OpenShift

    Finally you can follow the to take it from here and continue your Kuma journey.

    To run Kuma on OpenShift, you need to download a compatible version of Kuma for the machine from which you will be executing the commands.

    You can run the following script to automatically detect the operating system and download Kuma:

    You can also download the distribution manually. Download a distribution for the client host from where you will be executing the commands to access OpenShift:

    and extract the archive with:

    $ tar xvzf kuma-0.6.0*.tar.gz

    Once downloaded, you will find the contents of Kuma in the kuma-0.6.0 folder. In this folder, you will find - among other files - the bin directory that stores the executables for Kuma, including the CLI client kumactl.

    Note: On OpenShift - of all the Kuma binaries in the bin folder - we only need kumactl.

    So we enter the bin folder by executing:

    $ cd kuma-0.6.0/bin

    We suggest adding the kumactl executable to your PATH so that it’s always available in every working directory. Alternatively, you can create a link in /usr/local/bin/ by executing:

    $ ln -s "$PWD/kumactl" /usr/local/bin/kumactl
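
    A symlink's relative target is resolved against the directory that holds the link, not the directory where ln was run, so the link in /usr/local/bin needs an absolute target. The script below is an added example, not part of the Kuma documentation; link_kumactl and is_dangling are hypothetical helper names and the temp directories are constructed. It shows the failure and a way to create the link without overwriting an existing file:

```shell
#!/bin/sh
# Added example, not from the Kuma docs. link_kumactl and is_dangling are
# hypothetical helper names; the demo directories are constructed.

# is_dangling PATH: true when PATH is a symlink that does not resolve.
is_dangling() {
    [ -L "$1" ] && [ ! -e "$1" ]
}

# link_kumactl SRC_DIR DEST_DIR: link DEST_DIR/kumactl to SRC_DIR/kumactl.
# Returns 1 if the source is missing or not executable, 2 if DEST_DIR/kumactl
# is a real file or directory, 3 if the new link does not resolve.
link_kumactl() {
    # Absolute, symlink-free path of the directory holding the binary.
    abs_dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    target="$abs_dir/kumactl"
    link="$2/kumactl"
    if [ ! -f "$target" ] || [ ! -x "$target" ]; then
        return 1
    fi
    if [ -L "$link" ]; then
        rm -f "$link"            # replace a stale or dangling link
    elif [ -e "$link" ]; then
        return 2                 # never clobber a real file on PATH
    fi
    ln -s "$target" "$link" || return 3
    [ -x "$link" ] || return 3   # -x follows the link to the binary
    return 0
}

# Demo in a constructed temp tree; nothing under /usr/local is touched.
demo=$(mktemp -d)
mkdir -p "$demo/kuma-0.6.0/bin" "$demo/local-bin"
printf '#!/bin/sh\necho kumactl-stub\n' > "$demo/kuma-0.6.0/bin/kumactl"
chmod +x "$demo/kuma-0.6.0/bin/kumactl"

# A relative target is resolved against the link's own directory, so
# "./kumactl" makes local-bin/kumactl point at itself.
ln -s ./kumactl "$demo/local-bin/kumactl"
if is_dangling "$demo/local-bin/kumactl"; then
    echo "relative target: link does not resolve"
fi

if link_kumactl "$demo/kuma-0.6.0/bin" "$demo/local-bin"; then
    echo "absolute target: link resolves"
fi
rm -rf "$demo"
```
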
    $ ./kumactl install control-plane --cni-enabled | oc apply -f -

    Starting from version 4.1, OpenShift uses nftables instead of iptables, so using an init container to redirect traffic to the proxy no longer works. Instead, we use kuma-cni, which can be installed with the --cni-enabled flag.

    By default and ValidatingAdmissionWebhook are disabled on OpenShift 3.11. In order to make it work, add the following pluginConfig to /etc/origin/master/master-config.yaml on the master node:

    After updating master-config.yaml, restart the cluster and install the control plane:

    $ ./kumactl install control-plane | oc apply -f -

    This example will run Kuma in standalone mode for a “flat” deployment, but there are more advanced .

    It may take a while for OpenShift to start the Kuma resources. You can check the status by executing:

      Kuma (kuma-cp) will be installed in the newly created kuma-system namespace! Now that Kuma has been installed, you can access the control-plane via either the GUI, oc, the HTTP API, or the CLI:

      Kuma ships with a read-only GUI that you can use to retrieve Kuma resources. By default the GUI listens on port 5683.

      To access Kuma we need to first port-forward the GUI service with:

      $ oc port-forward svc/kuma-control-plane -n kuma-system 5683:5683

      And then you can navigate to 127.0.0.1:5683 to see the GUI.

      $ oc get meshes
      NAME AGE

      or you can enable mTLS on the default Mesh with:

      Kuma ships with a read-only HTTP API that you can use to retrieve Kuma resources.

      By default the HTTP API listens on port 5681. To access Kuma we need to first port-forward the API service with:

      $ oc port-forward svc/kuma-control-plane -n kuma-system 5681:5681

      And then you can navigate to to see the HTTP API.

      You can use the kumactl CLI to perform read-only operations on Kuma resources. The kumactl binary is a client to the Kuma HTTP API, so you will first need to port-forward the API service with:

      $ oc port-forward svc/kuma-control-plane -n kuma-system 5681:5681

      and then run kumactl, for example:

      $ kumactl get meshes
      NAME mTLS METRICS LOGGING TRACING

      You can configure kumactl to point to any remote kuma-cp instance by running:

      $ kumactl config control-planes add --name=XYZ --address=http://{address-to-kuma}:5681

      You will notice that Kuma automatically creates a Mesh entity with name default.

      Kuma explicitly specifies a UID for kuma-dp to avoid capturing traffic from itself. For that reason, a special privilege has to be granted to the application namespace:

      In order to start using Kuma, it’s time to check out the deployments.