```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: ucdr-conf-vol
  labels:
    volume: ucdr-conf-vol
spec:
  capacity:
    storage: 10Mi
  accessModes:
    - ReadWriteOnce
  nfs:
    server: 192.168.1.17
    path: /volume1/k8/ucdr-conf
```

```yaml
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: ucdr-conf-volc
spec:
  storageClassName: ""
  accessModes:
    - "ReadWriteOnce"
  resources:
    requests:
      storage: 10Mi
  selector:
    matchLabels:
      volume: ucdr-conf-vol
```
Example setup scripts to create the Persistent Volume and Persistent Volume Claim are included in the Helm chart under the pak_extensions/pre-install/persistentStorageAdministration directory.
The secret can be created either by using the Cluster Console or using the kubectl CLI.
Through the Cluster Console, create Secret objects in the target namespace.
Through the kubectl CLI, create a Secret object in the target namespace. First generate the base64-encoded value for the CodeStation authentication token:

```shell
echo -n 255b21b7-ca48-4f2e-95c0-048fdbff4197 | base64
MjU1YjIxYjctY2E0OC00ZjJlLTk1YzAtMDQ4ZmRiZmY0MTk3
```
Create a file named secret.yaml with the following contents, using your Helm release name and the base64-encoded value.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: MyRelease-secrets
type: Opaque
data:
  cspassword: MjU1YjIxYjctY2E0OC00ZjJlLTk1YzAtMDQ4ZmRiZmY0MTk3
```

Create the Secret using kubectl apply:

```shell
kubectl apply -f ./secret.yaml
```
Delete or shred the secret.yaml file.
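The same procedure as an added example in Python (not a script shipped with the chart): the manifest is rendered in memory and handed to kubectl on stdin, so no secret.yaml ever has to be shredded, and a trailing newline in a token file is dropped the way `echo -n` drops it. It assumes the `<release>-secrets` name and `cspassword` key used on this page and that kubectl is on the PATH.

```python
import base64
import re
import subprocess

# A Secret name must be a DNS-1123 subdomain: lowercase alphanumerics, '-', '.'.
DNS1123 = re.compile(r"^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$")


def valid_object_name(name):
    """True if the API server would accept name as metadata.name."""
    return len(name) <= 253 and DNS1123.match(name) is not None


def encode_token(token):
    """base64 of the raw token; a trailing newline (as a token file or a plain
    "echo" would add) is dropped first, matching the "echo -n" step above."""
    return base64.b64encode(token.rstrip("\r\n").encode("utf-8")).decode("ascii")


def secret_manifest(release, token):
    """Render the Secret manifest for a Helm release, as in secret.yaml above."""
    name = f"{release}-secrets"
    if not valid_object_name(name):  # e.g. uppercase letters are rejected
        raise ValueError(f"{name!r} is not a valid Kubernetes object name")
    return (
        "apiVersion: v1\n"
        "kind: Secret\n"
        "metadata:\n"
        f"  name: {name}\n"
        "type: Opaque\n"
        "data:\n"
        f"  cspassword: {encode_token(token)}\n"
    )


def apply_secret(release, token, namespace):
    """Feed the manifest to kubectl on stdin ("-f -"); nothing is written to disk."""
    subprocess.run(["kubectl", "apply", "-n", namespace, "-f", "-"],
                   input=secret_manifest(release, token), text=True, check=True)


def read_token(path):
    """Read the token from a file rather than typing it on a command line."""
    with open(path, encoding="utf-8") as fh:
        return fh.read()
```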
PodSecurityPolicy Requirements
This chart requires a PodSecurityPolicy to be bound to the target namespace prior to installation. Choose either a predefined PodSecurityPolicy or have your cluster administrator create a custom PodSecurityPolicy for you.
The predefined PodSecurityPolicy named ibm-restricted-psp has been verified for this chart; if your target namespace is bound to this PodSecurityPolicy, you can proceed to install the chart.
This chart also defines a custom PodSecurityPolicy which can be used to finely control the permissions and capabilities needed to deploy this chart. You can enable this custom PodSecurityPolicy using the Cluster Console user interface or the supplied instructions and scripts in the pak_extensions/pre-install directory.
From the user interface, you can copy and paste the following snippets to enable the custom PodSecurityPolicy:
```yaml
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  annotations:
    kubernetes.io/description: "This policy is based on the most restrictive policy, requiring pods to run with a non-root UID, and preventing pods from accessing the host."
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
  name: ibm-ucd-prod-psp
spec:
  allowPrivilegeEscalation: false
  forbiddenSysctls:
    - '*'
  fsGroup:
    ranges:
      - max: 65535
        min: 1
    rule: MustRunAs
  hostNetwork: false
  hostPID: false
  hostIPC: false
  requiredDropCapabilities:
    - ALL
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    ranges:
      - max: 65535
        min: 1
    rule: MustRunAs
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
```

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ibm-ucd-prod-clusterrole
rules:
  - apiGroups:
      - extensions
    resourceNames:
      - ibm-ucd-prod-psp
    resources:
      - podsecuritypolicies
    verbs:
      - use
```
Replace {{ NAMESPACE }} in the template with the actual namespace.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ibm-ucd-prod-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ibm-ucd-prod-clusterrole
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:serviceaccounts:{{ NAMESPACE }}
```
From the command line, you can run the setup scripts included under pak_extensions.
As a cluster administrator, the pre-install scripts and instructions are located at:
As a team admin or operator, the namespace-scoped scripts and instructions are located at:
Red Hat OpenShift SecurityContextConstraints Requirements
If running in a Red Hat OpenShift cluster, this chart requires a SecurityContextConstraints resource to be bound to the target namespace prior to installation. Meeting this requirement may involve cluster-scoped as well as namespace-scoped pre- and post-install actions.
The predefined SecurityContextConstraints named ibm-restricted-scc has been verified for this chart; if your target namespace is bound to this SecurityContextConstraints resource, you can proceed to install the chart.
This chart defines a custom SecurityContextConstraints resource which can be used to finely control the permissions and capabilities needed to deploy this chart. You can enable this custom SecurityContextConstraints resource using the supplied instructions or scripts in the pak_extensions/pre-install directory.
From the user interface, you can copy and paste the following snippet to enable the custom SecurityContextConstraints:
```yaml
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  annotations:
  name: ibm-ucd-prod-scc
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
allowedCapabilities: []
allowedFlexVolumes: []
defaultAddCapabilities: []
defaultPrivilegeEscalation: false
forbiddenSysctls:
  - "*"
fsGroup:
  type: MustRunAs
  ranges:
    - max: 65535
      min: 1
readOnlyRootFilesystem: false
requiredDropCapabilities:
  - ALL
runAsUser:
  type: MustRunAsNonRoot
seccompProfiles:
  - docker/default
seLinuxContext:
  type: RunAsAny
supplementalGroups:
  type: MustRunAs
  ranges:
    - max: 65535
      min: 1
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
priority: 0
```
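As an added example (not part of the chart), a static check of a pod `.spec` against the rules that ibm-ucd-prod-psp and ibm-ucd-prod-scc above share (no host namespaces or host ports, non-root UID, no added capabilities or privilege escalation, no sysctls, group IDs in 1-65535, only the listed volume types), so a pod that admission would reject can be explained before it is submitted. It assumes the spec arrives as a plain dict (for instance from a YAML loader); the sample specs and image name are constructed placeholders.

```python
ALLOWED_VOLUMES = {"configMap", "emptyDir", "projected", "secret",
                   "downwardAPI", "persistentVolumeClaim"}
GID_MIN, GID_MAX = 1, 65535  # fsGroup / supplementalGroups MustRunAs ranges

def psp_violations(spec):
    """Rule violations for a pod .spec dict; empty means admissible. A pod setting
    neither runAsNonRoot nor runAsUser is not flagged: admission injects
    runAsNonRoot=true and the kubelet then checks the image's USER at start."""
    v = []
    psc = spec.get("securityContext") or {}
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            v.append(f"{flag}: true is forbidden")
    if psc.get("sysctls"):
        v.append("sysctls are forbidden (forbiddenSysctls: '*')")
    for gid in [psc.get("fsGroup"), *(psc.get("supplementalGroups") or [])]:
        if gid is not None and not GID_MIN <= gid <= GID_MAX:
            v.append(f"group id {gid} is outside the MustRunAs range {GID_MIN}-{GID_MAX}")
    for vol in spec.get("volumes") or []:
        for kind in (k for k in vol if k != "name"):  # the key naming the source
            if kind not in ALLOWED_VOLUMES:
                v.append(f"volume {vol.get('name')!r}: type {kind} is not allowed")
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        csc = c.get("securityContext") or {}
        tag = f"container {c.get('name')!r}"
        non_root = csc.get("runAsNonRoot", psc.get("runAsNonRoot"))
        uid = csc.get("runAsUser", psc.get("runAsUser"))
        if non_root is False or uid == 0:
            v.append(f"{tag}: MustRunAsNonRoot forbids runAsNonRoot false or runAsUser 0")
        if csc.get("privileged") or csc.get("allowPrivilegeEscalation"):
            v.append(f"{tag}: privileged / allowPrivilegeEscalation must stay false")
        if (csc.get("capabilities") or {}).get("add"):
            v.append(f"{tag}: requiredDropCapabilities ALL forbids adding capabilities")
        if any(p.get("hostPort") for p in c.get("ports") or []):
            v.append(f"{tag}: hostPort is not allowed")
    return v

# Constructed sample specs: one that admission would reject, and the fixed form.
REJECTED_SPEC = {
    "hostNetwork": True, "securityContext": {"runAsUser": 0, "fsGroup": 0},
    "volumes": [{"name": "cfg", "hostPath": {"path": "/etc/ucd"}}],
    "containers": [{"name": "ucd", "image": "ucd-image:placeholder",
                    "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
                    "ports": [{"containerPort": 8443, "hostPort": 8443}]}]}
ADMITTED_SPEC = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 1000},
    "volumes": [{"name": "cfg", "persistentVolumeClaim": {"claimName": "ucdr-conf-volc"}}],
    "containers": [{"name": "ucd", "image": "ucd-image:placeholder",
                    "securityContext": {"allowPrivilegeEscalation": False},
                    "ports": [{"containerPort": 8443}]}]}
```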
From the command line, you can run the setup scripts included under pak_extensions/pre-install.
As a cluster admin, the pre-install instructions are located at:
As a team admin, the namespace-scoped instructions are located at:
Resources Required
Kubernetes 1.9
Helm chart configuration parameters
Storage
See the Prerequisites section of this page for storage information.