From fcfd56003d0007eb62672361ac34e95c818928ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juraci=20Paix=C3=A3o=20Kr=C3=B6hling?=
Date: Wed, 5 Jun 2019 13:48:52 +0200
Subject: [PATCH] Added instructions for DaemonSets on OpenShift
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Closes #459
Signed-off-by: Juraci Paixão Kröhling
---
README.adoc | 27 +++++++++++++++++++
.../openshift/agent-as-daemonset.yaml | 10 +++++++
deploy/hostport-scc-daemonset.yaml | 11 ++++++++
...ervice_account_jaeger-agent-daemonset.yaml | 4 +++
pkg/cmd/start/main.go | 2 +-
5 files changed, 53 insertions(+), 1 deletion(-)
create mode 100644 deploy/examples/openshift/agent-as-daemonset.yaml
create mode 100644 deploy/hostport-scc-daemonset.yaml
create mode 100644 deploy/service_account_jaeger-agent-daemonset.yaml
diff --git a/README.adoc b/README.adoc
index 12ac76c853..382d71050f 100644
--- a/README.adoc
+++ b/README.adoc
@@ -97,6 +97,33 @@ oc create \
 After the role is granted, switch back to a non-privileged user.
+Jaeger Agent can be configured to be deployed as a `DaemonSet` using a `HostPort` to allow Jaeger clients in the same node to discover the agent. In OpenShift, a `HostPort` can only be set when a special security context is set. A separate service account can be used by the Jaeger Agent with the permission to bind to `HostPort`, as follows:
+
+[source,bash]
+----
+oc create -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/hostport-scc-daemonset.yaml # <1>
+
+oc new-project myappnamespace
+oc create -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/service_account_jaeger-agent-daemonset.yaml # <2>
+oc adm policy add-scc-to-user daemonset-with-hostport -z jaeger-agent-daemonset # <3>
+oc apply -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/examples/openshift/agent-as-daemonset.yaml # <4>
+----
+<1> The `SecurityContextConstraints` with the `allowHostPorts` policy
+<2> The `ServiceAccount` to be used by the Jaeger Agent
+<3> Adds the security policy to the service account
+<4> Creates the Jaeger Instance using the `serviceAccount` created in the steps above
+
+WARNING: without such a policy, errors like the following will prevent a `DaemonSet` to be created: `Warning FailedCreate 4s (x14 over 45s) daemonset-controller Error creating: pods "agent-as-daemonset-agent-daemonset-" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.containers[0].hostPort: Invalid value: 5775: Host ports are not allowed to be used`
+
+After a few seconds, the `DaemonSet` should be up and running:
+
+[source,console]
+----
+$ oc get daemonset agent-as-daemonset-agent-daemonset
+NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE
+agent-as-daemonset-agent-daemonset 1 1 1 1 1
+----
+
 == Creating a new Jaeger instance
 Example custom resources, for
different configurations of Jaeger, can be found https://github.com/jaegertracing/jaeger-operator/tree/master/deploy/examples[here].
diff --git a/deploy/examples/openshift/agent-as-daemonset.yaml b/deploy/examples/openshift/agent-as-daemonset.yaml
new file mode 100644
index 0000000000..8773d482bd
--- /dev/null
+++ b/deploy/examples/openshift/agent-as-daemonset.yaml
@@ -0,0 +1,10 @@
+apiVersion: jaegertracing.io/v1
+kind: Jaeger
+metadata:
+ name: agent-as-daemonset
+spec:
+ agent:
+ strategy: DaemonSet
+ serviceAccount: jaeger-agent-daemonset
+ options:
+ log-level: debug
diff --git a/deploy/hostport-scc-daemonset.yaml b/deploy/hostport-scc-daemonset.yaml
new file mode 100644
index 0000000000..fe423317be
--- /dev/null
+++ b/deploy/hostport-scc-daemonset.yaml
@@ -0,0 +1,11 @@
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+ name: daemonset-with-hostport
+ annotations:
+ kubernetes.io/description: 'Allows DaemonSets to bind to a well-known host port'
+runAsUser:
+ type: RunAsAny
+seLinuxContext:
+ type: RunAsAny
+allowHostPorts: true
diff --git a/deploy/service_account_jaeger-agent-daemonset.yaml b/deploy/service_account_jaeger-agent-daemonset.yaml
new file mode 100644
index 0000000000..5a4d2d5555
--- /dev/null
+++ b/deploy/service_account_jaeger-agent-daemonset.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: jaeger-agent-daemonset
diff --git a/pkg/cmd/start/main.go b/pkg/cmd/start/main.go
index aa17132154..be419d2c7e 100644
--- a/pkg/cmd/start/main.go
+++ b/pkg/cmd/start/main.go
@@ -24,7 +24,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/runtime/signals"
 "github.com/jaegertracing/jaeger-operator/pkg/apis"
- "github.com/jaegertracing/jaeger-operator/pkg/apis/jaegertracing/v1"
+ v1 "github.com/jaegertracing/jaeger-operator/pkg/apis/jaegertracing/v1"
 "github.com/jaegertracing/jaeger-operator/pkg/controller"
 "github.com/jaegertracing/jaeger-operator/pkg/version"
 )
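Review bot: Nothing in deploy/examples/openshift/agent-as-daemonset.yaml tells a reader that `serviceAccount: jaeger-agent-daemonset` must already exist in the target namespace and be granted the `daemonset-with-hostport` SCC. Applied on its own, the example would presumably fail with the FailedCreate error quoted in the README hunk of this patch. A header comment would cover it: `# Requires the jaeger-agent-daemonset ServiceAccount bound to the daemonset-with-hostport SCC, see README.adoc`. The `log-level: debug` option could also carry a short comment marking it as optional, since examples tend to be copied unchanged.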
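Review bot: The constraint in deploy/hostport-scc-daemonset.yaml grants more than its description states: `runAsUser` and `seLinuxContext` are both `RunAsAny`, so a pod admitted under `daemonset-with-hostport` may also run as UID 0 and request its own SELinux context, while the stated purpose is only host ports. If the agent image does not depend on a fixed UID (not visible in this patch), `type: MustRunAsRange` under `runAsUser` and `type: MustRunAs` under `seLinuxContext` would match the restricted SCC and leave `allowHostPorts: true` as the single relaxation. Listing the remaining switches explicitly, for example `allowPrivilegedContainer: false` and `allowHostNetwork: false`, would also document what this SCC is not meant to grant.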