From c80511c4f6591d09bc685446fcbdacdd6a3f0498 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juraci=20Paix=C3=A3o=20Kr=C3=B6hling?=
Date: Wed, 5 Jun 2019 13:48:52 +0200
Subject: [PATCH 1/3] Added instructions for DaemonSets on OpenShift
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Closes #459
Signed-off-by: Juraci Paixão Kröhling
---
 README.adoc | 27 +++++++++++++++++++
 .../openshift/agent-as-daemonset.yaml | 10 +++++++
 deploy/hostport-scc-daemonset.yaml | 11 ++++++++
 ...ervice_account_jaeger-agent-daemonset.yaml | 4 +++
 4 files changed, 52 insertions(+)
 create mode 100644 deploy/examples/openshift/agent-as-daemonset.yaml
 create mode 100644 deploy/hostport-scc-daemonset.yaml
 create mode 100644 deploy/service_account_jaeger-agent-daemonset.yaml
diff --git a/README.adoc b/README.adoc
index 12ac76c85..382d71050 100644
--- a/README.adoc
+++ b/README.adoc
@@ -97,6 +97,33 @@ oc create \
 After the role is granted, switch back to a non-privileged user.
+Jaeger Agent can be configured to be deployed as a `DaemonSet` using a `HostPort` to allow Jaeger clients in the same node to discover the agent. In OpenShift, a `HostPort` can only be set when a special security context is set. A separate service account can be used by the Jaeger Agent with the permission to bind to `HostPort`, as follows:
+
+[source,bash]
+----
+oc create -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/hostport-scc-daemonset.yaml # <1>
+
+oc new-project myappnamespace
+oc create -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/service_account_jaeger-agent-daemonset.yaml # <2>
+oc adm policy add-scc-to-user daemonset-with-hostport -z jaeger-agent-daemonset # <3>
+oc apply -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/examples/openshift/agent-as-daemonset.yaml # <4>
+----
+<1> The `SecurityContextConstraints` with the `allowHostPorts` policy
+<2> The `ServiceAccount` to be used by the Jaeger Agent
+<3> Adds the security policy to the service account
+<4> Creates the Jaeger Instance using the `serviceAccount` created in the steps above
+
+WARNING: without such a policy, errors like the following will prevent a `DaemonSet` to be created: `Warning FailedCreate 4s (x14 over 45s) daemonset-controller Error creating: pods "agent-as-daemonset-agent-daemonset-" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.containers[0].hostPort: Invalid value: 5775: Host ports are not allowed to be used`
+
+After a few seconds, the `DaemonSet` should be up and running:
+
+[source,console]
+----
+$ oc get daemonset agent-as-daemonset-agent-daemonset
+NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE
+agent-as-daemonset-agent-daemonset 1 1 1 1 1
+----
+
 == Creating a new Jaeger instance
 Example custom resources, for
different configurations of Jaeger, can be found https://github.com/jaegertracing/jaeger-operator/tree/master/deploy/examples[here].
diff --git a/deploy/examples/openshift/agent-as-daemonset.yaml b/deploy/examples/openshift/agent-as-daemonset.yaml
new file mode 100644
index 000000000..8773d482b
--- /dev/null
+++ b/deploy/examples/openshift/agent-as-daemonset.yaml
@@ -0,0 +1,10 @@
+apiVersion: jaegertracing.io/v1
+kind: Jaeger
+metadata:
+ name: agent-as-daemonset
+spec:
+ agent:
+ strategy: DaemonSet
+ serviceAccount: jaeger-agent-daemonset
+ options:
+ log-level: debug
diff --git a/deploy/hostport-scc-daemonset.yaml b/deploy/hostport-scc-daemonset.yaml
new file mode 100644
index 000000000..fe423317b
--- /dev/null
+++ b/deploy/hostport-scc-daemonset.yaml
@@ -0,0 +1,11 @@
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+ name: daemonset-with-hostport
+ annotations:
+ kubernetes.io/description: 'Allows DaemonSets to bind to a well-known host port'
+runAsUser:
+ type: RunAsAny
+seLinuxContext:
+ type: RunAsAny
+allowHostPorts: true
diff --git a/deploy/service_account_jaeger-agent-daemonset.yaml b/deploy/service_account_jaeger-agent-daemonset.yaml
new file mode 100644
index 000000000..5a4d2d555
--- /dev/null
+++ b/deploy/service_account_jaeger-agent-daemonset.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: jaeger-agent-daemonset
From 9dbee3d521aa9ca09ed36ff701aa16a0e148811c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juraci=20Paix=C3=A3o=20Kr=C3=B6hling?=
Date: Wed, 5 Jun 2019 17:04:24 +0200
Subject: [PATCH 2/3] Moved new examples to OpenShift directory
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
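Review bot: In deploy/hostport-scc-daemonset.yaml the constraint is annotated as only allowing a host port, but `runAsUser: type: RunAsAny` and `seLinuxContext: type: RunAsAny` also let any pod admitted under it choose its own UID, including 0, and its own SELinux context. Every service account later bound to `daemonset-with-hostport` inherits that, so the grant is wider than the description says. If the agent image runs under a namespace-assigned UID (not visible in this patch), I would narrow the two strategies to `type: MustRunAsRange` under `runAsUser` and `type: MustRunAs` under `seLinuxContext`, leaving `allowHostPorts: true` as the only relaxation. `allowHostPorts` does not restrict which port is bound, which is worth stating in the `kubernetes.io/description` annotation.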
Signed-off-by: Juraci Paixão Kröhling
---
 deploy/{ => examples/openshift}/hostport-scc-daemonset.yaml | 0
 .../openshift}/service_account_jaeger-agent-daemonset.yaml | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename deploy/{ => examples/openshift}/hostport-scc-daemonset.yaml (100%)
 rename deploy/{ => examples/openshift}/service_account_jaeger-agent-daemonset.yaml (100%)
diff --git a/deploy/hostport-scc-daemonset.yaml b/deploy/examples/openshift/hostport-scc-daemonset.yaml
similarity index 100%
rename from deploy/hostport-scc-daemonset.yaml
rename to deploy/examples/openshift/hostport-scc-daemonset.yaml
diff --git a/deploy/service_account_jaeger-agent-daemonset.yaml b/deploy/examples/openshift/service_account_jaeger-agent-daemonset.yaml
similarity index 100%
rename from deploy/service_account_jaeger-agent-daemonset.yaml
rename to deploy/examples/openshift/service_account_jaeger-agent-daemonset.yaml
From f6fc29a0597b810e60bb71982be1643e0663b904 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juraci=20Paix=C3=A3o=20Kr=C3=B6hling?=
Date: Wed, 5 Jun 2019 17:29:55 +0200
Subject: [PATCH 3/3] Fixed path to the new files in the readme
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Juraci Paixão Kröhling
---
 README.adoc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.adoc b/README.adoc
index 382d71050..60c124955 100644
--- a/README.adoc
+++ b/README.adoc
@@ -101,10 +101,10 @@ Jaeger Agent can be configured to be deployed as a `DaemonSet` using a `HostPort
 [source,bash]
 ----
-oc create -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/hostport-scc-daemonset.yaml # <1>
+oc create -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/examples/openshift/hostport-scc-daemonset.yaml # <1>
 oc new-project myappnamespace
-oc create -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/service_account_jaeger-agent-daemonset.yaml # <2>
+oc create -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/examples/openshift/service_account_jaeger-agent-daemonset.yaml # <2>
 oc adm policy add-scc-to-user daemonset-with-hostport -z jaeger-agent-daemonset # <3>
 oc apply -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/examples/openshift/agent-as-daemonset.yaml # <4>
 ----