
Join an OCP cluster to service mesh

OCP (OpenShift Container Platform) is a container platform launched by Red Hat.

This page describes the steps for connecting an OCP cluster to the service mesh.

SCC Security Policy Settings

In the OpenShift cluster, grant the privileged SCC to the service accounts the service mesh runs under in its namespaces. The two namespaces istio-operator and istio-system are used as examples:

oc adm policy add-scc-to-user privileged system:serviceaccount:istio-operator:istio-operator
oc adm policy add-scc-to-user privileged system:serviceaccount:istio-system:istio-system

Connect to OpenShift cluster

Create a mesh and attach the OpenShift cluster to it. Returning to the mesh list shows the OpenShift cluster as successfully connected.

However, the backend reports an error:

COMMIT
2022-10-27T07:06:50.610621Z info Running command: iptables-restore --noflush /tmp/iptables-rules-1666854410610268141.txt1105821213
2022-10-27T07:06:50.616716Z error Command error output: xtables parameter problem: iptables-restore: unable to initialize table 'nat'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
2022-10-27T07:06:50.616746Z error Failed to execute: iptables-restore --noflush /tmp/iptables-rules-1666854410610268141.txt1105821213, exit status 2

Eliminate the error with the following steps.

Activate iptables on OCP

Modify YAML

Use the following YAML as a reference and adjust it to the actual environment. It is a DaemonSet, so one pod runs on every node:

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: dsm-init
  namespace: openshift-sdn
spec:
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: dsm-init
  template:
    metadata:
      labels:
        app: dsm-init
        type: infra
    spec:
      containers:
      - command:
        - /bin/sh
        - -c
        - |
          #!/bin/sh
          set -x
          # Adding a nat rule and deleting it again initializes the nat table on this node,
          # so the iptables-restore run by the sidecar init container can find it later
          iptables -t nat -A OUTPUT -m tcp -p tcp -m owner ! --gid-owner 1337 -j REDIRECT --to-ports 15006
          iptables -t nat -D OUTPUT -m tcp -p tcp -m owner ! --gid-owner 1337 -j REDIRECT --to-ports 15006
          # Keep the pod alive so the DaemonSet does not restart it in a loop
          while true; do sleep 100d; done
        image: release.daocloud.io/mspider/proxyv2:1.15.0 # Modify the image address of the proxy
        name: dsm-init
        resources:
          requests:
            cpu: 100m
            memory: 20Mi
        securityContext:
          privileged: true
      dnsPolicy: ClusterFirst
      hostNetwork: true
      hostPID: true
      nodeSelector:
        kubernetes.io/os: linux
      priorityClassName: system-node-critical
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: sdn
      serviceAccountName: sdn

Add parameters

Add the following parameter line to the globalmesh YAML:

istio.custom_params.components.cni.enabled: "true"

Note

OpenShift 4.1+ drops iptables in favor of nftables. The Istio CNI plug-in therefore needs to be installed; otherwise the following error occurs during sidecar injection, because the iptables-restore command run by the init container cannot be executed.

istio iptables-restore: unable to initialize table 'nat'
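The two failure signatures on this page (the iptables-restore error in the backend log above and a missing istio-cni configuration file) can be checked from a node before onboarding workloads. The following POSIX shell script is an added example, not code from the original page or from the service mesh project; the function names, the sample log fragment and the temporary directory layout are constructed for the example, and the CNI directory and file name follow the IstioOperator values shown below.

```shell
#!/bin/sh
# Added example (not from the original page): node preflight checks for the
# nat-table failure and the istio-cni configuration file.
# Function names, sample data and paths are constructed for this example.

# Exact error text from the backend log quoted on this page.
NAT_INIT_ERR="iptables-restore: unable to initialize table 'nat'"

# nat_error_in_log FILE
# Returns 0 when the log contains the nat-table initialization failure.
nat_error_in_log() {
    grep -q -F "$NAT_INIT_ERR" "$1"
}

# cni_conf_present CONF_DIR CONF_FILE
# Returns 0 when the istio-cni config exists and is non-empty at the
# location given by cniConfDir / cniConfFileName in the IstioOperator.
cni_conf_present() {
    [ -s "$1/$2" ]
}

# preflight LOGFILE CONF_DIR CONF_FILE
# Prints one line per finding; exit status 0 means the node looks ready.
preflight() {
    log=$1; dir=$2; file=$3
    status=0
    if nat_error_in_log "$log"; then
        echo "nat table not initialized on this node (apply the DaemonSet step)"
        status=1
    fi
    if ! cni_conf_present "$dir" "$file"; then
        echo "istio-cni config missing: $dir/$file (apply the istio-cni step)"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "preflight ok"
    return "$status"
}

# demo: constructed sample with the failing log and an empty CNI directory.
# Returns the preflight status (1 for this sample, since both checks fail).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/proxy.log" <<'EOF'
2022-10-27T07:06:50.610621Z info Running command: iptables-restore --noflush /tmp/iptables-rules.txt
2022-10-27T07:06:50.616716Z error Command error output: xtables parameter problem: iptables-restore: unable to initialize table 'nat'
EOF
    mkdir -p "$tmp/net.d"
    preflight "$tmp/proxy.log" "$tmp/net.d" istio-cni.conf
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

On a real node, source the script and call `preflight` with the init container's log (for example captured with `oc logs <pod> -c istio-init`) and the cniConfDir and cniConfFileName configured in the IstioOperator; `demo` runs the same checks against the constructed sample and reports both findings.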

Deploy istio-cni with the following IstioOperator configuration:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    cni:
      enabled: true
      namespace: istio-system
  values:
    sidecarInjectorWebhook:
      injectedAnnotations:
        k8s.v1.cni.cncf.io/networks: istio-cni
    cni:
      excludeNamespaces:
        - istio-system
      psp_cluster_role: enabled
      cniBinDir: /var/lib/cni/bin
      cniConfDir: /etc/cni/multus/net.d
      cniConfFileName: istio-cni.conf
      chained: false
