Shared
Airgapped clusters
If your nodes are airgapped and don't have access to common internet registries, first follow Airgapped clusters to fetch Portworx images.
Select nodes where Portworx will be installed
OpenShift Container Platform 3.9 started restricting where pods can be installed (see reference). The Portworx Operator installs pods only on nodes that have the label node-role.kubernetes.io/compute=true.
If you want to install Portworx on additional nodes, you have 2 options:
- To allow Portworx pods on all nodes in a namespace, for example <px-namespace>, run:
oc patch namespace <px-namespace> -p '{"metadata": {"annotations": {"openshift.io/node-selector": ""}}}'
- Alternatively, add the following label to the individual nodes where you want Portworx to run:
oc label nodes mynode1 node-role.kubernetes.io/compute=true
Add the Portworx service accounts to the privileged security context
Portworx runs as a privileged container. Hence you need to add the Portworx service accounts to the privileged security context.
oc adm policy add-scc-to-user privileged system:serviceaccount:<px-namespace>:px-account
oc adm policy add-scc-to-user privileged system:serviceaccount:<px-namespace>:portworx-pvc-controller-account
oc adm policy add-scc-to-user privileged system:serviceaccount:<px-namespace>:px-lh-account
oc adm policy add-scc-to-user anyuid system:serviceaccount:<px-namespace>:px-lh-account
oc adm policy add-scc-to-user anyuid system:serviceaccount:default:default
oc adm policy add-scc-to-user privileged system:serviceaccount:<px-namespace>:px-csi-account
Prepare a docker-registry credentials secret
Note: This is required in order to retrieve the images from a secure registry. Set these credentials using access information for the Docker registry.
- Confirm the username/password works (example: user:john, passwd:s3cret):
docker login -u john -p s3cret mysecure.registry.com
- Configure username/password as a Kubernetes "docker-registry" secret (e.g. "regcred"):
oc create secret docker-registry regcred \
--docker-server=mysecure.registry.com \
--docker-username=john \
--docker-password=s3cret \
--docker-email=username@company.com \
-n <px-namespace>
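
The registry secret above, as an added example that is not part of the Portworx documentation: this POSIX shell code builds the same .dockerconfigjson payload while reading the password from stdin instead of passing it with -p or --docker-password, where it would be visible in shell history and the process list. The function names and the config.json file name are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Portworx code). Function names are hypothetical.

# Escape backslash and double quote for a JSON string value.
# Control characters are not handled.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# make_dockerconfigjson SERVER USER EMAIL
# Reads the password from stdin, so it never appears in argv or shell
# history, and prints the JSON that a "docker-registry" secret stores
# under the .dockerconfigjson key.
make_dockerconfigjson() {
    server=$1; user=$2; email=$3
    IFS= read -r password || [ -n "$password" ] || return 1
    auth=$(printf '%s:%s' "$user" "$password" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}\n' \
        "$(json_escape "$server")" "$(json_escape "$user")" \
        "$(json_escape "$password")" "$(json_escape "$email")" "$auth"
}

# decode_auth: reads that JSON on stdin and prints "user:password".
# The "auth" field is plain base64, not encryption: anyone allowed to read
# secrets in the namespace can recover the registry password this way,
# so read access to secrets in <px-namespace> should be limited by RBAC.
decode_auth() {
    sed -n 's/.*"auth":"\([^"]*\)".*/\1/p' | base64 -d
}

# Usage on a workstation (config.json is a constructed file name; type the
# password followed by Enter, or pipe it in from a password manager):
#   umask 077
#   make_dockerconfigjson mysecure.registry.com john username@company.com > config.json
#   oc create secret generic regcred --type=kubernetes.io/dockerconfigjson \
#       --from-file=.dockerconfigjson=config.json -n <px-namespace>
#   rm -f config.json
```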