Install on IBM Cloud Private

This guide walks you through the installation of the latest version of Knative Serving and Knative Build using pre-built images and demonstrates creating and deploying an image of a sample hello world app onto the newly created Knative cluster on IBM Cloud Private.

You can find guides for other platforms here.

Before you begin

Install IBM Cloud Private

Knative requires a v3.1.1 standard IBM Cloud Private cluster. Before you can install Knative, you must first complete all the steps that are provided in the IBM Cloud Private standard cluster installation instructions. For example:

  1. Install Docker for your boot node only

  2. Set up the installation environment

  3. Customize your cluster

  4. Set up Docker for your cluster nodes

  5. Deploy the environment

  6. Verify the status of your installation

Configure IBM Cloud Private security policies

You need to create and set both the image security and pod security policies before you install Knative in your cluster.

Update the image security policy

Update the image security policy (image-security-enforcement) in IBM Cloud Private to allow access to the Knative images:

  1. Edit the image security policy:
   kubectl edit clusterimagepolicies ibmcloud-default-cluster-image-policy
  2. Update spec.repositories by adding the following entries, for example:
   spec:
     repositories:
     - name: gcr.io/knative-releases/*
     - name: k8s.gcr.io/*
     - name: quay.io/*
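
The repository entries above can be checked against a downloaded release manifest before it is applied. This is an added example, not part of the original guide or the Knative project: it lists `image:` references that none of the three entries would admit. The function names and the sample manifest are constructed, and it assumes `*` matches the rest of the image reference.

```shell
#!/bin/sh
# Added example: report images that the three repository entries would not admit.

# Patterns copied from the spec.repositories entries on this page.
# Assumption: '*' matches the remainder of the image reference.
is_allowed() {
  case "$1" in
    gcr.io/knative-releases/*|k8s.gcr.io/*|quay.io/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read a manifest on stdin; print each distinct image that no pattern admits.
unlisted_images() {
  # Take the value of every "image:" key, dropping list dashes and quotes.
  sed -n 's/^[[:space:]-]*image:[[:space:]]*//p' \
    | tr -d "\"'" | sort -u \
    | while IFS= read -r image; do
        is_allowed "$image" || printf '%s\n' "$image"
      done
}

# Constructed sample manifest fragment (not taken from a Knative release).
sample_manifest() {
  cat <<'EOF'
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: controller
        image: gcr.io/knative-releases/example/controller@sha256:0000
      - image: "quay.io/example/exporter:v1"
        name: exporter
      - name: helper
        image: docker.io/example/helper:latest
      - name: shell
        image: busybox
EOF
}

# Real use: save a release manifest to a file, then run
#   unlisted_images < serving.yaml
sample_manifest | unlisted_images
```

Only `image:` keys are inspected; image names passed through ConfigMap values or container arguments need a separate review.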

Update pod security policy

Bind the knative-serving namespace to the ibm-privileged-psp pod security policy. The steps are as follows:

  1. Create a cluster role for the pod security policy resource. The resourceNames for this role must be the name of the pod security policy that was created previously. Here we use ibm-privileged-psp. Run the following command:
   cat <<EOF | kubectl apply --filename -
   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRole
   metadata:
     name: knative-role
   rules:
   -
     apiGroups:
       - extensions
     resourceNames:
       - ibm-privileged-psp
     resources:
       - podsecuritypolicies
     verbs:
       - use
   EOF
  2. In the Knative installation steps below, you have the option of installing a Knative installation bundle or individual components. For each component that you install, you must create a cluster role binding between the service accounts of that component's namespace and the knative-role cluster role that you created for the ibm-privileged-psp pod security policy.

For example, to create a role binding for the knative-serving namespace, run the following command:

   cat <<EOF | kubectl apply --filename -
   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRoleBinding
   metadata:
     name: knative-serving-psp-users
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: ClusterRole
     name: knative-role
   subjects:
   -
     apiGroup: rbac.authorization.k8s.io
     kind: Group
     name: "system:serviceaccounts:knative-serving"
   EOF

Important: If you choose to install the Knative Build or observability plugin, you must also create cluster role bindings for the service accounts in the knative-build and knative-monitoring namespaces.
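
The additional bindings follow the same shape as the knative-serving one. This is an added example, not part of the original guide: it renders one ClusterRoleBinding per namespace so the output can be reviewed before it is applied. The function names and the `<namespace>-psp-users` binding names are assumptions modelled on `knative-serving-psp-users`.

```shell
#!/bin/sh
# Added example: render PSP bindings for further Knative namespaces.

# Print a ClusterRoleBinding that grants knative-role to every service
# account in the given namespace. Rejects names that are not valid
# DNS-1123 labels so that input cannot alter the YAML structure.
psp_binding() {
  namespace="$1"
  case "$namespace" in
    ''|-*|*-|*[!a-z0-9-]*)
      echo "invalid namespace name: $namespace" >&2
      return 1 ;;
  esac
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${namespace}-psp-users
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: knative-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: "system:serviceaccounts:${namespace}"
EOF
}

# Render bindings for several namespaces as one multi-document YAML stream.
psp_bindings() {
  for ns in "$@"; do
    printf -- '---\n'
    psp_binding "$ns" || return 1
  done
}

# Review the output, then pipe it to: kubectl apply --filename -
psp_bindings knative-build knative-monitoring
```

Each binding gives every service account in its namespace use of the privileged policy, so create bindings only for the components you actually install.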

Installing Istio

Follow the instructions to install and run Istio in IBM Cloud Private.

Installing Knative

The following commands install all available Knative components as well as the standard set of observability plugins. To customize your Knative installation, see Performing a Custom Knative Installation.

  1. If you are upgrading from Knative 0.3.x: Update your domain and static IP address to be associated with the LoadBalancer istio-ingressgateway instead of knative-ingressgateway. Then run the following to clean up leftover resources:
   kubectl delete svc knative-ingressgateway -n istio-system
   kubectl delete deploy knative-ingressgateway -n istio-system

If you have the Knative Eventing Sources component installed, you will also need to delete the following resource before upgrading:

   kubectl delete statefulset/controller-manager -n knative-sources

While the deletion of this resource during the upgrade process will not prevent modifications to Eventing Source resources, those changes will not be completed until the upgrade process finishes.

  2. Run the following commands to install Knative:
   curl -L https://github.com/knative/serving/releases/download/v0.5.0/serving.yaml \
     | sed 's/LoadBalancer/NodePort/' \
     | kubectl apply --filename -
   curl -L https://github.com/knative/build/releases/download/v0.5.0/build.yaml \
     | sed 's/LoadBalancer/NodePort/' \
     | kubectl apply --filename -
   curl -L https://github.com/knative/eventing/releases/download/v0.5.0/release.yaml \
     | sed 's/LoadBalancer/NodePort/' \
     | kubectl apply --filename -
   curl -L https://github.com/knative/eventing-sources/releases/download/v0.5.0/eventing-sources.yaml \
     | sed 's/LoadBalancer/NodePort/' \
     | kubectl apply --filename -
   curl -L https://github.com/knative/serving/releases/download/v0.5.0/monitoring.yaml \
     | sed 's/LoadBalancer/NodePort/' \
     | kubectl apply --filename -
   curl -L https://raw.githubusercontent.com/knative/serving/v0.5.0/third_party/config/build/clusterrole.yaml \
     | sed 's/LoadBalancer/NodePort/' \
     | kubectl apply --filename -

Note: If your install fails on the first attempt, try rerunning the commands. They will likely succeed on the second attempt. For background info and to track the upcoming solution to this problem, see issues #968 and #1036.

Note: For the v0.4.0 release and newer, the clusterrole.yaml file is required to enable the Build and Serving components to interact with each other.

See Installing logging, metrics, and traces for details about installing the various supported observability plug-ins.

  3. Monitor the Knative components until all of the components show a STATUS of Running:
   kubectl get pods --namespace knative-serving
   kubectl get pods --namespace knative-build
   kubectl get pods --namespace knative-eventing
   kubectl get pods --namespace knative-sources
   kubectl get pods --namespace knative-monitoring

Note: Instead of rerunning the commands, you can add --watch to each of the above commands to view the components' status updates in real time. Use CTRL+C to exit watch mode.

Now you can deploy an app to your newly created Knative cluster.

What’s next

Now that your cluster has Knative installed, you can see what Knative has to offer.

To deploy your first app with Knative, follow the step-by-step Getting Started with Knative App Deployment guide.

Note: When looking up the IP address to use for accessing your app, you need the address used for ICP. The following command looks up the value to use for the {IP_ADDRESS} placeholder in the samples:

# Replace <ICP cluster ip> with the IP address of your ICP cluster.
echo "<ICP cluster ip>:$(kubectl get svc istio-ingressgateway --namespace istio-system \
--output 'jsonpath={.spec.ports[?(@.port==80)].nodePort}')"

To get started with Knative Eventing, walk through one of the Eventing Samples.

To get started with Knative Build, read the Build README, then choose a sample to walk through.

Cleaning up

To remove Knative from your IBM Cloud Private cluster, run the following commands:

curl -L https://github.com/knative/serving/releases/download/v0.5.0/serving.yaml \
 | sed 's/LoadBalancer/NodePort/' \
 | kubectl delete --filename -
curl -L https://github.com/knative/build/releases/download/v0.5.0/build.yaml \
 | sed 's/LoadBalancer/NodePort/' \
 | kubectl delete --filename -
curl -L https://github.com/knative/eventing/releases/download/v0.5.0/release.yaml \
 | sed 's/LoadBalancer/NodePort/' \
 | kubectl delete --filename -
curl -L https://github.com/knative/eventing-sources/releases/download/v0.5.0/eventing-sources.yaml \
 | sed 's/LoadBalancer/NodePort/' \
 | kubectl delete --filename -
curl -L https://github.com/knative/serving/releases/download/v0.5.0/monitoring.yaml \
 | sed 's/LoadBalancer/NodePort/' \
 | kubectl delete --filename -
