diff --git a/README.adoc b/README.adoc
index 12ac76c85..60c124955 100644
--- a/README.adoc
+++ b/README.adoc
@@ -97,6 +97,33 @@ oc create \
 After the role is granted, switch back to a non-privileged user.
+Jaeger Agent can be configured to be deployed as a `DaemonSet` using a `HostPort` to allow Jaeger clients in the same node to discover the agent. In OpenShift, a `HostPort` can only be set when a special security context is set. A separate service account can be used by the Jaeger Agent with the permission to bind to `HostPort`, as follows:
+
+[source,bash]
+----
+oc create -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/examples/openshift/hostport-scc-daemonset.yaml # <1>
+
+oc new-project myappnamespace
+oc create -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/examples/openshift/service_account_jaeger-agent-daemonset.yaml # <2>
+oc adm policy add-scc-to-user daemonset-with-hostport -z jaeger-agent-daemonset # <3>
+oc apply -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/examples/openshift/agent-as-daemonset.yaml # <4>
+----
+<1> The `SecurityContextConstraints` with the `allowHostPorts` policy
+<2> The `ServiceAccount` to be used by the Jaeger Agent
+<3> Adds the security policy to the service account
+<4> Creates the Jaeger Instance using the `serviceAccount` created in the steps above
+
+WARNING: without such a policy, errors like the following will prevent a `DaemonSet` to be created: `Warning FailedCreate 4s (x14 over 45s) daemonset-controller Error creating: pods "agent-as-daemonset-agent-daemonset-" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.containers[0].hostPort: Invalid value: 5775: Host ports are not allowed to be used`
+
+After a few seconds, the `DaemonSet` should be up and running:
+
+[source,console]
+----
+$ oc get daemonset agent-as-daemonset-agent-daemonset
+NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE
+agent-as-daemonset-agent-daemonset 1 1 1 1 1
+----
+
 == Creating a new Jaeger instance
 Example custom resources, for different configurations of Jaeger, can be found https://github.com/jaegertracing/jaeger-operator/tree/master/deploy/examples[here].
diff --git a/deploy/examples/openshift/agent-as-daemonset.yaml b/deploy/examples/openshift/agent-as-daemonset.yaml
new file mode 100644
index 000000000..8773d482b
--- /dev/null
+++ b/deploy/examples/openshift/agent-as-daemonset.yaml
@@ -0,0 +1,10 @@
+apiVersion: jaegertracing.io/v1
+kind: Jaeger
+metadata:
+ name: agent-as-daemonset
+spec:
+ agent:
+ strategy: DaemonSet
+ serviceAccount: jaeger-agent-daemonset
+ options:
+ log-level: debug
diff --git a/deploy/examples/openshift/hostport-scc-daemonset.yaml b/deploy/examples/openshift/hostport-scc-daemonset.yaml
new file mode 100644
index 000000000..fe423317b
--- /dev/null
+++ b/deploy/examples/openshift/hostport-scc-daemonset.yaml
@@ -0,0 +1,11 @@
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+ name: daemonset-with-hostport
+ annotations:
+ kubernetes.io/description: 'Allows DaemonSets to bind to a well-known host port'
+runAsUser:
+ type: RunAsAny
+seLinuxContext:
+ type: RunAsAny
+allowHostPorts: true
diff --git a/deploy/examples/openshift/service_account_jaeger-agent-daemonset.yaml b/deploy/examples/openshift/service_account_jaeger-agent-daemonset.yaml
new file mode 100644
index 000000000..5a4d2d555
--- /dev/null
+++ b/deploy/examples/openshift/service_account_jaeger-agent-daemonset.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: jaeger-agent-daemonset
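Review bot: The new `agent-as-daemonset.yaml` example sets `log-level: debug` under `options`, while the README change in this same commit tells users to `oc apply` the file verbatim from the master branch, so a copy-paste deployment turns on debug logging for the agent on every node. Debug output is noisier than operators normally want in node logs and, depending on what the agent logs at that level, may carry more request detail than intended; this should be an explicit opt-in rather than the example default. Suggest dropping the `options` block, or keeping it with a comment above it such as `# debug logging is for troubleshooting only; remove before using this example in production`.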
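Review bot: The new `hostport-scc-daemonset.yaml` grants more than the host-port capability its name and description advertise: `runAsUser: RunAsAny` and `seLinuxContext: RunAsAny` let any pod under a service account bound to this SCC run as UID 0 with an arbitrary SELinux label, whereas the README in this commit only needs `allowHostPorts: true` to get past the `Host ports are not allowed to be used` rejection it quotes. Unless the agent container actually requires root, the two strategies can stay at the restricted defaults, `runAsUser: {type: MustRunAsRange}` and `seLinuxContext: {type: MustRunAs}`, so the SCC remains a narrow, auditable exception. Since an SCC is cluster-scoped and is attached per service account via `oc adm policy add-scc-to-user`, it is also worth naming the intended workload in the `kubernetes.io/description` annotation, e.g. `'Allows the Jaeger agent DaemonSet to bind a well-known host port; grants no other relaxation'`. If the target OpenShift version requires `fsGroup` and `supplementalGroups` strategies on an SCC, they should be declared explicitly here too — worth confirming before merging.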