From f029e289df06ee39b63d0d655242d2943cfcafd0 Mon Sep 17 00:00:00 2001 From: zxxa Date: Thu, 13 Dec 2018 17:04:25 +0800 Subject: [PATCH 1/4] Update doc for knative deploy on IBMCloudPrivate --- install/Knative-with-ICP.md | 282 ++++++++++++++++++++++++++++++++++++ install/README.md | 1 + 2 files changed, 283 insertions(+) create mode 100644 install/Knative-with-ICP.md diff --git a/install/Knative-with-ICP.md b/install/Knative-with-ICP.md new file mode 100644 index 00000000000..cea5387d030 --- /dev/null +++ b/install/Knative-with-ICP.md 
@@ -0,0 +1,282 @@ +# Knative Install on IBM Cloud Private + +This guide walks you through the installation of the latest version of +[Knative Serving](https://github.com/knative/serving) using pre-built images and +demonstrates creating and deploying an image of a sample `hello world` app onto +the newly created Knative cluster. + +You can find [guides for other platforms here](README.md). + +## Before you begin + +Knative requires an [IBM Cloud Private](https://www.ibm.com/cloud/private) cluster v3.1.1. See [Installing IBM Cloud Private Cloud Native, Enterprise, and Community editions]((https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/install_containers.html)) in the IBM Knowledge Center for install instructions. + +### Step 1: Install Docker for your boot node only + +The boot node is the node that is used for installation of your cluster. The boot node is usually your master node. For more information about the [boot node](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/getting_started/architecture.html#boot), see Boot node. You need a version of Docker that is supported by IBM Cloud Private installed on your boot node. See [Supported Docker versions](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/supported_system_config/supported_docker.html). To install Docker, see [Manually installing Docker](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/install_docker.html#manual). + +### Step 2: Set up the installation environment + +1. Log in to the boot node as a user with root permissions. + +2. Obtain the installation file or image: + + For IBM Cloud Private only: Download the installation files for IBM Cloud Private. You must download the correct file or files for the type of nodes in your cluster. You can obtain these files from the [IBM Passport Advantage®](https://www.ibm.com/software/passportadvantage/) Opens in a new tab website. 
+ + For a Linux® 64-bit cluster, download the ibm-cloud-private-x86_64-3.1.1.tar.gz file. + For a Linux® on Power® (ppc64le) cluster, download the ibm-cloud-private-ppc64le-3.1.1.tar.gz file. + For a cluster that uses IBM® Z worker and proxy nodes, download the ibm-cloud-private-s390x-3.1.1.tar.gz file. + +3. For IBM Cloud Private only: Extract the images and load them into Docker. Extracting the images might take a few minutes. + For Linux® 64-bit, run this command: + ``` + tar xf ibm-cloud-private-x86_64-3.1.1.tar.gz -O | sudo docker load + ``` + For Linux® on Power® (ppc64le), run this command: + ``` + tar xf ibm-cloud-private-ppc64le-3.1.1.tar.gz -O | sudo docker load + ``` + +4. Create an installation directory to store the IBM Cloud Private configuration files in and change to that directory. For example, to store the configuration files in /opt/ibm-cloud-private-3.1.1, run the following commands: + ``` + sudo mkdir /opt/ibm-cloud-private-3.1.1; + cd /opt/ibm-cloud-private-3.1.1 + ``` + +5. Extract the configuration files from the installer image. + + For IBM Cloud Private-CE: + + sudo docker run -e LICENSE=accept \ + -v "$(pwd)":/data ibmcom/icp-inception:3.1.1 cp -r cluster /data + + +6. (Optional) You can view the license file for IBM Cloud Private. + + For IBM Cloud Private-CE: + + sudo docker run -e LICENSE=view -e LANG=$LANG ibmcom/icp-inception:3.1.1 + + Where $LANG is a supported language format. + +7. Create a secure connection from the boot node to all other nodes in your cluster. Complete one of the following processes: + Set up SSH in your cluster. See [Sharing SSH keys among cluster nodes](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/ssh_keys.html). + Set up password authentication in your cluster. See [Configuring password authentication for cluster nodes](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/password_auth.html). + +8. 
Add the IP address of each node in the cluster to the //cluster/hosts file. See [Setting the node roles in the hosts file](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/hosts.html). You can also define customized host groups, see [Defining custom host groups](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/hosts.html#hostgroup). + +9. If you use SSH keys to secure your cluster, in the //cluster folder, replace the ssh_key file with the private key file that is used to communicate with the other cluster nodes. See [Sharing SSH keys among cluster nodes](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/ssh_keys.html). Run this command: + + ``` + sudo cp ~/.ssh/id_rsa ./cluster/ssh_key + ``` + + In this example, ~/.ssh/id_rsa is the location and name of the private key file. + +10. For IBM Cloud Private only: Move the image files for your cluster to the //cluster/images folder. + + Create an images directory: + ``` + mkdir -p cluster/images; + ``` + If your cluster contains the x86_64 node, place the x86 package in the images directory: + ``` + sudo mv //ibm-cloud-private-x86_64-3.1.1.tar.gz cluster/images/ + ``` + If your cluster contains the ppc64le node, place the ppc64le package in the images directory: + ``` + sudo mv //ibm-cloud-private-ppc64le-3.1.1.tar.gz cluster/images/ + ``` + If your cluster contains the s390x node, place the s390x package in the images directory: + ``` + sudo mv //ibm-cloud-private-s390x-3.1.1.tar.gz cluster/images/ + ``` + + In these command, path_to_installation_file is the path to the images file. + +### Step 3: Customize your cluster + +1. Set up resource limits for proxy nodes. See [Configuring process resource limit on proxy nodes](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/proxy_resource.html). + +2. You can also set a variety of optional cluster customizations that are available in the //cluster/config.yaml file. 
See [Customizing the cluster with the config.yaml file](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/config_yaml.html). For additional customizations, you can also review [Customizing your installation](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/custom_install.html). + +3. In an environment that has multiple network interfaces (NICs), such as OpenStack and AWS, you must add the following code to the config.yaml file: + + For IBM Cloud Private: + + ``` + cluster_lb_address: + proxy_lb_address: + ``` + +### Step 4: Set up Docker for your cluster nodes + +Cluster nodes are the master, worker, proxy, and management nodes. See, [Architecture](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/getting_started/architecture.html). You need a version of Docker that is supported by IBM Cloud Private installed on your cluster node. See [Supported Docker versions](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/supported_system_config/supported_docker.html). If you do not have supported version of Docker installed on your cluster nodes, IBM Cloud Private can automatically install Docker on your cluster nodes during the installation. To prepare your cluster nodes for automatic installation of Docker, see [Configuring cluster nodes for automatic Docker installation](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/docker_cluster.html). + +### Step 5: Deploy the environment + +1. Change to the cluster folder in your installation directory. + ``` + cd ./cluster + ``` + +2. Deploy your environment. Depending on your options, you might need to add more parameters to the deployment command. + + For IBM Cloud Private only: If you had specified the offline_pkg_copy_path parameter in the config.yaml file. In the deployment command, add the -e ANSIBLE_REMOTE_TEMP= option, where is the value of the offline_pkg_copy_path parameter that you set in the config.yaml file. 
+ + By default, the command to deploy your environment is set to deploy 15 nodes at a time. If your cluster has more than 15 nodes, the deployment might take a longer time to finish. If you want to speed up the deployment, you can specify a higher number of nodes to be deployed at a time. Use the argument -f \ with the command. + + To deploy your environment: + + For IBM Cloud Private-CE:: + + ``` + sudo docker run --net=host -t -e LICENSE=accept \ + -v "$(pwd)":/installer/cluster ibmcom/icp-inception:3.1.1 install + ``` + +## Installing Istio + +Follow the [instructions](https://istio.io/docs/setup/kubernetes/quick-start-ibm/#ibm-cloud-private) to install and run Istio in [IBM Cloud Private](https://www.ibm.com/cloud/private). + +## Installing Knative Serving + +Next, install [Knative Serving](https://github.com/knative/serving): + +``` +curl -L https://github.com/knative/serving/releases/download/v0.2.2/release-lite.yaml \ + | sed 's/LoadBalancer/NodePort/' \ + | kubectl apply --filename - +``` + +If the `image-security-enforcement` enabled when you install [IBM Cloud Private](https://www.ibm.com/cloud/private). You need to update the [image security policy](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/manage_images/image_security.html) allow to pull the knative image. +Using the following commend get the image security policy. +``` +kubectl get clusterimagepolicies +NAME AGE +ibmcloud-default-cluster-image-policy 27m +``` + +Then edit the image security policy. +``` +kubectl edit clusterimagepolicies ibmcloud-default-cluster-image-policy +``` + +Update spec.repositories by adding `gcr.io/knative-releases/*` +``` +spec: + repositories: + - name: "gcr.io/knative-releases/*" +``` + +Put the namespaces `knative-serving`, `knative-build`, `knative-monitoring` and `knative-eventing` into pod security policy `ibm-privileged-psp` as follows. 
+ +The pod security policy in [IBM Cloud Private](https://www.ibm.com/cloud/private) as follows: +``` +kubectl get psp +NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP READONLYROOTFS VOLUMES +ibm-anyuid-hostaccess-psp false SETPCAP,AUDIT_WRITE,CHOWN,NET_RAW,DAC_OVERRIDE,FOWNER,FSETID,KILL,SETUID,SETGID,NET_BIND_SERVICE,SYS_CHROOT,SETFCAP RunAsAny RunAsAny RunAsAny RunAsAny false * +ibm-anyuid-hostpath-psp false SETPCAP,AUDIT_WRITE,CHOWN,NET_RAW,DAC_OVERRIDE,FOWNER,FSETID,KILL,SETUID,SETGID,NET_BIND_SERVICE,SYS_CHROOT,SETFCAP RunAsAny RunAsAny RunAsAny RunAsAny false * +ibm-anyuid-psp false SETPCAP,AUDIT_WRITE,CHOWN,NET_RAW,DAC_OVERRIDE,FOWNER,FSETID,KILL,SETUID,SETGID,NET_BIND_SERVICE,SYS_CHROOT,SETFCAP RunAsAny RunAsAny RunAsAny RunAsAny false configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim +ibm-privileged-psp true * RunAsAny RunAsAny RunAsAny RunAsAny false * +ibm-restricted-psp false RunAsAny MustRunAsNonRoot MustRunAs MustRunAs false configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim +``` + +Create a cluster role for the pod security policy resource. The resourceNames for this role must be the name of the pod security policy that was created previous. Here we use ``ibm-privileged-psp``. +Create a YAML file for the cluster role. +```shell +cat < Note: Instead of rerunning the command, you can add `--watch` to the above + command to view the component's status updates in real time. Use CTRL+C to exit watch mode. + +Now you can deploy an app to your newly created Knative cluster. + +## Deploying an app + +Now that your cluster has Knative installed, you're ready to deploy an app. + +If you'd like to follow a step-by-step guide for deploying your first app on +Knative, check out the +[Getting Started with Knative App Deployment](getting-started-knative-app.md) +guide. + +If you'd like to view the available sample apps and deploy one of your choosing, +head to the [sample apps](../serving/samples/README.md) repo. 
+ +> Note: When looking up the IP address to use for accessing your app, you need to look up + the NodePort for the `knative-ingressgateway` as well as the IP address used for ICP. + You can use the following command to look up the value to use for the {IP_ADDRESS} placeholder + used in the samples: + ```shell + echo $(ICP cluster ip):$(kubectl get svc knative-ingressgateway --namespace istio-system \ + --output 'jsonpath={.spec.ports[?(@.port==80)].nodePort}') + ``` + +## Cleaning up + +Delete the cluster on [IBM Cloud Private](https://www.ibm.com/cloud/private): + +```shell +curl -L https://github.com/knative/serving/releases/download/v0.2.2/release-lite.yaml \ + | sed 's/LoadBalancer/NodePort/' \ + | kubectl delete --filename - +``` + +--- + +Except as otherwise noted, the content of this page is licensed under the +[Creative Commons Attribution 4.0 License](https://creativecommons.org/licenses/by/4.0/), +and code samples are licensed under the +[Apache 2.0 License](https://www.apache.org/licenses/LICENSE-2.0). diff --git a/install/README.md b/install/README.md index fcef60a4e84..810acb37049 100644 --- a/install/README.md +++ b/install/README.md @@ -26,6 +26,7 @@ Knative components on the following platforms: - [Knative Install on Gardener](Knative-with-Gardener.md) - [Knative Install on Google Kubernetes Engine](Knative-with-GKE.md) - [Knative Install on IBM Cloud Kubernetes Service](Knative-with-IKS.md) +- [Knative Install on IBM Cloud Private](Knative-with-ICP.md) - [Knative Install on Minikube](Knative-with-Minikube.md) - [Knative Install on OpenShift](Knative-with-OpenShift.md) - [Knative Install on Minishift](Knative-with-Minishift.md) From 211f1ed25d0379a843f6df3af79879d63f75d534 Mon Sep 17 00:00:00 2001 From: xu zhao Date: Wed, 19 Dec 2018 10:18:28 +0800 Subject: [PATCH 2/4] Simplify IBMCloudPrivate Installation Steps --- install/Knative-with-ICP.md | 287 +++++++++++------------------------- 1 file changed, 89 insertions(+), 198 deletions(-) 
diff --git a/install/Knative-with-ICP.md b/install/Knative-with-ICP.md index cea5387d030..9a0d3b2fa41 100644 --- a/install/Knative-with-ICP.md +++ b/install/Knative-with-ICP.md 
@@ -1,245 +1,136 @@ # Knative Install on IBM Cloud Private This guide walks you through the installation of the latest version of -[Knative Serving](https://github.com/knative/serving) using pre-built images and +[Knative Serving](https://github.com/knative/serving) and [Knative Build](https://github.com/knative/build) using pre-built images and demonstrates creating and deploying an image of a sample `hello world` app onto -the newly created Knative cluster. +the newly created Knative cluster on [IBM Cloud Private](https://www.ibm.com/cloud/private). You can find [guides for other platforms here](README.md). ## Before you begin -Knative requires an [IBM Cloud Private](https://www.ibm.com/cloud/private) cluster v3.1.1. See [Installing IBM Cloud Private Cloud Native, Enterprise, and Community editions]((https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/install_containers.html)) in the IBM Knowledge Center for install instructions. +Knative requires a v3.1.1 standard [IBM Cloud Private](https://www.ibm.com/cloud/private) cluster. Before you can install Knative, you must first complete all the steps that are provided in the [IBM Cloud Private standard cluster installation instructions](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/install_containers.html). -### Step 1: Install Docker for your boot node only +1. Install Docker for your boot node only -The boot node is the node that is used for installation of your cluster. The boot node is usually your master node. For more information about the [boot node](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/getting_started/architecture.html#boot), see Boot node. You need a version of Docker that is supported by IBM Cloud Private installed on your boot node. See [Supported Docker versions](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/supported_system_config/supported_docker.html). 
To install Docker, see [Manually installing Docker](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/install_docker.html#manual). +2. Set up the installation environment -### Step 2: Set up the installation environment +3. Customize your cluster -1. Log in to the boot node as a user with root permissions. +4. Set up Docker for your cluster nodes -2. Obtain the installation file or image: +5. Deploy the environment - For IBM Cloud Private only: Download the installation files for IBM Cloud Private. You must download the correct file or files for the type of nodes in your cluster. You can obtain these files from the [IBM Passport Advantage®](https://www.ibm.com/software/passportadvantage/) Opens in a new tab website. +6. Verify the status of your installation - For a Linux® 64-bit cluster, download the ibm-cloud-private-x86_64-3.1.1.tar.gz file. - For a Linux® on Power® (ppc64le) cluster, download the ibm-cloud-private-ppc64le-3.1.1.tar.gz file. - For a cluster that uses IBM® Z worker and proxy nodes, download the ibm-cloud-private-s390x-3.1.1.tar.gz file. - -3. For IBM Cloud Private only: Extract the images and load them into Docker. Extracting the images might take a few minutes. - For Linux® 64-bit, run this command: - ``` - tar xf ibm-cloud-private-x86_64-3.1.1.tar.gz -O | sudo docker load - ``` - For Linux® on Power® (ppc64le), run this command: - ``` - tar xf ibm-cloud-private-ppc64le-3.1.1.tar.gz -O | sudo docker load - ``` +## Installing Istio -4. Create an installation directory to store the IBM Cloud Private configuration files in and change to that directory. For example, to store the configuration files in /opt/ibm-cloud-private-3.1.1, run the following commands: - ``` - sudo mkdir /opt/ibm-cloud-private-3.1.1; - cd /opt/ibm-cloud-private-3.1.1 - ``` +[Follow the instructions to install and run Istio in IBM Cloud Private](https://istio.io/docs/setup/kubernetes/quick-start-ibm/#ibm-cloud-private). -5. 
Extract the configuration files from the installer image. +## Installing Knative components - For IBM Cloud Private-CE: +You can install the Knative Serving and Build components together, or individually. - sudo docker run -e LICENSE=accept \ - -v "$(pwd)":/data ibmcom/icp-inception:3.1.1 cp -r cluster /data - +### Installing Knative Serving and Build components -6. (Optional) You can view the license file for IBM Cloud Private. +Run the following command to deploy [Knative Serving](https://github.com/knative/serving) and [Knative Build](https://github.com/knative/build) - For IBM Cloud Private-CE: +```shell +curl -L https://github.com/knative/serving/releases/download/v0.2.2/release-lite.yaml \ + | sed 's/LoadBalancer/NodePort/' \ + | kubectl apply --filename - +``` - sudo docker run -e LICENSE=view -e LANG=$LANG ibmcom/icp-inception:3.1.1 +### Installing Knative Serving only - Where $LANG is a supported language format. +Replace `release-lite.yaml` to `serving.yaml` file, the other steps are all the same as above. -7. Create a secure connection from the boot node to all other nodes in your cluster. Complete one of the following processes: - Set up SSH in your cluster. See [Sharing SSH keys among cluster nodes](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/ssh_keys.html). - Set up password authentication in your cluster. See [Configuring password authentication for cluster nodes](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/password_auth.html). +```shell +curl -L https://github.com/knative/serving/releases/download/v0.2.2/serving.yaml \ + | sed 's/LoadBalancer/NodePort/' \ + | kubectl apply --filename - +``` -8. Add the IP address of each node in the cluster to the //cluster/hosts file. See [Setting the node roles in the hosts file](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/hosts.html). 
You can also define customized host groups, see [Defining custom host groups](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/hosts.html#hostgroup). +### Installing Knative Build only -9. If you use SSH keys to secure your cluster, in the //cluster folder, replace the ssh_key file with the private key file that is used to communicate with the other cluster nodes. See [Sharing SSH keys among cluster nodes](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/ssh_keys.html). Run this command: +Replace `release-lite.yaml` to `build.yaml` file, the other steps are all the same as above. - ``` - sudo cp ~/.ssh/id_rsa ./cluster/ssh_key - ``` - - In this example, ~/.ssh/id_rsa is the location and name of the private key file. +```shell +curl -L https://github.com/knative/serving/releases/download/v0.2.2/build.yaml \ + | sed 's/LoadBalancer/NodePort/' \ + | kubectl apply --filename - +``` -10. For IBM Cloud Private only: Move the image files for your cluster to the //cluster/images folder. +### Update the image security policy +You need to update the [image security policy](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/manage_images/image_security.html) to allow the cluster to pull the Knative image when you enable the `image-security-enforcement` at the time of [IBM Cloud Private](https://www.ibm.com/cloud/private) installation. - Create an images directory: - ``` - mkdir -p cluster/images; - ``` - If your cluster contains the x86_64 node, place the x86 package in the images directory: - ``` - sudo mv //ibm-cloud-private-x86_64-3.1.1.tar.gz cluster/images/ +1. Edit the image security policy. 
``` - If your cluster contains the ppc64le node, place the ppc64le package in the images directory: + kubectl edit clusterimagepolicies ibmcloud-default-cluster-image-policy ``` - sudo mv //ibm-cloud-private-ppc64le-3.1.1.tar.gz cluster/images/ - ``` - If your cluster contains the s390x node, place the s390x package in the images directory: - ``` - sudo mv //ibm-cloud-private-s390x-3.1.1.tar.gz cluster/images/ - ``` - - In these command, path_to_installation_file is the path to the images file. - -### Step 3: Customize your cluster - -1. Set up resource limits for proxy nodes. See [Configuring process resource limit on proxy nodes](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/proxy_resource.html). - -2. You can also set a variety of optional cluster customizations that are available in the //cluster/config.yaml file. See [Customizing the cluster with the config.yaml file](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/config_yaml.html). For additional customizations, you can also review [Customizing your installation](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/custom_install.html). - -3. In an environment that has multiple network interfaces (NICs), such as OpenStack and AWS, you must add the following code to the config.yaml file: - - For IBM Cloud Private: +2. Update `spec.repositories` by adding `"gcr.io/knative-releases/*"` + ```yaml + spec: + repositories: + - name: "gcr.io/knative-releases/*" ``` - cluster_lb_address: - proxy_lb_address: - ``` - -### Step 4: Set up Docker for your cluster nodes -Cluster nodes are the master, worker, proxy, and management nodes. See, [Architecture](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/getting_started/architecture.html). You need a version of Docker that is supported by IBM Cloud Private installed on your cluster node. 
See [Supported Docker versions](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/supported_system_config/supported_docker.html). If you do not have supported version of Docker installed on your cluster nodes, IBM Cloud Private can automatically install Docker on your cluster nodes during the installation. To prepare your cluster nodes for automatic installation of Docker, see [Configuring cluster nodes for automatic Docker installation](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/docker_cluster.html). +### Update pod security policy +Configure the namespaces `knative-serving`, `knative-build`, `knative-monitoring` and `knative-eventing` into pod security policy `ibm-privileged-psp`. The step as follows: -### Step 5: Deploy the environment - -1. Change to the cluster folder in your installation directory. - ``` - cd ./cluster +1. Create a cluster role for the pod security policy resource. The resourceNames for this role must be the name of the pod security policy that was created previous. Here we use `ibm-privileged-psp`. Run the following command: + ```shell + cat < option, where is the value of the offline_pkg_copy_path parameter that you set in the config.yaml file. - - By default, the command to deploy your environment is set to deploy 15 nodes at a time. If your cluster has more than 15 nodes, the deployment might take a longer time to finish. If you want to speed up the deployment, you can specify a higher number of nodes to be deployed at a time. Use the argument -f \ with the command. +2. Set up cluster role binding for the service account in Knative namespace. By using this role binding, you can set the service accounts in the namespace to use the pod security policy that you created. + ```shell + cat < Note: Instead of rerunning the command, you can add `--watch` to the above - command to view the component's status updates in real time. Use CTRL+C to exit watch mode. 
+ > Note: Instead of rerunning the command, you can add `--watch` to the above + command to view the component's status updates in real time. Use CTRL+C to exit watch mode. Now you can deploy an app to your newly created Knative cluster. @@ -255,7 +146,7 @@ guide. If you'd like to view the available sample apps and deploy one of your choosing, head to the [sample apps](../serving/samples/README.md) repo. -> Note: When looking up the IP address to use for accessing your app, you need to look up +*Note*: When looking up the IP address to use for accessing your app, you need to look up the NodePort for the `knative-ingressgateway` as well as the IP address used for ICP. You can use the following command to look up the value to use for the {IP_ADDRESS} placeholder used in the samples: From 2f799ae1370ef6ee56afb5c6b7e4394031bcaadd Mon Sep 17 00:00:00 2001 From: xu zhao Date: Mon, 7 Jan 2019 10:52:02 +0800 Subject: [PATCH 3/4] Change configuration order --- install/Knative-with-ICP.md | 98 ++++++++++++++++++++++--------------- 1 file changed, 58 insertions(+), 40 deletions(-) diff --git a/install/Knative-with-ICP.md b/install/Knative-with-ICP.md index 9a0d3b2fa41..d2eb7bd1aa8 100644 --- a/install/Knative-with-ICP.md +++ b/install/Knative-with-ICP.md @@ -9,6 +9,8 @@ You can find [guides for other platforms here](README.md). ## Before you begin +### Install IBM Cloud Private + Knative requires a v3.1.1 standard [IBM Cloud Private](https://www.ibm.com/cloud/private) cluster. Before you can install Knative, you must first complete all the steps that are provided in the [IBM Cloud Private standard cluster installation instructions](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/install_containers.html). 1. Install Docker for your boot node only 
@@ -23,43 +25,6 @@ Knative requires a v3.1.1 standard [IBM Cloud Private](https://www.ibm.com/cloud 6. Verify the status of your installation -## Installing Istio - -[Follow the instructions to install and run Istio in IBM Cloud Private](https://istio.io/docs/setup/kubernetes/quick-start-ibm/#ibm-cloud-private). - -## Installing Knative components - -You can install the Knative Serving and Build components together, or individually. - -### Installing Knative Serving and Build components - -Run the following command to deploy [Knative Serving](https://github.com/knative/serving) and [Knative Build](https://github.com/knative/build) - -```shell -curl -L https://github.com/knative/serving/releases/download/v0.2.2/release-lite.yaml \ - | sed 's/LoadBalancer/NodePort/' \ - | kubectl apply --filename - -``` - -### Installing Knative Serving only - -Replace `release-lite.yaml` to `serving.yaml` file, the other steps are all the same as above. - -```shell -curl -L https://github.com/knative/serving/releases/download/v0.2.2/serving.yaml \ - | sed 's/LoadBalancer/NodePort/' \ - | kubectl apply --filename - -``` - -### Installing Knative Build only - -Replace `release-lite.yaml` to `build.yaml` file, the other steps are all the same as above. - -```shell -curl -L https://github.com/knative/serving/releases/download/v0.2.2/build.yaml \ - | sed 's/LoadBalancer/NodePort/' \ - | kubectl apply --filename - -``` ### Update the image security policy You need to update the [image security policy](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/manage_images/image_security.html) to allow the cluster to pull the Knative image when you enable the `image-security-enforcement` at the time of [IBM Cloud Private](https://www.ibm.com/cloud/private) installation. 
@@ -77,7 +42,7 @@ You need to update the [image security policy](https://www.ibm.com/support/knowl ``` ### Update pod security policy -Configure the namespaces `knative-serving`, `knative-build`, `knative-monitoring` and `knative-eventing` into pod security policy `ibm-privileged-psp`. The step as follows: +Configure the namespaces `knative-serving` into pod security policy `ibm-privileged-psp`. The step as follows: 1. Create a cluster role for the pod security policy resource. The resourceNames for this role must be the name of the pod security policy that was created previous. Here we use `ibm-privileged-psp`. Run the following command: ```shell 
@@ -118,9 +83,47 @@ Configure the namespaces `knative-serving`, `knative-build`, `knative-monitoring EOF ``` -3. Use the same method to add `knative-build` and `knative-eventing` namespaces to the `ibm-privileged-psp` pod security policy. +3. If you have the `knative-build` and `knative-monitoring` namespaces, use the same method to add the namespaces to the `ibm-privileged-psp` pod security policy. + +## Installing Istio + +[Follow the instructions to install and run Istio in IBM Cloud Private](https://istio.io/docs/setup/kubernetes/quick-start-ibm/#ibm-cloud-private). + +## Installing Knative components + +You can install the Knative Serving, Knative Build and Knative Monitoring components together, or individually. + +### Installing Knative Serving, Knative Build and Knative Monitoring components + +Run the following command to deploy [Knative Serving](https://github.com/knative/serving) and [Knative Build](https://github.com/knative/build) + +```shell +curl -L https://github.com/knative/serving/releases/download/v0.2.2/release-lite.yaml \ + | sed 's/LoadBalancer/NodePort/' \ + | kubectl apply --filename - +``` + +### Installing Knative Serving only + +Replace `release-lite.yaml` to `serving.yaml` file, the other steps are all the same as above. + +```shell +curl -L https://github.com/knative/serving/releases/download/v0.2.2/serving.yaml \ + | sed 's/LoadBalancer/NodePort/' \ + | kubectl apply --filename - +``` + +### Installing Knative Build only -4. Ensure that the installation was successful by running the following commands until both of the Knative components show a `STATUS` of `Running`: +Replace `release-lite.yaml` to `build.yaml` file, the other steps are all the same as above. 
+ +```shell +curl -L https://github.com/knative/serving/releases/download/v0.2.2/build.yaml \ + | sed 's/LoadBalancer/NodePort/' \ + | kubectl apply --filename - +``` + +Ensure that the installation was successful by running the following commands until both of the Knative components show a `STATUS` of `Running`: ``` kubectl get pods --namespace knative-serving @@ -159,12 +162,27 @@ head to the [sample apps](../serving/samples/README.md) repo. Delete the cluster on [IBM Cloud Private](https://www.ibm.com/cloud/private): +If you use the `release-lite.yaml` to install. The clean command as follows: ```shell curl -L https://github.com/knative/serving/releases/download/v0.2.2/release-lite.yaml \ | sed 's/LoadBalancer/NodePort/' \ | kubectl delete --filename - ``` +If you use the `serving.yaml` to install. The clean command as follows: +```shell +curl -L https://github.com/knative/serving/releases/download/v0.2.2/serving.yaml \ + | sed 's/LoadBalancer/NodePort/' \ + | kubectl delete --filename - +``` + +If you use the `build.yaml` to install. The clean command as follows: +```shell +curl -L https://github.com/knative/serving/releases/download/v0.2.2/build.yaml \ + | sed 's/LoadBalancer/NodePort/' \ + | kubectl delete --filename - +``` + --- Except as otherwise noted, the content of this page is licensed under the From b6453e9dd657f2e91114f27db8adbe54cf5c478e Mon Sep 17 00:00:00 2001 From: RichieEscarez Date: Mon, 7 Jan 2019 15:13:55 -0800 Subject: [PATCH 4/4] Re-add lost edits + improvements and fixes Redo the overwritten commit, clarify security policy steps, fix indentation errors --- install/Knative-with-ICP.md | 115 ++++++++++++++++++------------------ 1 file changed, 58 insertions(+), 57 deletions(-) diff --git a/install/Knative-with-ICP.md b/install/Knative-with-ICP.md index d2eb7bd1aa8..01474b547ac 100644 --- a/install/Knative-with-ICP.md +++ b/install/Knative-with-ICP.md 
@@ -11,7 +11,7 @@ You can find [guides for other platforms here](README.md). ### Install IBM Cloud Private -Knative requires a v3.1.1 standard [IBM Cloud Private](https://www.ibm.com/cloud/private) cluster. Before you can install Knative, you must first complete all the steps that are provided in the [IBM Cloud Private standard cluster installation instructions](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/install_containers.html). +Knative requires a v3.1.1 standard [IBM Cloud Private](https://www.ibm.com/cloud/private) cluster. Before you can install Knative, you must first complete all the steps that are provided in the [IBM Cloud Private standard cluster installation instructions](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/installing/install_containers.html). For Example: 1. Install Docker for your boot node only 
@@ -25,23 +25,26 @@ Knative requires a v3.1.1 standard [IBM Cloud Private](https://www.ibm.com/cloud 6. Verify the status of your installation +### Configure IBM Cloud Private security policies -### Update the image security policy -You need to update the [image security policy](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/manage_images/image_security.html) to allow the cluster to pull the Knative image when you enable the `image-security-enforcement` at the time of [IBM Cloud Private](https://www.ibm.com/cloud/private) installation. +You need to create and set both the image security and pod security policies before you install Knative in your cluster. -1. Edit the image security policy. +#### Update the image security policy +Update the [image security policy (`image-security-enforcement`)](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/manage_images/image_security.html) in IBM Cloud Private to allow the access to the Knative image: + +1. Edit the image security policy: ``` kubectl edit clusterimagepolicies ibmcloud-default-cluster-image-policy ``` -2. Update `spec.repositories` by adding `"gcr.io/knative-releases/*"` +2. Update `spec.repositories` by adding `"gcr.io/knative-releases/*"`, for example: ```yaml spec: repositories: - name: "gcr.io/knative-releases/*" ``` -### Update pod security policy +#### Update pod security policy Configure the namespaces `knative-serving` into pod security policy `ibm-privileged-psp`. The step as follows: 1. Create a cluster role for the pod security policy resource. The resourceNames for this role must be the name of the pod security policy that was created previous. Here we use `ibm-privileged-psp`. Run the following command: 
@@ -64,7 +67,9 @@ Configure the namespaces `knative-serving` into pod security policy `ibm-privile EOF ``` -2. Set up cluster role binding for the service account in Knative namespace. By using this role binding, you can set the service accounts in the namespace to use the pod security policy that you created. +2. In the Knative installation steps below, you have the option of installing a Knative installation bundle or individual components. For each component that you install, you must create a cluster role binding between the service account of the Knative namespace and the `ibm-privileged-psp` pod security policy that you created. + + For example to create a role binding for the `knative-serving` namespace, run the following command: ```shell cat < Note: Instead of rerunning the command, you can add `--watch` to the above command to view the component's status updates in real time. Use CTRL+C to exit watch mode. 
@@ -160,28 +161,28 @@ head to the [sample apps](../serving/samples/README.md) repo. ## Cleaning up -Delete the cluster on [IBM Cloud Private](https://www.ibm.com/cloud/private): - -If you use the `release-lite.yaml` to install. The clean command as follows: -```shell -curl -L https://github.com/knative/serving/releases/download/v0.2.2/release-lite.yaml \ - | sed 's/LoadBalancer/NodePort/' \ - | kubectl delete --filename - -``` - -If you use the `serving.yaml` to install. The clean command as follows: -```shell -curl -L https://github.com/knative/serving/releases/download/v0.2.2/serving.yaml \ - | sed 's/LoadBalancer/NodePort/' \ - | kubectl delete --filename - -``` - -If you use the `build.yaml` to install. The clean command as follows: -```shell -curl -L https://github.com/knative/serving/releases/download/v0.2.2/build.yaml \ - | sed 's/LoadBalancer/NodePort/' \ - | kubectl delete --filename - -``` +To remove Knative from your IBM Cloud Private cluster by running one of the following commands: + +* If you installed `release-lite.yaml`, run: + ```shell + curl -L https://github.com/knative/serving/releases/download/v0.2.3/release-lite.yaml \ + | sed 's/LoadBalancer/NodePort/' \ + | kubectl delete --filename - + ``` + +* If you installed `serving.yaml`, run: + ```shell + curl -L https://github.com/knative/serving/releases/download/v0.2.3/serving.yaml \ + | sed 's/LoadBalancer/NodePort/' \ + | kubectl delete --filename - + ``` + +* If you installed `build.yaml`, run: + ```shell + curl -L https://github.com/knative/serving/releases/download/v0.2.3/build.yaml \ + | sed 's/LoadBalancer/NodePort/' \ + | kubectl delete --filename - + ``` ---
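Review bot: In the `@@ -118,9 +83,47 @@` hunk (PATCH 1/4), all three install commands pipe `curl -L ... | sed 's/LoadBalancer/NodePort/' | kubectl apply --filename -`, so the manifest is applied to the cluster without the reader ever seeing what it contains. These are namespaces the guide has just added to `ibm-privileged-psp`, so suggest documenting a download to a local file, a review step, and then `kubectl apply --filename` on that file. `curl` is also called without `--fail`, so an HTTP error body would be passed on to `kubectl`. The `sed` expression rewrites the string `LoadBalancer` wherever it occurs on a line, not only in a Service `type:` field; matching `type: LoadBalancer` would be narrower. Smaller points: the sentence under "Installing Knative Serving, Knative Build and Knative Monitoring components" names only Serving and Build, "Replace `release-lite.yaml` to ..." should read "with", and the verification paragraph lost its step number and still says "both of the Knative components" although single-component installs are now described.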
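Review bot: In the `@@ -159,12 +162,27 @@` hunk (PATCH 1/4), the unchanged lead-in "Delete the cluster on IBM Cloud Private:" does not match the commands under it, which delete the Knative resources and leave the cluster in place; it should be reworded in the same change. Each added intro is two sentence fragments ("If you use the `serving.yaml` to install. The clean command as follows:"); something like "If you installed `serving.yaml`, run:" reads better. The added intro lines also run straight into the opening code fence with no blank line between them, which some Markdown renderers handle badly.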
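Review bot: The "For Example:" appended in the `@@ -11,7 +11,7 @@` hunk (PATCH 4/4) contradicts the sentence it follows, which tells the reader to complete all the steps in the IBM Cloud Private installation instructions; the numbered list after it is a summary of those steps, not an example. Suggest "The main steps are:" or similar, on its own line. If "For example" stays, it should be lowercase.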
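Review bot: The rewrite in the `@@ -25,23 +25,26 @@` hunk drops the condition from the removed text, which said the image policy update is needed when `image-security-enforcement` was enabled at IBM Cloud Private install time; the new wording "image security policy (`image-security-enforcement`)" presents that name as the policy itself and makes the step read as unconditional. Suggest keeping the condition. The new intro says "create and set both the image security and pod security policies", but the steps edit the existing `ibmcloud-default-cluster-image-policy` and reuse `ibm-privileged-psp`, so "update" is more accurate. It is also worth stating that `"gcr.io/knative-releases/*"` is a wildcard added to a cluster-wide image policy, so it permits every image under that path and not a single "Knative image" as the sentence says.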
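Review bot: In the `@@ -64,7 +67,9 @@` hunk, the new step 2 says to create a cluster role binding "between the service account of the Knative namespace and the `ibm-privileged-psp` pod security policy that you created", but step 1 creates a cluster role that names that policy, and the binding is to that role; the policy itself is referred to in step 1 as already existing. The text also switches from "cluster role binding" to "role binding" in the next sentence; pick the term that matches the manifest. Because this grants a privileged pod security policy, the step should say explicitly which service accounts in the namespace receive it, and that the binding has to be repeated per namespace only for the components actually installed. "For example to create" needs a comma after "example".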
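Review bot: The new lead-in in the `@@ -160,28 +161,28 @@` hunk, "To remove Knative from your IBM Cloud Private cluster by running one of the following commands:", has no main verb; drop "To" or change it to "Remove Knative ... by running". The URLs change from `v0.2.2` to `v0.2.3` here, so please confirm the install commands in the same file use `v0.2.3` as well, since deleting with a manifest from a different release than the one applied can leave resources behind. The cleanup section also never mentions removing the cluster role and binding for `ibm-privileged-psp` or the `gcr.io/knative-releases/*` entry added to the image policy earlier in the guide; a closing step for those would leave the cluster without the extra privileges once Knative is gone.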