With the recent announcement of VMware and Bitnami joining forces, I wanted to revisit the kubeapps project on Enterprise PKS earlier today. I followed the community documentation but ran into some smaller issues (see my GitHub comments here) that were coming up in the MongoDB deployment initially and that turned out to be related to the “--enable-admission-plugins=SecurityContextDeny” flag on the Kubernetes API server. Enterprise PKS has a default setting to not enable privileged containers and therefore, the flag “--enable-admission-plugins=SecurityContextDeny” is set on the API server. As such, “runAsUser” did not work for MongoDB. This setting can be changed on a per-plan basis in PKS 1.3.

  • You have to set “Enable Privileged Containers – Use with caution” in your Enterprise PKS plan configuration (tested with PKS 1.3.6), save the settings and apply changes in Ops Manager (including the “Upgrade Cluster Errand” to run for changes to be applied to the K8s config as well).
  • Install Helm
  • Add the bitnami repo:
helm repo add bitnami https://charts.bitnami.com/bitnami
  • Add a “kubeapps” namespace to deploy into
kubectl create namespace kubeapps
vi rbac-config-tiller.yaml
---
# Service account that Tiller runs as
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
# Binds the tiller service account to the cluster-admin ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system
---
kubectl create -f rbac-config-tiller.yaml
  • Leverage newly created service account for Tiller:
helm init --service-account tiller
kubectl create serviceaccount kubeapps-operator 

kubectl create clusterrolebinding kubeapps-operator --clusterrole=cluster-admin --serviceaccount=default:kubeapps-operator

kubectl get secret $(kubectl get serviceaccount kubeapps-operator -o jsonpath='{.secrets[].name}') -o jsonpath='{.data.token}' | base64 --decode
  • Copy the secret for use in the kubeapps dashboard later on.
  • Since NSX-T brings an out-of-the-box capability for exposing kubeapps to an external IP address, we can use LoadBalancer and skip the port-forwarding section of the documentation. Following what I found in another bug, I set some extra flags for disabling IPv6:
helm install --name kubeapps --namespace kubeapps bitnami/kubeapps --set frontend.service.type=LoadBalancer --set mongodb.mongodbEnableIPv6=false

After a few minutes, the deployed services & deployments should be up and running:

Then follow part three of the instructions to access the dashboard.
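
The SecurityContextDeny rejection described at the start of this post can be spotted before deploying. The following is an added example, not part of the original post or the kubeapps project: it lists the securityContext fields that plugin rejects in a rendered manifest. The field list is taken from the upstream Kubernetes plugin source, and the sample manifest, its names and its IDs are constructed.

```python
"""Pre-flight check: which securityContext fields would SecurityContextDeny reject?"""

# Fields the SecurityContextDeny admission plugin forbids (taken from the
# upstream Kubernetes plugin source): four at pod level, two per container.
POD_FIELDS = ("supplementalGroups", "seLinuxOptions", "runAsUser", "fsGroup")
CONTAINER_FIELDS = ("seLinuxOptions", "runAsUser")


def pod_spec(obj):
    """Return the pod spec of a Pod, or of a workload that has a pod template."""
    if obj.get("kind") == "Pod":
        return obj.get("spec") or {}
    # Deployment, StatefulSet, DaemonSet, Job: admission runs on the Pods the
    # controller creates later, so the workload is accepted but never starts.
    template = (obj.get("spec") or {}).get("template") or {}
    return template.get("spec") or {}


def denied_fields(obj):
    """List the field paths (relative to the pod spec) that would be rejected."""
    spec = pod_spec(obj)
    pod_sc = spec.get("securityContext") or {}
    hits = [f"spec.securityContext.{f}" for f in POD_FIELDS
            if pod_sc.get(f) is not None]
    for group in ("initContainers", "containers"):
        for c in spec.get(group) or []:
            sc = c.get("securityContext") or {}
            # "is not None" matters: runAsUser: 0 is set, and is rejected too.
            hits += [f"spec.{group}[{c.get('name')}].securityContext.{f}"
                     for f in CONTAINER_FIELDS if sc.get(f) is not None]
    return hits


# Constructed sample shaped like a chart-rendered Deployment (not copied from
# the Bitnami chart): pod-level fsGroup plus container-level runAsUser.
SAMPLE = {
    "kind": "Deployment",
    "metadata": {"name": "example-mongodb"},
    "spec": {"template": {"spec": {
        "securityContext": {"fsGroup": 1001},
        "containers": [
            {"name": "mongodb", "image": "example/mongodb",
             "securityContext": {"runAsUser": 1001, "runAsNonRoot": True}},
            {"name": "metrics", "image": "example/exporter"},
        ],
    }}},
}

if __name__ == "__main__":
    for path in denied_fields(SAMPLE):
        print(f"{SAMPLE['kind']}/{SAMPLE['metadata']['name']}: {path} is forbidden")
```

To check a real manifest, load its JSON form with `json.load` and pass each object to `denied_fields`.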
