Some customers require Container Canaries running on OpenShift. While OpenShift is not an officially supported first-class platform, this guide will get you up and running with them in no time.
The default OpenShift configuration is too restrictive for the Container Canary to run, and the pod will fail with an error. The Canary service is built for multi-user platforms and splits its work into different tasks that run as different users; the containerised Canary keeps this same arrangement. OpenShift's default Security Context Constraint (SCC), called restricted, blocks running as those users. This guide shows how to run the Container Canary in a pod under the anyuid SCC instead, which allows it.
You need cluster admin privileges to follow this guide, as it creates a new service account with a new role to deploy the Container Canary pod. This works for OpenShift installs that are Managed Services (deployed into your own cloud provider accounts) but won't work in the trial Developer Sandbox that Red Hat hosts, as you don't get cluster admin privileges there.
Creating a Service Account for deployment
Step 1
If you don't have it already, install the OpenShift Client CLI (oc). On macOS you can quickly install it with brew install openshift-cli.
Step 2
Head to your cluster console, log in, and copy and run the oc login command, which looks like this:
oc login --token=sha256~FF...ZlNZY --server=https://api.<cluster-name>.n0pc.p1.openshiftapps.com:6443
Step 3
Create a new service account, thinkst-canary, for the Canary container pod deployment (the service account may have any name):
oc create sa thinkst-canary
Step 4
Create a role that grants the use verb on the anyuid SCC:
oc create -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: scc-anyuid
  namespace: default
rules:
- apiGroups:
  - security.openshift.io
  resourceNames:
  - anyuid
  resources:
  - securitycontextconstraints
  verbs:
  - use
EOF
Step 5
Bind the new role to the thinkst-canary service account created in step 3:
oc create -f - <<EOF
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: sa-to-scc-anyuid
  namespace: default
subjects:
- kind: ServiceAccount
  name: thinkst-canary
  # ServiceAccount subjects must carry the namespace the account lives in
  namespace: default
roleRef:
  kind: Role
  name: scc-anyuid
  apiGroup: rbac.authorization.k8s.io
EOF
You are now ready to deploy the Container Canary as a pod using the new service account.
Deploying a container with the Service Account
Step 6
Head to your Console and go to Add Docker Canary to find the Kubernetes pod configuration section you'll use below.
Step 7
Configure the secret needed to pull the Canary images, using the top part of that configuration (this only needs to be done once, not every time a new Container Canary is deployed):
oc apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: canarydockercreds
  namespace: default
data:
  .dockerconfigjson: KVG+h2OpLDRg9PA/KI4K0txbg5t6uupk/ukUei47t2TiJ36JL0Xo97kNeiD2B0o+H7vNw82yF1+xh8+iYnkZvAxIKA1hXM0qtr9h9XOukUmyHmW5cbXHZ9YHTwnwdqvn9to6vnVd82XlIXk4YmIP55qNxxDwxENUHKWxvsGkfGpj/u4W
type: kubernetes.io/dockerconfigjson
EOF
Step 8
Configure the Container Canary pod using the bottom part of the pod configuration from the Console, but add the service account created in step 3 to the spec section:
oc apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: canarypod-1234
  namespace: default
spec:
  serviceAccount: thinkst-canary
  serviceAccountName: thinkst-canary
  containers:
  - name: canarydocker
    image: thinkstcanary/dockercanary@sha256:3e2c74387420121a2c8b209a9cfdafffe459ee8b203185d858da8dc8cb67ea7c
    imagePullPolicy: Always
    env:
    - name: CONSOLE_PUBLIC_KEY
      value: "83r45TLlP6ciOhcnQniu7uOwkRS2Cn9iU732SAZppl9hvAo="
    - name: LISTEN_DOMAIN
      value: "3696f2a9.cnr.io"
  imagePullSecrets:
  - name: canarydockercreds
EOF
A new Container Canary will shortly be live on your Console!
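As an added post-deployment check (this script is not part of the Thinkst guide or the Canary product), the following asks the API whether the service account may use the anyuid SCC, then confirms that the running pod was actually admitted under anyuid with that service account, using the openshift.io/scc annotation that OpenShift places on admitted pods. It assumes the namespace, service account and pod names used in this guide.

```shell
#!/bin/sh
# Added verification script; not part of the Thinkst guide or product.
# Assumes the names used in this guide: namespace "default", service
# account "thinkst-canary" and pod "canarypod-1234" (override via env).
NS="${NS:-default}"
SA="${SA:-thinkst-canary}"
POD="${POD:-canarypod-1234}"

# Pure check so it can be exercised without a cluster. Input is the string
# "<scc> <serviceAccountName>" as printed by fetch_pod_facts. OpenShift
# records the SCC that admitted a pod in the openshift.io/scc annotation,
# so this tells us whether the Role and RoleBinding actually took effect.
# Returns 0 on success, 1 for a wrong service account, 2 for a wrong SCC.
verify_canary_pod() {
  scc=$(printf '%s' "$1" | awk '{print $1}')
  sa=$(printf '%s' "$1" | awk '{print $2}')
  if [ "$sa" != "$SA" ]; then
    echo "pod runs as service account '$sa', expected '$SA' (serviceAccountName missing from the pod spec?)" >&2
    return 1
  fi
  if [ "$scc" != "anyuid" ]; then
    echo "pod admitted under SCC '$scc', not anyuid (check the Role and RoleBinding)" >&2
    return 2
  fi
  return 0
}

# Cluster side: the SCC annotation and service account of the running pod.
fetch_pod_facts() {
  oc -n "$NS" get pod "$POD" \
    -o jsonpath='{.metadata.annotations.openshift\.io/scc} {.spec.serviceAccountName}'
}

main() {
  # Pre-flight: does RBAC let the service account use the anyuid SCC at all?
  oc -n "$NS" auth can-i use securitycontextconstraints/anyuid \
    --as="system:serviceaccount:${NS}:${SA}" || return 1
  facts=$(fetch_pod_facts) || return 1
  verify_canary_pod "$facts" && echo "ok: $POD admitted under anyuid as $SA"
}

# Only talk to the cluster when invoked directly with --run.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it as `sh check-canary-pod.sh --run` after step 8; a non-zero exit with the message on stderr points at which part of the setup (service account or SCC binding) did not apply.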