1. Prepare your platform

Portworx supports Openshift 3.7 and above.

Airgapped clusters

If your nodes are airgapped and don’t have access to common internet registries, first follow Airgapped clusters to fetch Portworx images.

Select nodes where Portworx will installed

OpenShift Container Platform 3.9 started restricting where Daemonsets can install (see reference), Portworx Daemonset will get installed only on nodes that have the label node-role.kubernetes.io/compute=true.

If you want to install Portworx on additional nodes, you have 2 options.

  1. To enable Daemonsets on all nodes in kube-system namespace run:

    oc patch namespace kube-system -p '{"metadata": {"annotations": {"openshift.io/node-selector": ""}}}'
  2. Alternatively, add the following label to the individual nodes where you want Portworx to run:

    oc label nodes mynode1 node-role.kubernetes.io/compute=true

Add Portworx service accounts to the privileged security context

Portworx runs as a privileged container. Hence you need to add the Portworx service accounts to the privileged security context.

oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:px-account
oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:portworx-pvc-controller-account
oc adm policy add-scc-to-user anyuid system:serviceaccount:default:default

Prepare a docker-registry credentials secret

This is required only if you have a secured custom registy i.e if you require docker login before you can do docker pull.
  • Confirm the username/password works (e.g. user:john, passwd:s3cret)

    docker login -u john -p s3cret mysecure.registry.com
  • Configure username/password as a Kubernetes “docker-registry” secret (e.g. “regcred”)

    oc create secret docker-registry regcred --docker-server=mysecure.registry.com \
    --docker-username=john --docker-password=s3cret --docker-email=test@acme.org \
    -n kube-system

Last edited: Thursday, Feb 7, 2019