-
Download the archive for your operating system from the Minishift v1.25.0 Release page and extract its contents
-
Copy the contents of the directory to your preferred location.
-
Add the minishift binary to your PATH environment variable.
Run the following command to verify your minishift is configured correctly:
# returns minishift v1.25.0+90fb23e
minishift version# make sure the profile is set correctly
minishift profile set knative
# Pinning to the right needed OpenShift version in this case v3.10.0
minishift config set openshift-version v3.10.0
# memory for the vm
minishift config set memory 8GB
# the vCpus for the vm
minishift config set cpus 4
# extra disk size for the vm
minishift config set disk-size 50g
# caching the images that will be downloaded during app deployments
minishift config set image-caching true
# Add new user called admin with password with role cluster-admin
minishift addons enable admin-user
# Allow the containers to be run with uid 0
minishift addons enable anyuid
# Start minishift
minishift start
eval $(minishift docker-env) && eval $(minishift oc-env)#!/bin/bash
minishift openshift config set --target=kube --patch '{
"admissionConfig": {
"pluginConfig": {
"ValidatingAdmissionWebhook": {
"configuration": {
"apiVersion": "apiserver.config.k8s.io/v1alpha1",
"kind": "WebhookAdmission"
}
},
"MutatingAdmissionWebhook": {
"configuration": {
"apiVersion": "apiserver.config.k8s.io/v1alpha1",
"kind": "WebhookAdmission"
}
}
}
}
}'-
wait for some time after this step to allow OpenShift to be restarted automatically. e.g. you can try doing
oc login -u admin -p adminuntil you are able to login again.
SCCs (Security Context Constraints) are the precursor to the PSP (Pod Security Policy) mechanism in Kubernetes.
oc project myproject # Set privileged scc to default SA in myproject oc adm policy add-scc-to-user privileged -z default # Automatic Istio sidecar injection oc label namespace myproject istio-injection=enabled kubectl get namespace --show-labels #(1)
-
This should show the myproject namespace with istio-injection=enabled label
# Grant the necessary privileges to the service accounts Istio will use:
oc adm policy add-scc-to-user anyuid -z istio-ingress-service-account -n istio-system
oc adm policy add-scc-to-user anyuid -z default -n istio-system
oc adm policy add-scc-to-user anyuid -z prometheus -n istio-system
oc adm policy add-scc-to-user anyuid -z istio-egressgateway-service-account -n istio-system
oc adm policy add-scc-to-user anyuid -z istio-citadel-service-account -n istio-system
oc adm policy add-scc-to-user anyuid -z istio-ingressgateway-service-account -n istio-system
oc adm policy add-scc-to-user anyuid -z istio-cleanup-old-ca-service-account -n istio-system
oc adm policy add-scc-to-user anyuid -z istio-mixer-post-install-account -n istio-system
oc adm policy add-scc-to-user anyuid -z istio-mixer-service-account -n istio-system
oc adm policy add-scc-to-user anyuid -z istio-pilot-service-account -n istio-system
oc adm policy add-scc-to-user anyuid -z istio-sidecar-injector-service-account -n istio-system
oc adm policy add-cluster-role-to-user cluster-admin -z istio-galley-service-account -n istio-system
# Deploy Istio
curl -L https://storage.googleapis.com/knative-releases/serving/latest/istio.yaml \
| sed 's/LoadBalancer/NodePort/' \
| oc apply -f --
This will setup the required OpenShift security policies that are required to deploy and make Istio functional
Wait until all the pods on istio-system are up and running, you can verify it with the command oc get pods -w -n istio-system.
|
Important
|
The Istio v1.0.1 release automatic sidecar injection has removed #/bin/bash $ kubectl get cm istio-sidecar-injector -n istio-system -oyaml | sed -e 's/securityContext:/securityContext:\\n privileged: true/' | kubectl replace -f - Please run this command only once to avoid multiple additions |
Knative Serving supports deploying of serverless functions and applications on Kubernetes.
#/bin/bash
# Grant the necessary privileges to the service accounts Knative will use:
oc adm policy add-scc-to-user anyuid -z build-controller -n knative-build
oc adm policy add-scc-to-user anyuid -z controller -n knative-serving
oc adm policy add-scc-to-user anyuid -z autoscaler -n knative-serving
oc adm policy add-cluster-role-to-user cluster-admin -z build-controller -n knative-build
oc adm policy add-cluster-role-to-user cluster-admin -z controller -n knative-serving
# Deploy Knative serving
curl -L https://storage.googleapis.com/knative-releases/serving/latest/release-no-mon.yaml \
| sed 's/LoadBalancer/NodePort/' \
| oc apply -f --
This will setup the required OpenShift security policies that are required to deploy and make Knative functional
Wait until all the pods in the knative-serving are up and running, you can verify it with the command oc get pods -n knative-serving -w and oc get pods -n knative-build -w.
Lets now deploy an simple node.js application to make sure our deployment works,
cd apps/kelloworld-nodejs
docker build -t dev.local/kelloworld:0.0.1 --rm .
kubectl apply -f service.yaml
export IP_ADDRESS=$(oc get node -o 'jsonpath={.items[0].status.addresses[0].address}'):$(oc get svc knative-ingressgateway -n istio-system -o 'jsonpath={.spec.ports[?(@.port==80)].nodePort}')
export HOST_URL=$(oc get services.serving.knative.dev kelloworld -o jsonpath='{.status.domain}')
curl -H "Host: ${HOST_URL}" http://${IP_ADDRESS}
The curl above should return "Welcome Knative Serving on OpenShift".
|
Note
|
There is also utility script called call.sh inside $PROJECT_HOME/bin which can be used to call the functions.
|
If you’d like to view the available sample apps and deploy one of your choosing, head to the sample apps repo.
Cleanup all existing objects using the command:
#!bin/bash kubectl delete all --all cd $PROJECT_HOME/apps/kelloworld-nodejs/routing kubectl apply -f app.yaml (1)
-
In this case we will not use
serviceobject instead create the Knative serving objects individually.
Update the $PROJECT_HOME/apps/kelloworld-nodejs/app.js code to look like
var express = require('express');
var app = express();
const asciiart = require("ascii-art");
app.get("/", function (req, res, next) {
asciiart.font("Knative", "Doom", (rendered) => {
res.status(200).send(rendered);
});
});
app.listen(8080,function() {
console.log("App started in port 8080");
});
Build a new image using the following command,
#!bin/bash docker build -t dev.local/kelloworld:0.0.2 --rm .
Update the application configuration to create new revision:
#!bin/bash kubectl apply -f config-v2.yaml (1)
-
This should create a new revision e.g.
kelloworld-00002
Apply any one or more of the following routes to see the split of the traffic:
-
all-rev1.yaml — All traffic to revision kelloworld-00001
-
all-rev2.yaml — All traffic to revision kelloworld-00002
-
rev1-rev2_50-50.yaml — Traffic split 50-50 between kelloworld-00001 and kelloworld-00002
sources,bash]
#!bin/bash kubectl apply -f rev1-rev2_50-50.yaml
|
Tip
|
Run the script $PROJECT_HOME/bin/poll.sh on a new terminal and you can see changes to the output while applying the routes |
kubectl delete configurations.serving.knative.dev --all kubectl delete revisions.serving.knative.dev --all kubectl delete routes.serving.knative.dev --all kubectl delete services.serving.knative.dev --all (or) kubectl delete all --all