Installing an agent in a Kubernetes cluster#

1. The UrbanCode agent must have a UrbanCode Deploy server or relay to connect to.
2. A PersistentVolume that will hold the conf directory for the UrbanCode Deploy agent is required. If your cluster supports dynamic volume provisioning you will not need to create a PersistentVolume (PV) or PersistentVolumeClaim (PVC) before installing this chart. If your cluster does not support dynamic volume provisioning, you will need to either ensure a PV is available or you will need to create one before installing this chart. You can optionally create the PVC to bind it to a specific PV, or you can let the chart create a PVC and bind to any available PV that meets the required size and storage class. Sample YAML to create the PV and PVC are provided below.

apiVersion: v1
kind: PersistentVolume
metadata:
  name: ucdr-conf-vol
  labels:
    volume: ucdr-conf-vol
spec:
  capacity:
    storage: 10Mi
  accessModes:
    -ReadWriteOnce
  nfs:
    server: 192.168.1.17
    path: /volume1/k8/ucdr-conf

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: ucdr-conf-volc
spec:
  storageClassName: ""
  accessModes:
    -"ReadWriteOnce"
  resources:
    requests:
      storage: 10Mi
  selector:
    matchLabels:
      volume: ucdr-conf-vol

Example setup scripts to create the Persistent Volume and Persistent Volume Claim are included in the Helm chart under pak_extensions/pre-install/persistentStorageAdministration directory.

PodSecurityPolicy Requirements

This chart requires a PodSecurityPolicy to be bound to the target namespace prior to installation. Choose either a predefined PodSecurityPolicy or have your cluster administrator create a custom PodSecurityPolicy for you.

The predefined PodSecurityPolicy named ibm-restricted-psp has been verified for this chart, if your target namespace is bound to this PodSecurityPolicy you can proceed to install the chart.

This chart also defines a custom PodSecurityPolicy which can be used to finely control the permissions/capabilities needed to deploy this chart. You can enable this custom PodSecurityPolicy using the Cluster Console user interface or the supplied instructions/scripts in the pak_extension pre-install directory.

• From the user interface, you can copy and paste the following snippets to enable the custom PodSecurityPolicy.

  • Custom PodSecurityPolicy definition:

    ```

    apiVersion: extensions/v1beta1 kind: PodSecurityPolicy metadata: annotations: kubernetes.io/description: "This policy is based on the most restrictive policy, requiring pods to run with a non-root UID, and preventing pods from accessing the host." seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default name: ibm-ucd-prod-psp spec: allowPrivilegeEscalation: false forbiddenSysctls: -'*' fsGroup: ranges: -max: 65535 min: 1 rule: MustRunAs hostNetwork: false hostPID: false hostIPC: false requiredDropCapabilities: -ALL runAsUser: rule: MustRunAsNonRoot seLinux: rule: RunAsAny supplementalGroups: ranges: -max: 65535 min: 1 rule: MustRunAs volumes: -configMap -emptyDir -projected -secret -downwardAPI -persistentVolumeClaim

    ```

  • Custom ClusterRole for the custom PodSecurityPolicy:

    ```

    apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: ibm-ucd-prod-clusterrole rules: - apiGroups: - extensions resourceNames: - ibm-ucd-prod-psp resources: - podsecuritypolicies verbs: - use

    ```

  • RoleBinding for all service accounts in the current namespace. Replace {{ NAMESPACE }} in the template with the actual namespace.

    ```

    apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: ibm-ucd-prod-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: ibm-ucd-prod-clusterrole subjects: -apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts:{{ NAMESPACE }}

    ```

• From the command line, you can run the setup scripts included under pak_extensions.

  As a cluster administrator, the pre-install scripts and instructions are located at:

  • pre-install/clusterAdministration/createSecurityClusterPrereqs.sh As team admin/operator the namespace scoped scripts and instructions are located at:

  • pre-install/namespaceAdministration/createSecurityNamespacePrereqs.sh

Red Hat OpenShift SecurityContextConstraints Requirements

If running in a Red Hat OpenShift cluster, this chart requires a SecurityContextConstraints to be bound to the target namespace prior to installation. To meet this requirement there may be cluster scoped as well as namespace scoped pre and post actions that need to occur.

The predefined SecurityContextConstraints name: ibm-restricted-scc has been verified for this chart, if your target namespace is bound to this SecurityContextConstraints resource you can proceed to install the chart.

This chart defines a custom SecurityContextConstraints which can be used to finely control the permissions/capabilities needed to deploy this chart. You can enable this custom SecurityContextConstraints resource using the supplied instructions or scripts in the pak_extensions/pre-install directory.

• From the user interface, you can copy and paste the following snippets to enable the custom SecurityContextConstraints

  • Custom SecurityContextConstraints definition: ```

  apiVersion: security.openshift.io/v1kind: SecurityContextConstraintsmetadata: annotations: name: ibm-ucd-prod-sccallowHostDirVolumePlugin: falseallowHostIPC: falseallowHostNetwork: falseallowHostPID: falseallowHostPorts: falseallowPrivilegedContainer: falseallowedCapabilities: []allowedFlexVolumes: []defaultAddCapabilities: []defaultPrivilegeEscalation: falseforbiddenSysctls: -"*"fsGroup: type: MustRunAsranges: -max: 65535min: 1readOnlyRootFilesystem: falserequiredDropCapabilities: -ALLrunAsUser: type: MustRunAsNonRootseccompProfiles: -docker/defaultseLinuxContext: type: RunAsAnysupplementalGroups: type: MustRunAsranges: -max: 65535min: 1volumes: -configMap -downwardAPI -emptyDir -persistentVolumeClaim -projected -secretpriority: 0 ```

• From the command line, you can run the setup scripts included under pak_extensions/pre-install As a cluster admin the pre-install instructions are located at:

  • pre-install/clusterAdministration/createSecurityClusterPrereqs.sh As team admin the namespace scoped instructions are located at:

  • pre-install/namespaceAdministration/createSecurityNamespacePrereqs.sh

Resources Required

Kubernetes 1.9

This chart deploys a single instance of the UrbanCode Deploy agent.

1. Complete the steps in Before you begin.

2. Install the chart into the namespace 'default', with the release name my-ucdagent, and reading all remaining installation values from a file named my-agent-values.yaml:

   $ helm install ibm-ucda-prod-@helmchartversion@.tgz --namespace default --name my-ucdagent -f my-agent-values.yaml --tls

   The below configuration section links to a list the parameters that can be set during installation.

   Tip: List all releases using helm list.

3. Check the Resources > Agentspage of the UrbanCode Deploy server user interface to verify the agent has connected successfully.

4. To uninstall/delete the my-ucdagent deployment:

   $ helm delete --purge my-ucdagent

   The command removes all the Kubernetes components associated with the chart and deletes the release.

Configuration

Helm chart configuration parameters

Storage

See the Prerequisites section of this page for storage information.

Parent topic: Installing agents