    OpenShift

    Follow this guide to configure an OpenShift cluster so that Istio can be installed and run on it.

    By default, OpenShift does not allow containers to run as User ID (UID) 0. The following commands allow Istio's service accounts to run containers as UID 0:

    $ oc adm policy add-scc-to-user anyuid -z istio-ingress-service-account -n istio-system
    $ oc adm policy add-scc-to-user anyuid -z default -n istio-system
    $ oc adm policy add-scc-to-user anyuid -z prometheus -n istio-system
    $ oc adm policy add-scc-to-user anyuid -z istio-egressgateway-service-account -n istio-system
    $ oc adm policy add-scc-to-user anyuid -z istio-citadel-service-account -n istio-system
    $ oc adm policy add-scc-to-user anyuid -z istio-ingressgateway-service-account -n istio-system
    $ oc adm policy add-scc-to-user anyuid -z istio-cleanup-old-ca-service-account -n istio-system
    $ oc adm policy add-scc-to-user anyuid -z istio-mixer-post-install-account -n istio-system
    $ oc adm policy add-scc-to-user anyuid -z istio-mixer-service-account -n istio-system
    $ oc adm policy add-scc-to-user anyuid -z istio-pilot-service-account -n istio-system
    $ oc adm policy add-scc-to-user anyuid -z istio-sidecar-injector-service-account -n istio-system
    $ oc adm policy add-scc-to-user anyuid -z istio-galley-service-account -n istio-system
    $ oc adm policy add-scc-to-user anyuid -z istio-security-post-install-account -n istio-system

    The service accounts listed above are the ones assigned to Istio. If you enable other Istio services, such as Grafana, you need to run similar commands to set up their service accounts.

    The service account that runs your application needs privileged access in its security context; this is also part of the sidecar injection process:

    $ oc adm policy add-scc-to-user privileged -z default -n <target-namespace>
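    Once the anyuid grants for istio-system and the privileged grant for the target namespace have been made, the following script confirms they actually landed by comparing each SCC's user list with the service accounts that should be on it. It is an added example, not part of the Istio documentation; the function names are its own, and the live checks assume an oc session that can read SCCs.

```shell
#!/bin/sh
# Added example (not from the Istio docs): verify the SCC grants made above by
# comparing an SCC's user list with the service accounts expected on it.

ISTIO_NAMESPACE=istio-system

# Service accounts the page grants the anyuid SCC to, copied from the list above.
ISTIO_SERVICE_ACCOUNTS="istio-ingress-service-account default prometheus
istio-egressgateway-service-account istio-citadel-service-account
istio-ingressgateway-service-account istio-cleanup-old-ca-service-account
istio-mixer-post-install-account istio-mixer-service-account
istio-pilot-service-account istio-sidecar-injector-service-account
istio-galley-service-account istio-security-post-install-account"

# missing_scc_users USERS NAMESPACE SA...
#   USERS: space-separated user list of an SCC, as printed by
#          `oc get scc <name> -o jsonpath='{.users[*]}'`
#   Prints, one per line, every SA in NAMESPACE that is absent from USERS.
#   OpenShift records grants as system:serviceaccount:<namespace>:<name>,
#   so an SA of the same name in another namespace does not count.
missing_scc_users() {
    users=" $(printf '%s' "$1" | tr '\n' ' ') "
    ns=$2
    shift 2
    for sa in "$@"; do
        case "$users" in
            *" system:serviceaccount:$ns:$sa "*) ;;
            *) echo "$sa" ;;
        esac
    done
}

# Live checks against the cluster (need an oc session allowed to read SCCs).
# Each returns non-zero and names the gap when an expected grant is missing.
check_anyuid_scc() {
    missing=$(missing_scc_users "$(oc get scc anyuid -o jsonpath='{.users[*]}')" \
                                "$ISTIO_NAMESPACE" $ISTIO_SERVICE_ACCOUNTS)
    [ -z "$missing" ] || { printf 'anyuid not granted to:\n%s\n' "$missing"; return 1; }
}

check_privileged_scc() {   # $1: the <target-namespace> used in the last command above
    missing=$(missing_scc_users "$(oc get scc privileged -o jsonpath='{.users[*]}')" "$1" default)
    [ -z "$missing" ] || { printf 'privileged not granted to %s/default\n' "$1"; return 1; }
}
```

Run `check_anyuid_scc` and `check_privileged_scc <target-namespace>` after the commands above; an empty result means every expected grant is present.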