Running Knative on On-Premise Kubernetes Cluster — IBM Cloud Private

Installation of Knative

kubectl apply -f
kubectl label namespace default istio-injection=enabled
kubectl apply -f

Running Knative Service with Docker Images from Private Registry

kubectl create secret docker-registry admin.regkey \
  --docker-server=mycluster.icp:8500 --docker-username=admin --docker-password=**** --docker-email=admin@mycluster.icp
kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "admin.regkey"}]}'
kubectl describe my-hello-world

Issue Fix 1: Use of Unbound to Allow Private Name Resolving

kubectl create ns mydns
helm install --namespace=mydns --set localRecords[0].name=mycluster.icp,localRecords[0].ip=,allowedIpRanges[0]= stable/unbound --tls
kubectl -n mydns get svc | grep ClusterIP | awk '{print $3}'

apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-dns
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
data:
  stubDomains: |
    {"icp": [""]}

Issue Fix 2: Add Root CA Cert for Self-Signed Certificate of the Private Registry

  1. Add the trusted self-signed CA cert of the private registry into the default root CA cert.
cat ca-certificates.crt.old >
kubectl -n knative-serving create cm my-root-ca

Testing with Curl and Browser

kubectl get my-hello-world -o jsonpath='{.status.domain}'
kubectl get svc knative-ingressgateway -n istio-system -o 'jsonpath={.spec.ports[?(@.port==80)].nodePort}'
curl -H "Host:"
Use ModHeader to add Host Header

Issue Fix 3: Auto Scaling Failure due to ClusterRole Binding Privileged Container

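apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: knative-serving-#{service_account}-privileged
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: privileged
subjects:
- kind: ServiceAccount
  name: #{service_account}
  namespace: knative-serving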
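
After applying the binding above, it is worth confirming which subjects actually hold the privileged ClusterRole. The following is an added example, not code from the original article: it reads data shaped like the output of `kubectl get clusterrolebindings -o json` and flags any subject bound to `privileged` that is not a ServiceAccount in `knative-serving`. The sample bindings and the `controller` and `autoscaler` account names are constructed for illustration.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`.
# Binding and account names are illustrative assumptions, not from a real cluster.
SAMPLE = {
    "items": [
        {"metadata": {"name": "knative-serving-controller-privileged"},
         "roleRef": {"kind": "ClusterRole", "name": "privileged"},
         "subjects": [{"kind": "ServiceAccount", "name": "controller",
                       "namespace": "knative-serving"}]},
        {"metadata": {"name": "knative-serving-autoscaler-privileged"},
         "roleRef": {"kind": "ClusterRole", "name": "privileged"},
         "subjects": [{"kind": "ServiceAccount", "name": "autoscaler",
                       "namespace": "knative-serving"}]},
        {"metadata": {"name": "everyone-privileged"},
         "roleRef": {"kind": "ClusterRole", "name": "privileged"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
        {"metadata": {"name": "viewer"},
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": None},
    ]
}


def privileged_subjects(doc, role="privileged"):
    """Return (binding, kind, namespace, name) for each subject bound to `role`."""
    rows = []
    for item in doc.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        # `subjects` may be absent or null on a binding with no subjects.
        for subj in item.get("subjects") or []:
            rows.append((item["metadata"]["name"], subj.get("kind"),
                         subj.get("namespace"), subj.get("name")))
    return rows


def outside_scope(doc, namespace="knative-serving", role="privileged"):
    """Subjects holding `role` that are not ServiceAccounts in `namespace`."""
    return [r for r in privileged_subjects(doc, role)
            if not (r[1] == "ServiceAccount" and r[2] == namespace)]


if __name__ == "__main__":
    # Pass a file saved from kubectl as argv[1]; otherwise the sample is used.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for row in privileged_subjects(doc):
        print("REVIEW" if row in outside_scope(doc) else "ok", *row)
```

Rows marked REVIEW are subjects that hold the privileged role outside the namespace this fix was meant to cover.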


