apply --filename - | ||
| ``` | ||
|
|
||
| If the `image-security-enforcement` enabled when you install [IBM Cloud Private](https://www.ibm.com/cloud/private). You need to update the [image security policy](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/manage_images/image_security.html) allow to pull the knative image. |
| If the `image-security-enforcement` enabled when you install [IBM Cloud Private](https://www.ibm.com/cloud/private). You need to update the [image security policy](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/manage_images/image_security.html) allow to pull the knative image. | |
| If the `image-security-enforcement` enabled when you install [IBM Cloud Private](https://www.ibm.com/cloud/private). You need to update the [image security policy](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/manage_images/image_security.html) allow to pull the Knative image. |
Done
install/Knative-with-ICP.md
Outdated
|
|
||
| Knative requires an [IBM Cloud Private](https://www.ibm.com/cloud/private) cluster v3.1.1. See [Installing IBM Cloud Private Cloud Native, Enterprise, and Community editions](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/install_containers.html) in the IBM Knowledge Center for install instructions. | ||
|
|
||
| 1: [Install Docker for your boot node only](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/install_containers.html#prep_boot) |
Change to typical ordered list format 1: --> 1.
Done
install/Knative-with-ICP.md
Outdated
| If the `image-security-enforcement` enabled when you install [IBM Cloud Private](https://www.ibm.com/cloud/private). You need to update the [image security policy](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/manage_images/image_security.html) allow to pull the knative image. | ||
| Using the following commend get the image security policy. | ||
| ``` | ||
| kubectl get clusterimagepolicies |
Add a space or other separation between the command and print out (it's hard to see the difference). Same as below.
Done
install/Knative-with-ICP.md
Outdated
| kubectl edit clusterimagepolicies ibmcloud-default-cluster-image-policy | ||
| ``` | ||
|
|
||
| Update spec.repositories by adding "gcr.io/knative-releases/*" |
| Update spec.repositories by adding "gcr.io/knative-releases/*" | |
| Update `spec.repositories` by adding `"gcr.io/knative-releases/*"` |
Done
install/Knative-with-ICP.md
Outdated
|
|
||
| ## Installing Knative Serving | ||
|
|
||
| Next, install [Knative Serving](https://github.com/knative/serving): |
Can you number these steps or add additional formatting so it's easier to follow?
install/Knative-with-ICP.md
Outdated
| - name: "gcr.io/knative-releases/*" | ||
| ``` | ||
|
|
||
| Put the namespaces `knative-serving`, `knative-build`, `knative-monitoring` and `knative-eventing` into pod security policy `ibm-privileged-psp` as follows. |
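Review bot: the sentence places four namespaces under `ibm-privileged-psp` without saying why a privileged policy is required; state which Knative requirement calls for it, so readers do not extend the binding further than they need to.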
How/What are you putting? How does this relate to the command below?
Done
install/Knative-with-ICP.md
Outdated
| ``` | ||
|
|
||
| Create a cluster role for the pod security policy resource. The resourceNames for this role must be the name of the pod security policy that was created previous. Here we use `ibm-privileged-psp`. | ||
| Create a YAML file for the cluster role. |
Add a space between this line and line above.
| Create a YAML file for the cluster role. | |
| Create a YAML file for the cluster role with the following command: |
Done
3d6efc1 to
521fe46
Compare
85ba53b to
cbd4eef
Compare
samodell
left a comment
A few last suggestions. Thanks for all the work on this!
install/Knative-with-ICP.md
Outdated
|
|
||
| Now you can deploy an app to your newly created Knative cluster. | ||
|
|
||
| ### Installing Knative Build only |
Since this is an option to install Build alone, this should go right after the section on "Installing Knative Serving and Build components," so right at line 43.
Done
install/Knative-with-ICP.md
Outdated
| | kubectl apply --filename - | ||
| ``` | ||
|
|
||
| You need to update the [image security policy](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/manage_images/image_security.html) allow to pull the Knative image when you enable the `image-security-enforcement` at the time of [IBM Cloud Private](https://www.ibm.com/cloud/private) installation. |
I would add a descriptive heading for these steps around the image security policy, to group all these commands together.
Done
install/Knative-with-ICP.md
Outdated
| | kubectl apply --filename - | ||
| ``` | ||
|
|
||
| You need to update the [image security policy](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/manage_images/image_security.html) allow to pull the Knative image when you enable the `image-security-enforcement` at the time of [IBM Cloud Private](https://www.ibm.com/cloud/private) installation. |
| You need to update the [image security policy](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/manage_images/image_security.html) allow to pull the Knative image when you enable the `image-security-enforcement` at the time of [IBM Cloud Private](https://www.ibm.com/cloud/private) installation. | |
| You need to update the [image security policy](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/manage_images/image_security.html) to allow the cluster to pull the Knative image when you enable the `image-security-enforcement` at the time of [IBM Cloud Private](https://www.ibm.com/cloud/private) installation. |
Done
cbd4eef to
7bb99f2
Compare
|
@RichieEscarez for the final stamp of approval later this week. |
RichieEscarez
left a comment
A bunch of editorial suggestions and a general IA question for @samodell (now that custom install instructions have been merged). Thanks @zxDiscovery!
install/Knative-with-ICP.md
Outdated
| # Knative Install on IBM Cloud Private | ||
|
|
||
| This guide walks you through the installation of the latest version of | ||
| [Knative Serving](https://github.com/knative/serving) using pre-built images and |
Since the install package is release-lite.yaml, it's not just Serving, you get Build too.
Done
install/Knative-with-ICP.md
Outdated
| This guide walks you through the installation of the latest version of | ||
| [Knative Serving](https://github.com/knative/serving) using pre-built images and | ||
| demonstrates creating and deploying an image of a sample `hello world` app onto | ||
| the newly created Knative cluster. |
| the newly created Knative cluster. | |
| the newly created Knative cluster on [IBM Cloud Private](https://www.ibm.com/cloud/private). |
See comment below.
Done
install/Knative-with-ICP.md
Outdated
|
|
||
| ## Installing Istio | ||
|
|
||
| Follow the [instructions](https://istio.io/docs/setup/kubernetes/quick-start-ibm/#ibm-cloud-private) to install and run Istio in [IBM Cloud Private](https://www.ibm.com/cloud/private). |
Two separate links don't make it clear that you want the user to navigate away (and to which link). Let's make the whole sentence a link:
| Follow the [instructions](https://istio.io/docs/setup/kubernetes/quick-start-ibm/#ibm-cloud-private) to install and run Istio in [IBM Cloud Private](https://www.ibm.com/cloud/private). | |
| [Follow the instructions to install and run Istio in IBM Cloud Private](https://istio.io/docs/setup/kubernetes/quick-start-ibm/#ibm-cloud-private). |
Done
install/Knative-with-ICP.md
Outdated
|
|
||
| ## Before you begin | ||
|
|
||
| Knative requires an [IBM Cloud Private](https://www.ibm.com/cloud/private) cluster v3.1.1. See [Installing IBM Cloud Private Cloud Native, Enterprise, and Community editions](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/install_containers.html) in the IBM Knowledge Center for install instructions. |
It looks like all the steps in the KC topic should be taken?
If that is true, let's clarify/state that, and also provide only a single link because right now with the 6 separate links, we are asking the user to switch back and forth between the same page multiple times.
I think you could also leave in the list but remove the links.
@RichieEscarez Yes, all the steps in the KC topic should be taken. I wrote all the steps in the previous review versions. But it seems a little redundant. So I simplified it.
I think I will just keep the KC topic link here and remove the six separate links. Users follow the steps from the KC link to install IBM Cloud Private.
Sounds good, please revise to:
| Knative requires an [IBM Cloud Private](https://www.ibm.com/cloud/private) cluster v3.1.1. See [Installing IBM Cloud Private Cloud Native, Enterprise, and Community editions](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/install_containers.html) in the IBM Knowledge Center for install instructions. | |
| Knative requires a v3.1.1 standard [IBM Cloud Private](https://www.ibm.com/cloud/private) cluster. | |
| Before you can install Knative, you must first complete all the steps that are provided in the | |
| [IBM Cloud Private standard cluster installation instructions](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/install_containers.html). |
@zxDiscovery , one open item here.
Done
install/Knative-with-ICP.md
Outdated
|
|
||
| 1. Check the pod security policy in [IBM Cloud Private](https://www.ibm.com/cloud/private). | ||
| ``` | ||
| kubectl get psp |
Global comment:
Please indent all these code blocks to nest them under the steps
| kubectl get psp | |
| kubectl get psp |
Done
install/Knative-with-ICP.md
Outdated
| EOF | ||
| ``` | ||
|
|
||
| Use the same method to add the other Knative namespaces to the `ibm-privileged-psp` pod security policy. |
This looks like a separate step.
Also can we list what the "other Knative namespaces" are that need to be added?
| Use the same method to add the other Knative namespaces to the `ibm-privileged-psp` pod security policy. | |
| 4. Use the same method to add the other Knative namespaces to the `ibm-privileged-psp` pod security policy. |
Done
install/Knative-with-ICP.md
Outdated
|
|
||
| Use the same method to add the other Knative namespaces to the `ibm-privileged-psp` pod security policy. | ||
|
|
||
| Monitor the Knative components until all of the components show a `STATUS` of |
| Monitor the Knative components until all of the components show a `STATUS` of | |
| 5. Ensure that the installation was successful by running the following commands until both of the Knative components show a `STATUS` of |
Done
install/Knative-with-ICP.md
Outdated
| kubectl get pods --namespace knative-build | ||
| ``` | ||
|
|
||
| Just as with the Istio components, it will take a few seconds for the Knative |
The Istio install instructions that are used are the IBM steps and I don't think it refers to the delay.
| Just as with the Istio components, it will take a few seconds for the Knative | |
| It might take a few seconds for the Knative |
Done
install/Knative-with-ICP.md
Outdated
| If you'd like to view the available sample apps and deploy one of your choosing, | ||
| head to the [sample apps](../serving/samples/README.md) repo. | ||
|
|
||
| > Note: When looking up the IP address to use for accessing your app, you need to look up |
The markdown note and codeblock are disconnected here. Maybe just use bold?
| > Note: When looking up the IP address to use for accessing your app, you need to look up | |
| *Note*: When looking up the IP address to use for accessing your app, you need to look up |
Done
0e59411 to
9e9e84b
Compare
install/Knative-with-ICP.md
Outdated
| 1. Enter the following command to view the current image security policy: | ||
| ``` | ||
| kubectl get clusterimagepolicies | ||
|
|
kill this
Done
install/Knative-with-ICP.md
Outdated
| 1. Check the pod security policy in [IBM Cloud Private](https://www.ibm.com/cloud/private). | ||
| ``` | ||
| kubectl get psp | ||
|
|
kill this
Done
install/Knative-with-ICP.md
Outdated
|
|
||
| Delete the cluster on [IBM Cloud Private](https://www.ibm.com/cloud/private): | ||
|
|
||
| ```shell |
How about adding shell for other curl command?
Done
9e9e84b to
a6c8777
Compare
|
@samodell @RichieEscarez @averikitsch do you think this is ready to merge? |
still an open item, please see comment above |
a6c8777 to
211f1ed
Compare
RichieEscarez
left a comment
I committed a couple small corrections and added some technical questions/comments that require action.
install/Knative-with-ICP.md
Outdated
| ``` | ||
|
|
||
| ### Update the image security policy | ||
| You need to update the [image security policy](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/manage_images/image_security.html) to allow the cluster to pull the Knative image when you enable the `image-security-enforcement` at the time of [IBM Cloud Private](https://www.ibm.com/cloud/private) installation. |
This says "at the time of installation" & "to pull the Knative image", both of which make it sound like this security policy needs to be created before you run the "kubectl apply" commands to install Knative.
Does the whole "Update the image security policy" section need to move up before the "Installing Knative components" steps?
Yes, you are right. The sections "Update the image security policy" and "Update pod security policy" both need to move up before the "Installing Knative components" steps. I put these two sections after "install IBM Cloud Private".
install/Knative-with-ICP.md
Outdated
| ``` | ||
|
|
||
| ### Update pod security policy | ||
| Configure the namespaces `knative-serving`, `knative-build`, `knative-monitoring` and `knative-eventing` into pod security policy `ibm-privileged-psp`. The step as follows: |
We have only provided steps to install Serving and Build, not Eventing nor Monitoring. This will be confusing to someone new and they might think they actually get those features too.
They should be removed or otherwise, it should be clarified that those policies are optional for if you choose to install them at a later time.
That said, are there issues/vulnerabilities with setting unnecessary security policies?
The yaml release-lite.yaml includes the namespace knative-monitoring, so I keep knative-monitoring and remove the namespace knative-eventing. And I put this section before installing Knative.
The security policies here are necessary. Knative pods can't run normally if we don't set the security policies.
install/Knative-with-ICP.md
Outdated
| Delete the cluster on [IBM Cloud Private](https://www.ibm.com/cloud/private): | ||
|
|
||
| ```shell | ||
| curl -L https://github.com/knative/serving/releases/download/v0.2.2/release-lite.yaml \ |
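Review bot: the lead-in says "Delete the cluster", but the command that follows downloads the Knative `release-lite.yaml` manifest for v0.2.2, so the sentence should say what is actually being removed. If the version is meant to match the one installed earlier in the guide, say so next to the command.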
The options for serving.yaml and build.yaml are provided above and are not mentioned here. If users decided to follow one of the alternatives, this command will fail.
Done
ebe20bf to
2f799ae
Compare
Redo the overwritten commit, clarify security policy steps, fix indentation errors
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: averikitsch, RichieEscarez, samodell, zxDiscovery The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Finally, thanks @samodell @RichieEscarez @averikitsch @zxDiscovery |
Fixes #557
Proposed Changes