Running Knative on On-Premise Kubernetes Cluster — IBM Cloud Private

Installation of Knative

kubectl apply -f https://raw.githubusercontent.com/knative/serving/v0.1.0/third_party/istio-0.8.0/istio.yaml
kubectl label namespace default istio-injection=enabled
kubectl apply -f https://github.com/knative/serving/releases/download/v0.1.0/release.yaml

Running Knative Service with Docker Images from Private Registry

kubectl create secret docker-registry admin.regkey \
  --docker-server=mycluster.icp:8500 --docker-username=admin --docker-password=**** --docker-email=admin@mycluster.icp
kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "admin.regkey"}]}'
kubectl describe services.serving.knative.dev my-hello-world

Issue Fix 1: Use of Unbound to Allow Private Name Resolving

kubectl create ns mydns
helm install --namespace=mydns --set localRecords[0].name=mycluster.icp,localRecords[0].ip=192.168.64.244,allowedIpRanges[0]=10.1.0.0/16 stable/unbound --tls
kubectl -n mydns get svc | grep ClusterIP | awk '{print $3}'
apiVersion: v1
data:
  stubDomains: |
    {"icp": ["10.0.0.193"]}
kind: ConfigMap
metadata:
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
  name: kube-dns
  namespace: kube-system

Issue Fix 2: Add Root CA Cert for Self Signed Certificate of the Private Registry

  1. Add the trusted self-signed CA cert of the private registry into the default root CA cert.
cat ca-certificates.crt.old mycluster.icp.ca.crt > new.ca.crt
kubectl -n knative-serving create cm my-root-ca --from-file=my-root-ca=new.ca.crt
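
A plain cat merge like the one above produces a broken bundle when the first file lacks a final newline, because the END and BEGIN markers fuse onto one line. The following added example (not part of the original post) merges the two files safely and checks the bundle structure before it goes into the ConfigMap; the function names and the placeholder certificate bodies are constructed for illustration.

```shell
#!/bin/sh
# Added example: newline-safe merge and structural check for a PEM CA bundle.
# It checks marker structure only; it does not validate the certificates.

# merge_ca_bundle OLD_BUNDLE EXTRA_CA OUT
merge_ca_bundle() {
    # awk re-emits every line with a trailing newline (and drops CRs), so a
    # file without a final newline cannot fuse END/BEGIN markers together.
    awk '{ sub(/\r$/, ""); print }' "$1" "$2" > "$3"
}

# count_certs FILE: prints the number of PEM blocks; fails if markers are
# unbalanced or a marker is not alone on its line.
count_certs() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { if (inside) bad = 1; inside = 1; next }
        /^-----END CERTIFICATE-----$/   { if (!inside) bad = 1; inside = 0; n++; next }
        /-----(BEGIN|END) CERTIFICATE-----/ { bad = 1 }
        END { if (inside || bad) exit 1; print n + 0 }
    ' "$1"
}

# Constructed sample input: placeholder base64 bodies, not real certificates.
demo_dir=$(mktemp -d)
# Old bundle deliberately written WITHOUT a final newline.
printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'T0xEUk9PVA==' \
    '-----END CERTIFICATE-----' > "$demo_dir/ca-certificates.crt.old"
printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'UkVHSVNUUlk=' \
    '-----END CERTIFICATE-----' > "$demo_dir/mycluster.icp.ca.crt"

# Plain cat, as a comparison, versus the newline-safe merge.
cat "$demo_dir/ca-certificates.crt.old" "$demo_dir/mycluster.icp.ca.crt" \
    > "$demo_dir/naive.ca.crt"
merge_ca_bundle "$demo_dir/ca-certificates.crt.old" \
    "$demo_dir/mycluster.icp.ca.crt" "$demo_dir/new.ca.crt"

naive_count=$(count_certs "$demo_dir/naive.ca.crt") || naive_count=invalid
merged_count=$(count_certs "$demo_dir/new.ca.crt") || merged_count=invalid
echo "plain cat: $naive_count, merge_ca_bundle: $merged_count"
```

Run count_certs on the real new.ca.crt and compare the result with the count of the old bundle plus one before creating the my-root-ca ConfigMap.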

Testing with Curl and Browser

kubectl get route.serving.knative.dev my-hello-world -o jsonpath='{.status.domain}'
kubectl get svc knative-ingressgateway -n istio-system -o 'jsonpath={.spec.ports[?(@.port==80)].nodePort}'
curl -H "Host: my-hello-world.default.example.com" http://192.168.64.244:32380
Use ModHeader to add Host Header

Issue Fix 3: Auto scaling failure due to ClusterRole Binding Privileged Container

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: knative-serving-#{service_account}-privileged
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: privileged
subjects:
- kind: ServiceAccount
  name: #{service_account}
  namespace: knative-serving
