Preparing your cluster

Prepare your cluster for the installation of Netcool® Operations Insight® on Red Hat® OpenShift®.

Follow the steps in the table to prepare your cluster.
Table 1. Preparing your cluster
Step Action
1 Provision the required machines.
The hardware on which Netcool Operations Insight is installed must use an x86-based architecture, such as AMD64 or Intel. Kubernetes can have a mixture of worker nodes. For operating system and other detailed system requirements, search for the latest version of the Netcool Operations Insight product in the Software Product Compatibility Reports website: https://www.ibm.com/software/reports/compatibility/clarity/softwareReqsForProduct.html
2 Download and install Red Hat OpenShift.
Netcool Operations Insight must be installed by a user with administrative access on the cluster, so ensure that you have access to an administrator account on the target Red Hat OpenShift cluster.

For Red Hat OpenShift documentation, see https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/

For Red Hat OpenShift videos, see: https://www.youtube.com/user/rhopenshift/videos

Install the OpenShift command line interface (oc) on your cluster's boot node. Run the oc login command. For more information, see Getting started with the OpenShift CLI in the Red Hat OpenShift documentation.

3 Create a custom namespace to deploy into.
oc create namespace namespace
Where namespace is the name of the custom namespace that you want to create.
Optional: If you want multiple independent installations of Netcool Operations Insight within the cluster, then create multiple namespaces within your cluster. Run each installation in a separate namespace. Additional disk space and worker nodes are required to support multiple installations.
4 Create a docker registry secret to enable your deployment to pull Netcool Operations Insight images from the IBM® Entitled Registry.
  1. Obtain the entitlement key that is assigned to your IBM ID, which grants you access to the IBM Entitled Registry. Log in to https://myibm.ibm.com/products-services/containerlibrary with the account (username and password) that has entitlement to IBM software. The key that is displayed is the key that is used when accessing the Entitled Registry.
  2. In the Entitlement keys section, select Copy key to copy the entitlement key to the clipboard.
  3. Run the following command to create the entitlement key secret:
    oc create secret docker-registry noi-registry-secret \
    --docker-username=cp \
    --docker-password=entitlement_key \
    --docker-server=cp.icr.io \
    --namespace=namespace
Where:
  • noi-registry-secret is the name of the entitlement key secret that you are creating to pull the Netcool Operations Insight images from the IBM® Entitled Registry. Suggested value is noi-registry-secret.
  • entitlement_key is the entitlement key that you copied in the previous step.
  • namespace is the namespace that you want to deploy Netcool Operations Insight in.
Note: This step assumes that the cluster has internet access to: cp.icr.io, which is IBM's Entitled Registry. An exemption is typically made available for this along with other registries. If a connection to these registries is not permitted due to security constraints, then a production grade Docker 2 compatible image registry must be provided and an airgap installation performed to mirror the external image registries internally. For more information, see Installing Netcool Operations Insight in an air-gapped environment (offline) with a bastion host for a full cloud install, or Installing cloud native Netcool Operations Insight components in an air-gapped environment (offline) with a bastion host for a hybrid install.
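The command in step 4 puts the entitlement key on the command line, where it can end up in shell history. The following added example (not part of the IBM procedure) builds the same registry credential in a file and creates the secret with the --from-file=.dockerconfigjson option of oc create secret docker-registry. The file paths and the function names are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example: build the pull-secret payload for cp.icr.io in a file so the
# entitlement key never appears on a command line or in shell history.

REGISTRY="cp.icr.io"      # registry host from step 4
REGISTRY_USER="cp"        # user name from step 4

# Write a Docker config.json for the Entitled Registry.
# $1 = file that holds the entitlement key (hypothetical path), $2 = output file
write_dockerconfig() {
    local key_file=$1 out_file=$2 key auth
    # Strip the newline or CR that copy-and-paste often appends to the key.
    key=$(tr -d '\r\n' < "$key_file")
    if [ -z "$key" ]; then
        echo "entitlement key file is empty: $key_file" >&2
        return 1
    fi
    # Registry credentials are stored as base64("user:password").
    auth=$(printf '%s:%s' "$REGISTRY_USER" "$key" | base64 | tr -d '\n')
    # Recreate the file so that it is readable by its owner only.
    ( umask 077
      rm -f "$out_file"
      printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$REGISTRY" "$auth" > "$out_file" )
}

# Create the secret from the file instead of using --docker-password.
# $1 = dockerconfig file, $2 = namespace
create_registry_secret() {
    oc create secret docker-registry noi-registry-secret \
        --from-file=.dockerconfigjson="$1" \
        --namespace="$2"
}

# Usage (paths and namespace are placeholders):
#   write_dockerconfig ./entitlement.key ./noi-dockerconfig.json
#   create_registry_secret ./noi-dockerconfig.json namespace
#   rm -f ./entitlement.key ./noi-dockerconfig.json
```

Delete both files after the secret exists; the cluster keeps its own copy in the secret.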
5 Ensure that your Red Hat OpenShift environment is updated to allow network policies to function correctly.
In some Red Hat OpenShift environments, additional configuration is required to allow external traffic to reach the routes. This is because network policies must be added to secure pod communication traffic. For example, if a route that you try to access returns a 503 Application Not Available error, then a network policy might be blocking the traffic. Check whether the ingresscontroller is configured with the endpointPublishingStrategy: HostNetwork value by running the command:
oc get ingresscontroller default -n openshift-ingress-operator -o yaml
If endpointPublishingStrategy.type is set to HostNetwork, then the network policy will not work against routes unless the default namespace contains the selector label. To allow traffic, add a label to the default namespace by running the command:
oc patch namespace default --type=json -p '[{"op":"add","path":"/metadata/labels","value":{"network.openshift.io/policy-group":"ingress"}}]'
For more information, see https://docs.openshift.com/container-platform/4.8/networking/network_policy/about-network-policy.html.
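The check in step 5 can be scripted. This added example (not IBM's code) reads endpointPublishingStrategy.type from the ingresscontroller YAML and reports whether the default namespace still needs the network.openshift.io/policy-group=ingress label. The function names and the two sample documents are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not IBM's code): is the step 5 label still missing?

# Read ingresscontroller YAML on stdin; print endpointPublishingStrategy.type.
publishing_type() {
    awk '
        NF == 0 { next }
        { match($0, /^ */); indent = RLENGTH }
        $1 == "endpointPublishingStrategy:" { eps = indent; child = -1; inside = 1; next }
        inside && indent <= eps { inside = 0 }
        inside {
            if (child < 0) child = indent   # indent of the direct children
            if (indent == child && $1 == "type:") { print $2; exit }
        }'
}

# $1 = strategy type, $2 = value of the policy-group label (may be empty).
# Succeeds when the label from step 5 still has to be added.
needs_ingress_label() {
    [ "$1" = "HostNetwork" ] && [ "$2" != "ingress" ]
}

# Query the cluster with the commands from step 5 and report the result.
check_cluster() {
    local type label
    type=$(oc get ingresscontroller default -n openshift-ingress-operator -o yaml | publishing_type)
    label=$(oc get namespace default \
        -o jsonpath='{.metadata.labels.network\.openshift\.io/policy-group}')
    if needs_ingress_label "$type" "$label"; then
        echo "HostNetwork ingress: default namespace lacks policy-group=ingress"
        return 1
    fi
    echo "OK: strategy=$type policy-group=${label:-unset}"
}

# Constructed, trimmed samples of the YAML that the oc command returns.
SAMPLE_HOSTNETWORK='spec:
  endpointPublishingStrategy:
    type: HostNetwork'
SAMPLE_LB='status:
  endpointPublishingStrategy:
    loadBalancer:
      providerParameters:
        type: AWS
      scope: External
    type: LoadBalancerService'
```

Run check_cluster after oc login; the parser ignores nested type keys such as the provider type under loadBalancer.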
6 (Optional) You can restrict the Netcool Operations Insight pods in a namespace to only run on worker nodes with a specific tag. You can tag worker nodes by adding the tag env=test or app=noi. For example, you can run the command:
oc label nodes <yournode> app=noi
and then edit the YAML on the Netcool Operations Insight namespace by adding the node-selector to the annotations section. You can run the following command to edit the YAML:
oc edit ns <namespace-name>
The result is:
apiVersion: v1
kind: Namespace
metadata:
 name: <namespace-name>
 annotations:
   scheduler.alpha.kubernetes.io/node-selector: app=noi
spec: {}
status: {}
7
  • Create a service account named noi-service-account.
    oc create serviceaccount noi-service-account -n namespace 
    Where namespace is the name of the custom namespace that you will deploy into.
  • Create a custom SCC. The Netcool Operations Insight operator requires a Security Context Constraint (SCC) to be bound to the target service account prior to installation. All pods will use this SCC. An SCC constrains the actions that a pod can perform. You can use either the predefined SCC, privileged, or you can create your own custom SCC. For more information on creating your own custom SCC, see Example Security Context Constraint.
  • Add permissions to the service account.
    oc adm policy add-scc-to-user SCC system:serviceaccount:namespace:noi-service-account
    Where:
    • SCC is either privileged or your own custom SCC.
    • namespace is the namespace that you will deploy into.
  • Add the entitlement key secret for downloading images from the IBM Entitled Registry to your service account.
    oc patch serviceaccount noi-service-account -p '{"imagePullSecrets": [{"name": "noi-registry-secret"}]}' -n namespace
    Where:
    • noi-registry-secret is the name of the entitlement key secret that you created in step 4. Suggested value is noi-registry-secret.
    • namespace is the namespace that you want to deploy Netcool Operations Insight in.
  • To verify that your service account and SCC have been successfully created, use oc get sa and oc get scc.
  • When creating the custom resource for Netcool Operations Insight, specify the following property to tell the operator not to create the SCC automatically:
    helmValuesNOI:
      "global.rbac.createSCC": false